mocode-software/meldestelle
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

Merge pull request #18

Browse Source 
* MP-19 Refactoring: Einführung der "Registry" & "Masterdata" Trennung …

* MP-19 Refactoring: Frontend Tabula Rasa

* MP-19 Refactoring: Frontend Tabula Rasa

* refactoring:

* MP-20 fix(docker/clients): include `:domains` module in web/desktop b…

* MP-20 fix(web-app build): resolve JS compile error and add dev/prod b…

* MP-20 fix(web-app): remove vendor.js reference and harden JS bootstra…

* MP-20 fixing: clients

* MP-20 fixing: clients
This commit is contained in:
StefanMo
2025-11-30 14:13:12 +01:00
committed by GitHub
parent 596a05b69c
commit 9ea2b74a81
254 changed files with 5485 additions and 15971 deletions
Download Patch File Download Diff File Expand all files Collapse all files
clients/auth-feature/build.gradle.kts
+102 -96
View File
@@ -6,117 +6,123 @@ import org.jetbrains.kotlin.gradle.dsl.JvmTarget
* und den UI-Baukasten (common-ui), aber es kennt keine anderen Features.
*/
plugins {
alias(libs.plugins.kotlinMultiplatform)
alias(libs.plugins.composeMultiplatform)
alias(libs.plugins.composeCompiler)
alias(libs.plugins.kotlinSerialization)
alias(libs.plugins.kotlinMultiplatform)
alias(libs.plugins.composeMultiplatform)
alias(libs.plugins.composeCompiler)
alias(libs.plugins.kotlinSerialization)
}
group = "at.mocode.clients"
version = "1.0.0"
kotlin {
val enableWasm = providers.gradleProperty("enableWasm").orNull == "true"
val enableWasm = providers.gradleProperty("enableWasm").orNull == "true"
jvmToolchain(21)
jvmToolchain(21)
jvm()
jvm()
js {
browser {
testTask {
enabled = false
}
}
binaries.executable()
}
// WASM, nur wenn explizit aktiviert
if (enableWasm) {
@OptIn(org.jetbrains.kotlin.gradle.ExperimentalWasmDsl::class)
wasmJs {
browser()
binaries.executable()
}
}
sourceSets {
commonMain.dependencies {
// UI Kit
implementation(project(":clients:shared:common-ui"))
// Shared Konfig & Utilities (AppConfig + BuildConfig)
implementation(project(":clients:shared"))
// Compose dependencies
implementation(compose.runtime)
implementation(compose.foundation)
implementation(compose.material3)
implementation(compose.ui)
implementation(compose.components.resources)
implementation(compose.materialIconsExtended)
// Ktor client for HTTP calls
implementation(libs.ktor.client.core)
implementation(libs.ktor.client.contentNegotiation)
implementation(libs.ktor.client.serialization.kotlinx.json)
implementation(libs.ktor.client.logging)
implementation(libs.ktor.client.auth)
// Coroutines and serialization
implementation(libs.kotlinx.coroutines.core)
implementation(libs.kotlinx.serialization.json)
// DateTime for multiplatform time handling
implementation(libs.kotlinx.datetime)
// ViewModel lifecycle
implementation(libs.androidx.lifecycle.viewmodelCompose)
implementation(libs.androidx.lifecycle.runtimeCompose)
js {
browser {
testTask {
enabled = false
}
}
}
// WASM, nur wenn explizit aktiviert
commonTest.dependencies {
implementation(libs.kotlin.test)
implementation(libs.kotlinx.coroutines.test)
implementation("io.ktor:ktor-client-mock:${libs.versions.ktor.get()}")
}
jvmTest.dependencies {
implementation(libs.mockk)
implementation(projects.platform.platformTesting)
implementation(libs.bundles.testing.jvm)
}
jvmMain.dependencies {
implementation(libs.ktor.client.cio)
}
jsMain.dependencies {
implementation(libs.ktor.client.js)
implementation(libs.ktor.client.auth)
implementation(libs.kotlinx.coroutines.core)
implementation(libs.kotlinx.serialization.json)
implementation(libs.kotlinx.datetime)
}
// WASM SourceSet, nur wenn aktiviert
if (enableWasm) {
@OptIn(org.jetbrains.kotlin.gradle.ExperimentalWasmDsl::class)
wasmJs { browser() }
}
sourceSets {
commonMain.dependencies {
// UI Kit
implementation(project(":clients:shared:common-ui"))
// Shared Konfig & Utilities (AppConfig + BuildConfig)
implementation(project(":clients:shared"))
// Compose dependencies
implementation(compose.runtime)
implementation(compose.foundation)
implementation(compose.material3)
implementation(compose.ui)
implementation(compose.components.resources)
implementation(compose.materialIconsExtended)
// Ktor client for HTTP calls
implementation(libs.ktor.client.core)
implementation(libs.ktor.client.contentNegotiation)
implementation(libs.ktor.client.serialization.kotlinx.json)
implementation(libs.ktor.client.logging)
implementation(libs.ktor.client.auth)
// Coroutines and serialization
implementation(libs.kotlinx.coroutines.core)
implementation(libs.kotlinx.serialization.json)
// DateTime for multiplatform time handling
implementation(libs.kotlinx.datetime)
// ViewModel lifecycle
implementation(libs.androidx.lifecycle.viewmodelCompose)
implementation(libs.androidx.lifecycle.runtimeCompose)
}
commonTest.dependencies {
implementation(libs.kotlin.test)
implementation(libs.kotlinx.coroutines.test)
implementation("io.ktor:ktor-client-mock:${libs.versions.ktor.get()}")
}
jvmTest.dependencies {
implementation(libs.mockk)
implementation(projects.platform.platformTesting)
implementation(libs.bundles.testing.jvm)
}
jvmMain.dependencies {
implementation(libs.ktor.client.cio)
}
jsMain.dependencies {
implementation(libs.ktor.client.js)
implementation(libs.ktor.client.auth)
implementation(libs.kotlinx.coroutines.core)
implementation(libs.kotlinx.serialization.json)
implementation(libs.kotlinx.datetime)
}
// WASM SourceSet, nur wenn aktiviert
if (enableWasm) {
val wasmJsMain = getByName("wasmJsMain")
wasmJsMain.dependencies {
implementation(libs.ktor.client.js) // WASM verwendet JS-Client [cite: 7]
// ✅ HINZUFÜGEN: Compose für shared UI components für WASM
implementation(compose.runtime)
implementation(compose.foundation)
implementation(compose.material3)
}
}
val wasmJsMain = getByName("wasmJsMain")
wasmJsMain.dependencies {
implementation(libs.ktor.client.js) // WASM verwendet JS-Client [cite: 7]
// ✅ HINZUFÜGEN: Compose für shared UI components für WASM
implementation(compose.runtime)
implementation(compose.foundation)
implementation(compose.material3)
}
}
}
}
// KMP Compile-Optionen
tasks.withType<org.jetbrains.kotlin.gradle.tasks.KotlinCompile> {
