Merge remote-tracking branch 'origin/dev-wffweb-12'

webfirmframework · Dec 14, 2024 · 0ffd803 · 0ffd803
2 parents 0d8960a + cad5733
commit 0ffd803
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 16 deletions.
diff --git a/src/main/java/com/webfirmframework/ui/page/common/NavigationURI.java b/src/main/java/com/webfirmframework/ui/page/common/NavigationURI.java
@@ -67,11 +67,12 @@ public Predicate<URIEvent> getPredicate(DocumentModel documentModel, URIStateSwi
 
         LocalStorage localStorage = documentModel.session().localStorage();
         String contextPath = documentModel.contextPath();
+        String sessionId = documentModel.session().id();
         if (NavigationURI.LOGIN.equals(this)) {
             return uriEvent -> {
                 forTag.getCurrentWhenURIProperties().setPreventDuplicateSuccess(true);
                 forTag.getCurrentWhenURIProperties().setPreventDuplicateFail(true);
-                return !TokenUtil.isValidJWT(localStorage.getToken("jwtToken")) && contextPath.concat(this.uri).equals(uriEvent.uriAfter());
+                return !TokenUtil.isValidJWT(localStorage.getToken("jwtToken"), sessionId) && contextPath.concat(this.uri).equals(uriEvent.uriAfter());
             };
         }
         if (!loginRequired && !parentPath) {
@@ -89,24 +90,24 @@ public Predicate<URIEvent> getPredicate(DocumentModel documentModel, URIStateSwi
         }
         if (loginRequired && parentPath) {
             if (patternOrQueryParamType) {
-                return uriEvent -> TokenUtil.isValidJWT(localStorage.getToken("jwtToken")) && URIUtil.patternMatchesBase(this.uri, uriEvent.uriAfter());
+                return uriEvent -> TokenUtil.isValidJWT(localStorage.getToken("jwtToken"), sessionId) && URIUtil.patternMatchesBase(this.uri, uriEvent.uriAfter());
             }
             return uriEvent -> {
                 forTag.getCurrentWhenURIProperties().setPreventDuplicateSuccess(true);
                 forTag.getCurrentWhenURIProperties().setPreventDuplicateFail(true);
-                return TokenUtil.isValidJWT(localStorage.getToken("jwtToken")) && uriEvent.uriAfter().startsWith(contextPath.concat(this.uri));
+                return TokenUtil.isValidJWT(localStorage.getToken("jwtToken"), sessionId) && uriEvent.uriAfter().startsWith(contextPath.concat(this.uri));
             };
         } else if (loginRequired) {
             if (patternOrQueryParamType) {
-                return uriEvent -> TokenUtil.isValidJWT(localStorage.getToken("jwtToken")) && URIUtil.patternMatches(this.uri, uriEvent.uriAfter());
+                return uriEvent -> TokenUtil.isValidJWT(localStorage.getToken("jwtToken"), sessionId) && URIUtil.patternMatches(this.uri, uriEvent.uriAfter());
             }
         }
         return uriEvent -> {
             if (!patternOrQueryParamType) {
                 forTag.getCurrentWhenURIProperties().setPreventDuplicateSuccess(true);
                 forTag.getCurrentWhenURIProperties().setPreventDuplicateFail(true);
             }
-            return TokenUtil.isValidJWT(localStorage.getToken("jwtToken")) && contextPath.concat(this.uri).equals(URIUtil.parse(uriEvent.uriAfter()).pathname());
+            return TokenUtil.isValidJWT(localStorage.getToken("jwtToken"), sessionId) && contextPath.concat(this.uri).equals(URIUtil.parse(uriEvent.uriAfter()).pathname());
         };
     }
 

diff --git a/src/main/java/com/webfirmframework/ui/page/layout/IndexPageLayout.java b/src/main/java/com/webfirmframework/ui/page/layout/IndexPageLayout.java
@@ -138,7 +138,7 @@ public void buildMainDivTags() {
 
                     LocalStorage.Item token = documentModel.session().localStorage().getToken("jwtToken");
                     //if already logged in then navigate to user account page otherwise navigate to login page
-                    if (TokenUtil.isValidJWT(token)) {
+                    if (TokenUtil.isValidJWT(token, documentModel.session().id())) {
                         documentModel.browserPage().setURI(NavigationURI.USER.getUri(documentModel));
                     } else {
                         documentModel.browserPage().setURI(NavigationURI.LOGIN.getUri(documentModel));

diff --git a/src/main/java/com/webfirmframework/wffwebcommon/MultiInstanceTokenUtil.java b/src/main/java/com/webfirmframework/wffwebcommon/MultiInstanceTokenUtil.java
@@ -31,19 +31,15 @@ public enum MultiInstanceTokenUtil {
         verifier = JWT.require(algorithmHS).withIssuer(issuer).build();
     }
 
-    public boolean isValidJWT(LocalStorage.Item token) {
-        if (token != null) {
+    public boolean isValidJWT(final LocalStorage.Item token, final String sessionId) {
+        if (token != null && sessionId != null) {
             try {
-                JWTVerifier verifier = JWT.require(algorithmHS)
-                        .withIssuer(issuer)
-                        .build(); //Reusable verifier instance
-                DecodedJWT jwt = verifier.verify(token.value());
-                return true;
+                final DecodedJWT jwt = verifier.verify(token.value());
+                return sessionId.equals(jwt.getClaim("sid").asString());
             } catch (JWTVerificationException e) {
                 //Invalid signature/claims
             }
         }
-
         return false;
     }
 

diff --git a/src/main/java/com/webfirmframework/wffwebcommon/TokenUtil.java b/src/main/java/com/webfirmframework/wffwebcommon/TokenUtil.java
@@ -7,8 +7,8 @@
 
 public final class TokenUtil {
 
-    public static boolean isValidJWT(LocalStorage.Item token) {
-        return MultiInstanceTokenUtil.AUTHORIZATION.isValidJWT(token);
+    public static boolean isValidJWT(LocalStorage.Item token, String sessionId) {
+        return MultiInstanceTokenUtil.AUTHORIZATION.isValidJWT(token, sessionId);
     }
 
     public static JSONObject getPayloadFromJWT(LocalStorage.Item token) {