compilerOptions {
jvmTarget.set(JvmTarget.JVM_21)
freeCompilerArgs.addAll(
"-opt-in=kotlin.RequiresOptIn"
)
}
compilerOptions {
jvmTarget.set(JvmTarget.JVM_21)
freeCompilerArgs.addAll(
"-opt-in=kotlin.RequiresOptIn",
// Suppress beta warning for expect/actual classes as per project decision
"-Xexpect-actual-classes"
)
}
}
clients/auth-feature/src/commonMain/kotlin/at/mocode/clients/authfeature/AuthApiClient.kt
+159 -118
View File
@@ -1,11 +1,9 @@
package at.mocode.clients.authfeature
import at.mocode.clients.shared.AppConfig
import at.mocode.clients.shared.core.AppConstants
import io.ktor.client.call.*
import io.ktor.client.request.*
import io.ktor.client.request.forms.*
import io.ktor.http.*
import io.ktor.http.content.*
import kotlinx.serialization.Serializable
/**
@@ -13,138 +11,181 @@ import kotlinx.serialization.Serializable
*/
@Serializable
data class LoginRequest(
val username: String,
val password: String
val username: String,
val password: String
)
@Serializable
data class LoginResponse(
val success: Boolean,
val token: String? = null,
val message: String? = null,
val userId: String? = null,
val username: String? = null
val success: Boolean,
val token: String? = null,
val message: String? = null,
val userId: String? = null,
val username: String? = null
)
/**
* HTTP client for authentication API calls
*/
class AuthApiClient(
// Keycloak Basis-URL (z. B. http://localhost:8180)
private val keycloakBaseUrl: String = AppConfig.KEYCLOAK_URL,
// Realm-Name in Keycloak
private val realm: String = AppConfig.KEYCLOAK_REALM,
// Client-ID (Public Client empfohlen für Frontend-Flows)
private val clientId: String = AppConfig.KEYCLOAK_CLIENT_ID,
// Optional: Client-Secret (nur bei vertraulichen Clients erforderlich)
private val clientSecret: String? = null
// Keycloak Basis-URL (z. B. http://localhost:8180)
private val keycloakBaseUrl: String = AppConstants.KEYCLOAK_URL,
// Realm-Name in Keycloak
private val realm: String = AppConstants.KEYCLOAK_REALM,
// Client-ID (Public Client empfohlen für Frontend-Flows)
private val clientId: String = AppConstants.KEYCLOAK_CLIENT_ID,
// Optional: Client-Secret (nur bei vertraulichen Clients erforderlich)
private val clientSecret: String? = null
) {
private val client = AuthenticatedHttpClient.createUnauthenticated()
private val client = AuthenticatedHttpClient.createUnauthenticated()
/**
* Authenticate user with username and password
*/
suspend fun login(username: String, password: String): LoginResponse {
val tokenEndpoint = "$keycloakBaseUrl/realms/$realm/protocol/openid-connect/token"
return try {
val response = client.submitForm(
url = tokenEndpoint,
formParameters = Parameters.build {
append("grant_type", "password")
append("client_id", clientId)
if (!clientSecret.isNullOrBlank()) {
append("client_secret", clientSecret)
}
append("username", username)
append("password", password)
}
) {
// Explicit: URL-encoded Form
contentType(ContentType.Application.FormUrlEncoded)
}
if (response.status.isSuccess()) {
val kc = response.body<KeycloakTokenResponse>()
LoginResponse(
success = true,
token = kc.access_token,
message = null,
userId = null,
username = username
)
} else {
LoginResponse(
success = false,
message = "Login fehlgeschlagen: HTTP ${response.status.value}"
)
}
} catch (e: Exception) {
LoginResponse(
success = false,
message = "Verbindungsfehler: ${e.message}"
)
/**
* Authenticate user with username and password
*/
suspend fun login(username: String, password: String): LoginResponse {
val tokenEndpoint = "$keycloakBaseUrl/realms/$realm/protocol/openid-connect/token"
return try {
val response = client.submitForm(
url = tokenEndpoint,
formParameters = Parameters.build {
append("grant_type", "password")
append("client_id", clientId)
if (!clientSecret.isNullOrBlank()) {
append("client_secret", clientSecret)
}
append("username", username)
append("password", password)
}
) {
// Explicit: URL-encoded Form
contentType(ContentType.Application.FormUrlEncoded)
}
if (response.status.isSuccess()) {
val kc = response.body<KeycloakTokenResponse>()
LoginResponse(
success = true,
token = kc.access_token,
message = null,
userId = null,
username = username
)
} else {
LoginResponse(
success = false,
message = "Login fehlgeschlagen: HTTP ${response.status.value}"
)
}
} catch (e: Exception) {
LoginResponse(
success = false,
message = "Verbindungsfehler: ${e.message}"
)
}
}
/**
* Refresh authentication token
*/
suspend fun refreshToken(refreshToken: String): LoginResponse {
val tokenEndpoint = "$keycloakBaseUrl/realms/$realm/protocol/openid-connect/token"
return try {
val response = client.submitForm(
url = tokenEndpoint,
formParameters = Parameters.build {
append("grant_type", "refresh_token")
append("client_id", clientId)
if (!clientSecret.isNullOrBlank()) {
append("client_secret", clientSecret)
}
append("refresh_token", refreshToken)
}
) {
contentType(ContentType.Application.FormUrlEncoded)
}
if (response.status.isSuccess()) {
val kc = response.body<KeycloakTokenResponse>()
LoginResponse(
success = true,
token = kc.access_token,
message = null
)
} else {
LoginResponse(
success = false,
message = "Token refresh fehlgeschlagen: HTTP ${response.status.value}"
)
}
} catch (e: Exception) {
LoginResponse(
success = false,
message = "Token refresh Fehler: ${e.message}"
)
/**
* Exchange an authorization code (PKCE) for tokens
*/
suspend fun exchangeAuthorizationCode(code: String, codeVerifier: String, redirectUri: String): LoginResponse {
val tokenEndpoint = "$keycloakBaseUrl/realms/$realm/protocol/openid-connect/token"
return try {
val response = client.submitForm(
url = tokenEndpoint,
formParameters = Parameters.build {
append("grant_type", "authorization_code")
append("client_id", clientId)
if (!clientSecret.isNullOrBlank()) {
append("client_secret", clientSecret)
}
append("code", code)
append("code_verifier", codeVerifier)
append("redirect_uri", redirectUri)
}
}
) {
contentType(ContentType.Application.FormUrlEncoded)
}
/**
* Logout and invalidate token
*/
suspend fun logout(token: String): Boolean {
// Empfehlung: Frontend-seitig Token lokal verwerfen.
// Optional könnten hier Keycloak-Endpoints für Token-Revocation aufgerufen werden.
return true
if (response.status.isSuccess()) {
val kc = response.body<KeycloakTokenResponse>()
LoginResponse(
success = true,
token = kc.access_token,
message = null
)
} else {
LoginResponse(
success = false,
message = "Code-Exchange fehlgeschlagen: HTTP ${'$'}{response.status.value}"
)
}
} catch (e: Exception) {
LoginResponse(
success = false,
message = "Code-Exchange Fehler: ${'$'}{e.message}"
)
}
}
@Serializable
private data class KeycloakTokenResponse(
val access_token: String,
val expires_in: Long? = null,
val refresh_expires_in: Long? = null,
val refresh_token: String? = null,
val token_type: String? = null,
val not_before_policy: Long? = null,
val session_state: String? = null,
val scope: String? = null
)
/**
* Refresh authentication token
*/
suspend fun refreshToken(refreshToken: String): LoginResponse {
val tokenEndpoint = "$keycloakBaseUrl/realms/$realm/protocol/openid-connect/token"
return try {
val response = client.submitForm(
url = tokenEndpoint,
formParameters = Parameters.build {
append("grant_type", "refresh_token")
append("client_id", clientId)
if (!clientSecret.isNullOrBlank()) {
append("client_secret", clientSecret)
}
append("refresh_token", refreshToken)
}
) {
contentType(ContentType.Application.FormUrlEncoded)
}
if (response.status.isSuccess()) {
val kc = response.body<KeycloakTokenResponse>()
LoginResponse(
success = true,
token = kc.access_token,
message = null
)
} else {
LoginResponse(
success = false,
message = "Token refresh fehlgeschlagen: HTTP ${response.status.value}"
)
}
} catch (e: Exception) {
LoginResponse(
success = false,
message = "Token refresh Fehler: ${e.message}"
)
}
}
/**
* Logout and invalidate token
*/
suspend fun logout(token: String): Boolean {
// Empfehlung: Frontend-seitig Token lokal verwerfen.
// Optional könnten hier Keycloak-Endpoints für Token-Revocation aufgerufen werden.
return true
}
@Serializable
private data class KeycloakTokenResponse(
val access_token: String,
val expires_in: Long? = null,
val refresh_expires_in: Long? = null,
val refresh_token: String? = null,
val token_type: String? = null,
val not_before_policy: Long? = null,
val session_state: String? = null,
val scope: String? = null
)
}
clients/auth-feature/src/commonMain/kotlin/at/mocode/clients/authfeature/AuthTokenManager.kt
+288 -294
View File
@@ -5,12 +5,6 @@ import kotlinx.coroutines.flow.StateFlow
import kotlinx.coroutines.flow.asStateFlow
import kotlinx.serialization.Serializable
import kotlinx.serialization.json.Json
import kotlinx.serialization.json.JsonArray
import kotlinx.serialization.json.JsonObject
import kotlinx.serialization.json.JsonPrimitive
import kotlinx.serialization.json.jsonPrimitive
import kotlinx.serialization.json.longOrNull
import kotlinx.serialization.json.contentOrNull
import kotlin.io.encoding.Base64
import kotlin.io.encoding.ExperimentalEncodingApi
import kotlin.time.ExperimentalTime
@@ -20,29 +14,29 @@ import kotlin.time.ExperimentalTime
*/
@Serializable
enum class Permission {
// Person management
PERSON_READ,
PERSON_CREATE,
PERSON_UPDATE,
PERSON_DELETE,
// Person management
PERSON_READ,
PERSON_CREATE,
PERSON_UPDATE,
PERSON_DELETE,
// Club management
VEREIN_READ,
VEREIN_CREATE,
VEREIN_UPDATE,
VEREIN_DELETE,
// Club management
VEREIN_READ,
VEREIN_CREATE,
VEREIN_UPDATE,
VEREIN_DELETE,
// Event management
VERANSTALTUNG_READ,
VERANSTALTUNG_CREATE,
VERANSTALTUNG_UPDATE,
VERANSTALTUNG_DELETE,
// Event management
VERANSTALTUNG_READ,
VERANSTALTUNG_CREATE,
VERANSTALTUNG_UPDATE,
VERANSTALTUNG_DELETE,
// Horse management
PFERD_READ,
PFERD_CREATE,
PFERD_UPDATE,
PFERD_DELETE
// Horse management
PFERD_READ,
PFERD_CREATE,
PFERD_UPDATE,
PFERD_DELETE
}
/**
@@ -50,23 +44,23 @@ enum class Permission {
*/
@Serializable
data class JwtPayload(
val sub: String? = null, // User ID
val username: String? = null, // Username
val exp: Long? = null, // Expiration timestamp
val iat: Long? = null, // Issued at timestamp
val iss: String? = null, // Issuer
val permissions: List<String>? = null // Permissions array
val sub: String? = null, // User ID
val username: String? = null, // Username
val exp: Long? = null, // Expiration timestamp
val iat: Long? = null, // Issued at timestamp
val iss: String? = null, // Issuer
val permissions: List<String>? = null // Permissions array
)
/**
* Authentication state
*/
data class AuthState(
val isAuthenticated: Boolean = false,
val token: String? = null,
val userId: String? = null,
val username: String? = null,
val permissions: List<Permission> = emptyList()
val isAuthenticated: Boolean = false,
val token: String? = null,
val userId: String? = null,
val username: String? = null,
val permissions: List<Permission> = emptyList()
)
/**
@@ -78,267 +72,267 @@ data class AuthState(
*/
class AuthTokenManager {
private var currentToken: String? = null
private var tokenPayload: JwtPayload? = null
private var currentToken: String? = null
private var tokenPayload: JwtPayload? = null
private val _authState = MutableStateFlow(AuthState())
val authState: StateFlow<AuthState> = _authState.asStateFlow()
private val _authState = MutableStateFlow(AuthState())
val authState: StateFlow<AuthState> = _authState.asStateFlow()
/**
* Store JWT token in memory
*/
fun setToken(token: String) {
currentToken = token
tokenPayload = parseJwtPayload(token)
/**
* Store JWT token in memory
*/
fun setToken(token: String) {
currentToken = token
tokenPayload = parseJwtPayload(token)
// Parse permissions from token payload
val permissions = tokenPayload?.permissions?.mapNotNull { permissionString ->
try {
Permission.valueOf(permissionString)
} catch (e: IllegalArgumentException) {
// Ignore unknown permissions
null
}
} ?: emptyList()
// Parse permissions from token payload
val permissions = tokenPayload?.permissions?.mapNotNull { permissionString ->
try {
Permission.valueOf(permissionString)
} catch (e: IllegalArgumentException) {
// Ignore unknown permissions
null
}
} ?: emptyList()
_authState.value = AuthState(
isAuthenticated = true,
token = token,
userId = tokenPayload?.sub,
username = tokenPayload?.username,
permissions = permissions
)
_authState.value = AuthState(
isAuthenticated = true,
token = token,
userId = tokenPayload?.sub,
username = tokenPayload?.username,
permissions = permissions
)
}
/**
* Get current JWT token
*/
fun getToken(): String? = currentToken
/**
* Check if we have a valid (non-expired) token
*/
@OptIn(ExperimentalTime::class)
fun hasValidToken(): Boolean {
val token = currentToken ?: return false
val payload = tokenPayload ?: return false
// Check expiration
val expiration = payload.exp ?: return false
val currentTime = kotlin.time.Clock.System.now().epochSeconds
return currentTime < expiration
}
/**
* Clear token from memory (logout)
*/
fun clearToken() {
currentToken = null
tokenPayload = null
_authState.value = AuthState()
}
/**
* Get user ID from token
*/
fun getUserId(): String? = tokenPayload?.sub
/**
* Get username from token
*/
fun getUsername(): String? = tokenPayload?.username
/**
* Get current user permissions
*/
fun getPermissions(): List<Permission> = _authState.value.permissions
/**
* Check if user has a specific permission
*/
fun hasPermission(permission: Permission): Boolean {
return _authState.value.permissions.contains(permission)
}
/**
* Check if user has any of the specified permissions
*/
fun hasAnyPermission(vararg permissions: Permission): Boolean {
return permissions.any { _authState.value.permissions.contains(it) }
}
/**
* Check if user has all of the specified permissions
*/
fun hasAllPermissions(vararg permissions: Permission): Boolean {
return permissions.all { _authState.value.permissions.contains(it) }
}
/**
* Check if user can perform read operations
*/
fun canRead(): Boolean {
return hasAnyPermission(
Permission.PERSON_READ,
Permission.VEREIN_READ,
Permission.VERANSTALTUNG_READ,
Permission.PFERD_READ
)
}
/**
* Check if user can perform create operations
*/
fun canCreate(): Boolean {
return hasAnyPermission(
Permission.PERSON_CREATE,
Permission.VEREIN_CREATE,
Permission.VERANSTALTUNG_CREATE,
Permission.PFERD_CREATE
)
}
/**
* Check if user can perform update operations
*/
fun canUpdate(): Boolean {
return hasAnyPermission(
Permission.PERSON_UPDATE,
Permission.VEREIN_UPDATE,
Permission.VERANSTALTUNG_UPDATE,
Permission.PFERD_UPDATE
)
}
/**
* Check if user can perform delete operations (admin-level)
*/
fun canDelete(): Boolean {
return hasAnyPermission(
Permission.PERSON_DELETE,
Permission.VEREIN_DELETE,
Permission.VERANSTALTUNG_DELETE,
Permission.PFERD_DELETE
)
}
/**
* Check if user is admin (has delete permissions)
*/
fun isAdmin(): Boolean = canDelete()
/**
* Check if token expires within specified minutes
*/
@OptIn(ExperimentalTime::class)
fun isTokenExpiringSoon(minutesThreshold: Int = 5): Boolean {
val payload = tokenPayload ?: return false
val expiration = payload.exp ?: return false
val currentTime = kotlin.time.Clock.System.now().epochSeconds
val thresholdTime = currentTime + (minutesThreshold * 60)
return expiration <= thresholdTime
}
/**
* Parse JWT payload for basic validation and user info extraction
* Note: This is for client-side info extraction only, not security validation
*/
@OptIn(ExperimentalEncodingApi::class)
private fun parseJwtPayload(token: String): JwtPayload? {
return try {
val parts = token.split(".")
if (parts.size != 3) return null
// Decode the payload (second part)
val payloadJson = Base64.decode(parts[1]).decodeToString()
// First try to parse with standard approach
val basicPayload = try {
Json.decodeFromString<JwtPayload>(payloadJson)
} catch (e: Exception) {
// If that fails, extract manually
null
}
// If basic parsing succeeded and has permissions, return it
if (basicPayload != null && basicPayload.permissions != null) {
return basicPayload
}
// Otherwise, extract permissions manually from JSON string
val permissions = extractPermissionsFromJson(payloadJson)
// Return payload with manually extracted permissions
JwtPayload(
sub = basicPayload?.sub,
username = basicPayload?.username,
exp = basicPayload?.exp,
iat = basicPayload?.iat,
iss = basicPayload?.iss,
permissions = permissions
)
} catch (e: Exception) {
// Failed to parse - token might be invalid format
null
}
}
/**
* Extract permissions array from JSON string using simple string parsing
*/
private fun extractPermissionsFromJson(jsonString: String): List<String>? {
return try {
// Simple regex to find permissions array
val permissionsRegex = """"permissions":\s*\[(.*?)\]""".toRegex()
val match = permissionsRegex.find(jsonString)
match?.let {
val permissionsContent = it.groupValues[1]
if (permissionsContent.isBlank()) return emptyList()
// Extract individual permission strings
val permissions = permissionsContent
.split(",")
.mapNotNull { permission ->
permission.trim()
.removePrefix("\"")
.removeSuffix("\"")
.takeIf { it.isNotBlank() }
}
permissions
}
} catch (e: Exception) {
null
}
}
/**
* Get token with Bearer prefix for HTTP headers
*/
fun getBearerToken(): String? {
val token = getToken() ?: return null
return "Bearer $token"
}
/**
* Refresh token if needed based on expiry
*/
suspend fun refreshTokenIfNeeded(authApiClient: AuthApiClient): Boolean {
if (!isTokenExpiringSoon()) return true
val currentToken = getToken() ?: return false
val refreshResponse = authApiClient.refreshToken(currentToken)
if (refreshResponse.success && refreshResponse.token != null) {
setToken(refreshResponse.token)
return true
}
/**
* Get current JWT token
*/
fun getToken(): String? = currentToken
/**
* Check if we have a valid (non-expired) token
*/
@OptIn(ExperimentalTime::class)
fun hasValidToken(): Boolean {
val token = currentToken ?: return false
val payload = tokenPayload ?: return false
// Check expiration
val expiration = payload.exp ?: return false
val currentTime = kotlin.time.Clock.System.now().epochSeconds
return currentTime < expiration
}
/**
* Clear token from memory (logout)
*/
fun clearToken() {
currentToken = null
tokenPayload = null
_authState.value = AuthState()
}
/**
* Get user ID from token
*/
fun getUserId(): String? = tokenPayload?.sub
/**
* Get username from token
*/
fun getUsername(): String? = tokenPayload?.username
/**
* Get current user permissions
*/
fun getPermissions(): List<Permission> = _authState.value.permissions
/**
* Check if user has a specific permission
*/
fun hasPermission(permission: Permission): Boolean {
return _authState.value.permissions.contains(permission)
}
/**
* Check if user has any of the specified permissions
*/
fun hasAnyPermission(vararg permissions: Permission): Boolean {
return permissions.any { _authState.value.permissions.contains(it) }
}
/**
* Check if user has all of the specified permissions
*/
fun hasAllPermissions(vararg permissions: Permission): Boolean {
return permissions.all { _authState.value.permissions.contains(it) }
}
/**
* Check if user can perform read operations
*/
fun canRead(): Boolean {
return hasAnyPermission(
Permission.PERSON_READ,
Permission.VEREIN_READ,
Permission.VERANSTALTUNG_READ,
Permission.PFERD_READ
)
}
/**
* Check if user can perform create operations
*/
fun canCreate(): Boolean {
return hasAnyPermission(
Permission.PERSON_CREATE,
Permission.VEREIN_CREATE,
Permission.VERANSTALTUNG_CREATE,
Permission.PFERD_CREATE
)
}
/**
* Check if user can perform update operations
*/
fun canUpdate(): Boolean {
return hasAnyPermission(
Permission.PERSON_UPDATE,
Permission.VEREIN_UPDATE,
Permission.VERANSTALTUNG_UPDATE,
Permission.PFERD_UPDATE
)
}
/**
* Check if user can perform delete operations (admin-level)
*/
fun canDelete(): Boolean {
return hasAnyPermission(
Permission.PERSON_DELETE,
Permission.VEREIN_DELETE,
Permission.VERANSTALTUNG_DELETE,
Permission.PFERD_DELETE
)
}
/**
* Check if user is admin (has delete permissions)
*/
fun isAdmin(): Boolean = canDelete()
/**
* Check if token expires within specified minutes
*/
@OptIn(ExperimentalTime::class)
fun isTokenExpiringSoon(minutesThreshold: Int = 5): Boolean {
val payload = tokenPayload ?: return false
val expiration = payload.exp ?: return false
val currentTime = kotlin.time.Clock.System.now().epochSeconds
val thresholdTime = currentTime + (minutesThreshold * 60)
return expiration <= thresholdTime
}
/**
* Parse JWT payload for basic validation and user info extraction
* Note: This is for client-side info extraction only, not security validation
*/
@OptIn(ExperimentalEncodingApi::class)
private fun parseJwtPayload(token: String): JwtPayload? {
return try {
val parts = token.split(".")
if (parts.size != 3) return null
// Decode the payload (second part)
val payloadJson = Base64.decode(parts[1]).decodeToString()
// First try to parse with standard approach
val basicPayload = try {
Json.decodeFromString<JwtPayload>(payloadJson)
} catch (e: Exception) {
// If that fails, extract manually
null
}
// If basic parsing succeeded and has permissions, return it
if (basicPayload != null && basicPayload.permissions != null) {
return basicPayload
}
// Otherwise, extract permissions manually from JSON string
val permissions = extractPermissionsFromJson(payloadJson)
// Return payload with manually extracted permissions
JwtPayload(
sub = basicPayload?.sub,
username = basicPayload?.username,
exp = basicPayload?.exp,
iat = basicPayload?.iat,
iss = basicPayload?.iss,
permissions = permissions
)
} catch (e: Exception) {
// Failed to parse - token might be invalid format
null
}
}
/**
* Extract permissions array from JSON string using simple string parsing
*/
private fun extractPermissionsFromJson(jsonString: String): List<String>? {
return try {
// Simple regex to find permissions array
val permissionsRegex = """"permissions":\s*\[(.*?)\]""".toRegex()
val match = permissionsRegex.find(jsonString)
match?.let {
val permissionsContent = it.groupValues[1]
if (permissionsContent.isBlank()) return emptyList()
// Extract individual permission strings
val permissions = permissionsContent
.split(",")
.mapNotNull { permission ->
permission.trim()
.removePrefix("\"")
.removeSuffix("\"")
.takeIf { it.isNotBlank() }
}
permissions
}
} catch (e: Exception) {
null
}
}
/**
* Get token with Bearer prefix for HTTP headers
*/
fun getBearerToken(): String? {
val token = getToken() ?: return null
return "Bearer $token"
}
/**
* Refresh token if needed based on expiry
*/
suspend fun refreshTokenIfNeeded(authApiClient: AuthApiClient): Boolean {
if (!isTokenExpiringSoon()) return true
val currentToken = getToken() ?: return false
val refreshResponse = authApiClient.refreshToken(currentToken)
if (refreshResponse.success && refreshResponse.token != null) {
setToken(refreshResponse.token)
return true
}
// Refresh failed, clear token
clearToken()
return false
}
// Refresh failed, clear token
clearToken()
return false
}
}
clients/auth-feature/src/commonMain/kotlin/at/mocode/clients/authfeature/AuthenticatedHttpClient.kt
+39 -39
View File
@@ -1,6 +1,6 @@
package at.mocode.clients.authfeature
import at.mocode.clients.shared.AppConfig
import at.mocode.clients.shared.core.AppConstants
import io.ktor.client.*
import io.ktor.client.plugins.contentnegotiation.*
import io.ktor.client.request.*
@@ -14,49 +14,49 @@ import kotlinx.serialization.json.Json
*/
object AuthenticatedHttpClient {
private val authTokenManager = AuthTokenManager()
private val authTokenManager = AuthTokenManager()
/**
* Create a basic HTTP client with JSON support
*/
fun create(baseUrl: String = AppConfig.GATEWAY_URL): HttpClient {
return HttpClient {
install(ContentNegotiation) {
json(Json {
prettyPrint = true
isLenient = true
ignoreUnknownKeys = true
})
}
}
/**
* Create a basic HTTP client with JSON support
*/
fun create(baseUrl: String = AppConstants.GATEWAY_URL): HttpClient {
return HttpClient {
install(ContentNegotiation) {
json(Json {
prettyPrint = true
isLenient = true
ignoreUnknownKeys = true
})
}
}
}
/**
* Add an authentication header to an HTTP request builder if a token is available
*/
fun HttpRequestBuilder.addAuthHeader() {
authTokenManager.getBearerToken()?.let { bearerToken ->
header(HttpHeaders.Authorization, bearerToken)
}
/**
* Add an authentication header to an HTTP request builder if a token is available
*/
fun HttpRequestBuilder.addAuthHeader() {
authTokenManager.getBearerToken()?.let { bearerToken ->
header(HttpHeaders.Authorization, bearerToken)
}
}
/**
* Get the shared AuthTokenManager instance
*/
fun getAuthTokenManager(): AuthTokenManager = authTokenManager
/**
* Get the shared AuthTokenManager instance
*/
fun getAuthTokenManager(): AuthTokenManager = authTokenManager
/**
* Create an HTTP client without authentication (for login/public endpoints)
*/
fun createUnauthenticated(): HttpClient {
return HttpClient {
install(ContentNegotiation) {
json(Json {
prettyPrint = true
isLenient = true
ignoreUnknownKeys = true
})
}
}
/**
* Create an HTTP client without authentication (for login/public endpoints)
*/
fun createUnauthenticated(): HttpClient {
return HttpClient {
install(ContentNegotiation) {
json(Json {
prettyPrint = true
isLenient = true
ignoreUnknownKeys = true
})
}
}
}
}
clients/auth-feature/src/commonMain/kotlin/at/mocode/clients/authfeature/LoginScreen.kt
+106 -106
View File
@@ -19,118 +19,118 @@ import androidx.lifecycle.viewmodel.compose.viewModel
@OptIn(ExperimentalMaterial3Api::class)
@Composable
fun LoginScreen(
authTokenManager: AuthTokenManager,
viewModel: LoginViewModel = viewModel { LoginViewModel(authTokenManager) },
onLoginSuccess: () -> Unit = {}
authTokenManager: AuthTokenManager,
viewModel: LoginViewModel = viewModel { LoginViewModel(authTokenManager) },
onLoginSuccess: () -> Unit = {}
) {
val uiState by viewModel.uiState.collectAsState()
val passwordFocusRequester = remember { FocusRequester() }
val uiState by viewModel.uiState.collectAsState()
val passwordFocusRequester = remember { FocusRequester() }
Column(
Column(
modifier = Modifier
.fillMaxSize()
.padding(24.dp),
horizontalAlignment = Alignment.CenterHorizontally,
verticalArrangement = Arrangement.Center
) {
// Title
Text(
text = "Anmelden",
style = MaterialTheme.typography.headlineMedium,
color = MaterialTheme.colorScheme.onSurface,
modifier = Modifier.padding(bottom = 32.dp)
)
// Username field
OutlinedTextField(
value = uiState.username,
onValueChange = viewModel::updateUsername,
label = { Text("Benutzername") },
enabled = !uiState.isLoading,
isError = uiState.usernameError != null,
supportingText = uiState.usernameError?.let { { Text(it) } },
keyboardOptions = KeyboardOptions(
keyboardType = KeyboardType.Text,
imeAction = ImeAction.Next
),
keyboardActions = KeyboardActions(
onNext = { passwordFocusRequester.requestFocus() }
),
modifier = Modifier
.fillMaxWidth()
.padding(bottom = 16.dp)
)
// Password field
OutlinedTextField(
value = uiState.password,
onValueChange = viewModel::updatePassword,
label = { Text("Passwort") },
enabled = !uiState.isLoading,
isError = uiState.passwordError != null,
supportingText = uiState.passwordError?.let { { Text(it) } },
visualTransformation = PasswordVisualTransformation(),
keyboardOptions = KeyboardOptions(
keyboardType = KeyboardType.Password,
imeAction = ImeAction.Done
),
keyboardActions = KeyboardActions(
onDone = {
if (uiState.canLogin) {
viewModel.login()
}
}
),
modifier = Modifier
.fillMaxWidth()
.focusRequester(passwordFocusRequester)
.padding(bottom = 24.dp)
)
// Error message
if (uiState.errorMessage != null) {
Card(
colors = CardDefaults.cardColors(
containerColor = MaterialTheme.colorScheme.errorContainer
),
modifier = Modifier
.fillMaxSize()
.padding(24.dp),
horizontalAlignment = Alignment.CenterHorizontally,
verticalArrangement = Arrangement.Center
) {
// Title
.fillMaxWidth()
.padding(bottom = 16.dp)
) {
Text(
text = "Anmelden",
style = MaterialTheme.typography.headlineMedium,
color = MaterialTheme.colorScheme.onSurface,
modifier = Modifier.padding(bottom = 32.dp)
text = uiState.errorMessage!!,
color = MaterialTheme.colorScheme.onErrorContainer,
style = MaterialTheme.typography.bodyMedium,
textAlign = TextAlign.Center,
modifier = Modifier.padding(16.dp)
)
// Username field
OutlinedTextField(
value = uiState.username,
onValueChange = viewModel::updateUsername,
label = { Text("Benutzername") },
enabled = !uiState.isLoading,
isError = uiState.usernameError != null,
supportingText = uiState.usernameError?.let { { Text(it) } },
keyboardOptions = KeyboardOptions(
keyboardType = KeyboardType.Text,
imeAction = ImeAction.Next
),
keyboardActions = KeyboardActions(
onNext = { passwordFocusRequester.requestFocus() }
),
modifier = Modifier
.fillMaxWidth()
.padding(bottom = 16.dp)
)
// Password field
OutlinedTextField(
value = uiState.password,
onValueChange = viewModel::updatePassword,
label = { Text("Passwort") },
enabled = !uiState.isLoading,
isError = uiState.passwordError != null,
supportingText = uiState.passwordError?.let { { Text(it) } },
visualTransformation = PasswordVisualTransformation(),
keyboardOptions = KeyboardOptions(
keyboardType = KeyboardType.Password,
imeAction = ImeAction.Done
),
keyboardActions = KeyboardActions(
onDone = {
if (uiState.canLogin) {
viewModel.login()
}
}
),
modifier = Modifier
.fillMaxWidth()
.focusRequester(passwordFocusRequester)
.padding(bottom = 24.dp)
)
// Error message
if (uiState.errorMessage != null) {
Card(
colors = CardDefaults.cardColors(
containerColor = MaterialTheme.colorScheme.errorContainer
),
modifier = Modifier
.fillMaxWidth()
.padding(bottom = 16.dp)
) {
Text(
text = uiState.errorMessage!!,
color = MaterialTheme.colorScheme.onErrorContainer,
style = MaterialTheme.typography.bodyMedium,
textAlign = TextAlign.Center,
modifier = Modifier.padding(16.dp)
)
}
}
// Login button
Button(
onClick = { viewModel.login() },
enabled = uiState.canLogin && !uiState.isLoading,
modifier = Modifier
.fillMaxWidth()
.height(48.dp)
) {
if (uiState.isLoading) {
CircularProgressIndicator(
modifier = Modifier.size(20.dp),
strokeWidth = 2.dp,
color = MaterialTheme.colorScheme.onPrimary
)
} else {
Text("Anmelden")
}
}
}
}
// Handle login success
LaunchedEffect(uiState.isAuthenticated) {
if (uiState.isAuthenticated) {
onLoginSuccess()
}
// Login button
Button(
onClick = { viewModel.login() },
enabled = uiState.canLogin && !uiState.isLoading,
modifier = Modifier
.fillMaxWidth()
.height(48.dp)
) {
if (uiState.isLoading) {
CircularProgressIndicator(
modifier = Modifier.size(20.dp),
strokeWidth = 2.dp,
color = MaterialTheme.colorScheme.onPrimary
)
} else {
Text("Anmelden")
}
}
}
// Handle login success
LaunchedEffect(uiState.isAuthenticated) {
if (uiState.isAuthenticated) {
onLoginSuccess()
}
}
}
clients/auth-feature/src/commonMain/kotlin/at/mocode/clients/authfeature/LoginViewModel.kt
+92 -93
View File
@@ -2,131 +2,130 @@ package at.mocode.clients.authfeature
import androidx.lifecycle.ViewModel
import androidx.lifecycle.viewModelScope
import at.mocode.clients.shared.AppConfig
import io.ktor.client.call.*
import at.mocode.clients.authfeature.AuthenticatedHttpClient.addAuthHeader
import at.mocode.clients.shared.core.AppConstants
import io.ktor.client.request.*
import kotlinx.coroutines.flow.MutableStateFlow
import kotlinx.coroutines.flow.StateFlow
import kotlinx.coroutines.flow.asStateFlow
import kotlinx.coroutines.launch
import at.mocode.clients.authfeature.AuthenticatedHttpClient.addAuthHeader
/**
* UI state for the login screen
*/
data class LoginUiState(
val username: String = "",
val password: String = "",
val isLoading: Boolean = false,
val isAuthenticated: Boolean = false,
val errorMessage: String? = null,
val usernameError: String? = null,
val passwordError: String? = null
val username: String = "",
val password: String = "",
val isLoading: Boolean = false,
val isAuthenticated: Boolean = false,
val errorMessage: String? = null,
val usernameError: String? = null,
val passwordError: String? = null
) {
val canLogin: Boolean
get() = username.isNotBlank() && password.isNotBlank() && !isLoading
val canLogin: Boolean
get() = username.isNotBlank() && password.isNotBlank() && !isLoading
}
/**
* ViewModel for handling login authentication logic
*/
class LoginViewModel(
private val authTokenManager: AuthTokenManager
private val authTokenManager: AuthTokenManager
) : ViewModel() {
private val _uiState = MutableStateFlow(LoginUiState())
val uiState: StateFlow<LoginUiState> = _uiState.asStateFlow()
private val _uiState = MutableStateFlow(LoginUiState())
val uiState: StateFlow<LoginUiState> = _uiState.asStateFlow()
private val authApiClient = AuthApiClient()
private val authApiClient = AuthApiClient()
fun updateUsername(username: String) {
_uiState.value = _uiState.value.copy(
username = username,
usernameError = null,
errorMessage = null
)
fun updateUsername(username: String) {
_uiState.value = _uiState.value.copy(
username = username,
usernameError = null,
errorMessage = null
)
}
fun updatePassword(password: String) {
_uiState.value = _uiState.value.copy(
password = password,
passwordError = null,
errorMessage = null
)
}
fun login() {
val currentState = _uiState.value
// Validate input
if (currentState.username.isBlank()) {
_uiState.value = currentState.copy(usernameError = "Benutzername ist erforderlich")
return
}
fun updatePassword(password: String) {
_uiState.value = _uiState.value.copy(
password = password,
passwordError = null,
errorMessage = null
)
if (currentState.password.isBlank()) {
_uiState.value = currentState.copy(passwordError = "Passwort ist erforderlich")
return
}
fun login() {
val currentState = _uiState.value
// Start the login process
_uiState.value = currentState.copy(
isLoading = true,
errorMessage = null,
usernameError = null,
passwordError = null
)
// Validate input
if (currentState.username.isBlank()) {
_uiState.value = currentState.copy(usernameError = "Benutzername ist erforderlich")
return
}
if (currentState.password.isBlank()) {
_uiState.value = currentState.copy(passwordError = "Passwort ist erforderlich")
return
}
// Start the login process
_uiState.value = currentState.copy(
isLoading = true,
errorMessage = null,
usernameError = null,
passwordError = null
viewModelScope.launch {
try {
val loginResponse = authApiClient.login(
username = currentState.username,
password = currentState.password
)
viewModelScope.launch {
if (loginResponse.success && loginResponse.token != null) {
// Store the JWT token
authTokenManager.setToken(loginResponse.token)
_uiState.value = _uiState.value.copy(
isLoading = false,
isAuthenticated = true,
errorMessage = null
)
// Fire-and-forget: Trigger Backend Sync so the user exists in Members
viewModelScope.launch {
try {
val loginResponse = authApiClient.login(
username = currentState.username,
password = currentState.password
)
if (loginResponse.success && loginResponse.token != null) {
// Store the JWT token
authTokenManager.setToken(loginResponse.token)
_uiState.value = _uiState.value.copy(
isLoading = false,
isAuthenticated = true,
errorMessage = null
)
// Fire-and-forget: Trigger Backend Sync so the user exists in Members
viewModelScope.launch {
try {
val client = AuthenticatedHttpClient.create()
client.post("${AppConfig.GATEWAY_URL}/api/members/sync") {
addAuthHeader()
}
} catch (_: Exception) {
// Non-fatal: Wir zeigen Sync-Fehler im Login nicht an
}
}
} else {
_uiState.value = _uiState.value.copy(
isLoading = false,
errorMessage = loginResponse.message ?: "Anmeldung fehlgeschlagen"
)
}
} catch (e: Exception) {
_uiState.value = _uiState.value.copy(
isLoading = false,
errorMessage = "Verbindungsfehler: ${e.message}"
)
val client = AuthenticatedHttpClient.create()
client.post("${AppConstants.GATEWAY_URL}/api/members/sync") {
addAuthHeader()
}
} catch (_: Exception) {
// Non-fatal: Wir zeigen Sync-Fehler im Login nicht an
}
}
} else {
_uiState.value = _uiState.value.copy(
isLoading = false,
errorMessage = loginResponse.message ?: "Anmeldung fehlgeschlagen"
)
}
} catch (e: Exception) {
_uiState.value = _uiState.value.copy(
isLoading = false,
errorMessage = "Verbindungsfehler: ${e.message}"
)
}
}
}
fun logout() {
authTokenManager.clearToken()
_uiState.value = LoginUiState()
}
fun logout() {
authTokenManager.clearToken()
_uiState.value = LoginUiState()
}
fun checkAuthenticationStatus() {
val isAuthenticated = authTokenManager.hasValidToken()
_uiState.value = _uiState.value.copy(isAuthenticated = isAuthenticated)
}
fun checkAuthenticationStatus() {
val isAuthenticated = authTokenManager.hasValidToken()
_uiState.value = _uiState.value.copy(isAuthenticated = isAuthenticated)
}
}
clients/auth-feature/src/commonMain/kotlin/at/mocode/clients/authfeature/oauth/AuthCallbackParams.kt
+12
View File
@@ -0,0 +1,12 @@
package at.mocode.clients.authfeature.oauth
data class CallbackParams(val code: String, val state: String?)
expect object AuthCallbackParams {
/**
* Parse OAuth callback parameters from the current environment.
* - JS (web): reads window.location.search for `code` and `state` and removes them from the URL.
* - JVM (desktop): returns null.
*/
fun parse(): CallbackParams?
}
clients/auth-feature/src/commonMain/kotlin/at/mocode/clients/authfeature/oauth/OAuthPkce.kt
+34
View File
@@ -0,0 +1,34 @@
package at.mocode.clients.authfeature.oauth
import at.mocode.clients.shared.core.AppConstants
data class PkceState(
val state: String,
val codeVerifier: String,
val codeChallenge: String,
val method: String = "S256"
)
object OAuthParams {
const val RESPONSE_TYPE = "code"
const val SCOPE = "openid"
}
/**
* expect/actual service to support PKCE across JS and JVM.
* For the desktop (JVM) target we currently do not start a browser flow,
* but we provide hashing to keep API parity.
*/
expect object OAuthPkceService {
/** Starts a PKCE auth attempt and stores transient state in memory. */
suspend fun startAuth(): PkceState
/** Returns currently active state if any (not persisted). */
fun current(): PkceState?
/** Clears transient state (after success/failure). */
fun clear()
/** Builds the authorize URL for the current state. */
fun buildAuthorizeUrl(state: PkceState, redirectUri: String = AppConstants.webRedirectUri()): String
}
clients/auth-feature/src/jsMain/kotlin/at/mocode/clients/authfeature/oauth/AuthCallbackParamsJs.kt
+19
View File
@@ -0,0 +1,19 @@
package at.mocode.clients.authfeature.oauth
import kotlinx.browser.window
actual object AuthCallbackParams {
actual fun parse(): CallbackParams? {
val search = window.location.search
if (search.isBlank()) return null
val params = js("new URLSearchParams(arguments[0])").unsafeCast<(String) -> dynamic>()(search)
val code = params.get("code") as String?
val state = params.get("state") as String?
return if (!code.isNullOrBlank()) {
// Clean up query params to avoid re-processing on recomposition
val url = window.location.origin + window.location.pathname
window.history.replaceState(null, "", url)
CallbackParams(code, state)
} else null
}
}
clients/auth-feature/src/jsMain/kotlin/at/mocode/clients/authfeature/oauth/OAuthPkceJs.kt
+81
View File
@@ -0,0 +1,81 @@
package at.mocode.clients.authfeature.oauth
import at.mocode.clients.shared.core.AppConstants
import kotlinx.browser.window
import kotlinx.coroutines.await
import org.khronos.webgl.ArrayBuffer
import org.khronos.webgl.Uint8Array
import kotlin.js.Promise
import kotlin.random.Random
private var currentPkce: PkceState? = null
private fun base64UrlFromBytes(bytes: ByteArray): String {
// Build binary string from bytes
val sb = StringBuilder(bytes.size)
for (b in bytes) sb.append(b.toInt().toChar())
val b64 = window.btoa(sb.toString())
return b64.replace("+", "-").replace("/", "_").trimEnd('=')
}
private fun base64UrlFromArrayBuffer(buf: ArrayBuffer): String {
val arr = Uint8Array(buf)
var binary = ""
val len = arr.length
for (i in 0 until len) {
val v = (arr.asDynamic()[i] as Number).toInt()
binary += fromCharCode(v)
}
val b64 = window.btoa(binary)
return b64.replace("+", "-").replace("/", "_").trimEnd('=')
}
private fun randomUrlSafe(length: Int): String {
val bytes = Random.Default.nextBytes(length)
// Use base64url for entropy; ensure URL-safe by replacing padding removed already
return base64UrlFromBytes(bytes)
}
private fun sha256(input: String): Promise<ArrayBuffer> {
val enc: dynamic = js("new TextEncoder()")
val data = enc.encode(input)
val subtle: dynamic = window.asDynamic().crypto.subtle
return subtle.digest("SHA-256", data) as Promise<ArrayBuffer>
}
actual object OAuthPkceService {
actual suspend fun startAuth(): PkceState {
val codeVerifier = randomUrlSafe(64)
val challengeBuf = sha256(codeVerifier).await()
val codeChallenge = base64UrlFromArrayBuffer(challengeBuf)
val state = randomUrlSafe(16)
val pkce = PkceState(state, codeVerifier, codeChallenge)
currentPkce = pkce
return pkce
}
actual fun current(): PkceState? = currentPkce
actual fun clear() {
currentPkce = null
}
actual fun buildAuthorizeUrl(state: PkceState, redirectUri: String): String {
val params = listOf(
"response_type" to OAuthParams.RESPONSE_TYPE,
"client_id" to AppConstants.KEYCLOAK_CLIENT_ID,
"redirect_uri" to redirectUri,
"scope" to OAuthParams.SCOPE,
"state" to state.state,
"code_challenge" to state.codeChallenge,
"code_challenge_method" to state.method
).joinToString("&") { (k, v) -> "$k=" + encodeURIComponent(v) }
return AppConstants.authorizeEndpoint() + "?" + params
}
}
@Suppress("UnsafeCastFromDynamic")
private fun encodeURIComponent(value: String): String = js("encodeURIComponent")(value)
@Suppress("UnsafeCastFromDynamic")
private fun fromCharCode(code: Int): String = js("String.fromCharCode")(code)
clients/auth-feature/src/jvmMain/kotlin/at/mocode/clients/authfeature/oauth/AuthCallbackParamsJvm.kt
+5
View File
@@ -0,0 +1,5 @@
package at.mocode.clients.authfeature.oauth
actual object AuthCallbackParams {
actual fun parse(): CallbackParams? = null
}
clients/auth-feature/src/jvmMain/kotlin/at/mocode/clients/authfeature/oauth/OAuthPkceJvm.kt
+55
View File
@@ -0,0 +1,55 @@
package at.mocode.clients.authfeature.oauth
import at.mocode.clients.shared.core.AppConstants
import java.security.MessageDigest
import java.security.SecureRandom
import java.util.Base64
private var currentPkceJvm: PkceState? = null
private fun base64UrlNoPad(bytes: ByteArray): String =
Base64.getUrlEncoder().withoutPadding().encodeToString(bytes)
private fun randomUrlSafe(length: Int): String {
// Generate bytes and Base64 URL encode (will be > length due to encoding)
val rnd = SecureRandom()
val bytes = ByteArray(length)
rnd.nextBytes(bytes)
return base64UrlNoPad(bytes)
}
private fun sha256Base64Url(input: String): String {
val md = MessageDigest.getInstance("SHA-256")
val digest = md.digest(input.toByteArray(Charsets.UTF_8))
return base64UrlNoPad(digest)
}
actual object OAuthPkceService {
actual suspend fun startAuth(): PkceState {
val codeVerifier = randomUrlSafe(64)
val codeChallenge = sha256Base64Url(codeVerifier)
val state = randomUrlSafe(16)
val pkce = PkceState(state, codeVerifier, codeChallenge)
currentPkceJvm = pkce
return pkce
}
actual fun current(): PkceState? = currentPkceJvm
actual fun clear() {
currentPkceJvm = null
}
actual fun buildAuthorizeUrl(state: PkceState, redirectUri: String): String {
val params = listOf(
"response_type" to OAuthParams.RESPONSE_TYPE,
"client_id" to AppConstants.KEYCLOAK_CLIENT_ID,
"redirect_uri" to redirectUri,
"scope" to OAuthParams.SCOPE,
"state" to state.state,
"code_challenge" to state.codeChallenge,
"code_challenge_method" to state.method
).joinToString("&") { (k, v) -> "$k=" + java.net.URLEncoder.encode(v, Charsets.UTF_8) }
return AppConstants.authorizeEndpoint() + "?" + params
}
}