lock down share info secrets a bit

barneyb · barneyb · commit d9d08192f69a · 2025-09-28T19:47:05.000-07:00
diff --git a/src/main/java/com/brennaswitzer/cookbook/util/ShareHelper.java b/src/main/java/com/brennaswitzer/cookbook/util/ShareHelper.java
@@ -5,6 +5,8 @@
 import com.brennaswitzer.cookbook.domain.Named;
 import com.brennaswitzer.cookbook.payload.ShareInfo;
 import com.google.common.annotations.VisibleForTesting;
+import com.nimbusds.jose.jwk.source.ImmutableSecret;
+import com.nimbusds.jose.proc.SecurityContext;
 import org.apache.commons.codec.digest.HmacAlgorithms;
 import org.apache.commons.codec.digest.HmacUtils;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -14,35 +16,39 @@
 @Component
 public class ShareHelper {
 
+    private ImmutableSecret<SecurityContext> secret;
+
     @Autowired
-    private AppProperties appProperties;
+    public void setAppProperties(AppProperties appProperties) {
+        this.secret = new ImmutableSecret<>(
+                appProperties.getAuth()
+                        .getTokenSecret()
+                        .getBytes());
+    }
 
     public <T extends Identified> ShareInfo getInfo(Class<T> clazz, T object) {
         return new ShareInfo(object.getId(),
                              SlugUtils.toSlug(object instanceof Named named
                                                       ? named.getName()
                                                       : clazz.getSimpleName(), 40),
-                             getSecret(clazz, object.getId()));
+                             getHmacSecret(clazz, object.getId()));
     }
 
     @VisibleForTesting
-    String getSecret(Class<?> clazz, Long id) {
+    String getHmacSecret(Class<?> clazz, Long id) {
         Assert.notNull(clazz, "Cannot generate a secret for the null class");
         Assert.notNull(id, "Cannot generate a secret for the null id");
-        return new HmacUtils(
-                HmacAlgorithms.HMAC_SHA_1,
-                appProperties.getAuth().getTokenSecret().getBytes()
-        ).hmacHex(
-                (clazz.getName() + '#' + id).getBytes()
-        );
+        return new HmacUtils(HmacAlgorithms.HMAC_SHA_1,
+                             secret.getSecret())
+                .hmacHex((clazz.getName() + '#' + id).getBytes());
     }
 
     @SuppressWarnings("BooleanMethodIsAlwaysInverted")
     public boolean isSecretValid(Class<?> clazz, Long id, String secret) {
         Assert.notNull(clazz, "Cannot validate a secret for the null class");
         Assert.notNull(id, "Cannot validate a secret for the null id");
         Assert.notNull(secret, "Cannot validate the null secret");
-        return secret.equals(getSecret(clazz, id));
+        return secret.equals(getHmacSecret(clazz, id));
     }
 
 }
diff --git a/src/test/java/com/brennaswitzer/cookbook/util/ShareHelperTest.java b/src/test/java/com/brennaswitzer/cookbook/util/ShareHelperTest.java
@@ -1,17 +1,22 @@
 package com.brennaswitzer.cookbook.util;
 
+import com.brennaswitzer.cookbook.config.AppProperties;
 import com.brennaswitzer.cookbook.domain.Identified;
 import com.brennaswitzer.cookbook.domain.Named;
+import com.brennaswitzer.cookbook.domain.Recipe;
 import com.brennaswitzer.cookbook.payload.ShareInfo;
 import lombok.Value;
+import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.InjectMocks;
+import org.mockito.Mock;
 import org.mockito.Spy;
 import org.mockito.junit.jupiter.MockitoExtension;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.mockito.Mockito.doReturn;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+import static org.mockito.Mockito.when;
 
 @ExtendWith(MockitoExtension.class)
 class ShareHelperTest {
@@ -20,6 +25,19 @@ class ShareHelperTest {
     @Spy
     private ShareHelper helper;
 
+    @Mock
+    private AppProperties appProperties;
+
+    @Mock
+    private AppProperties.Auth auth;
+
+    @BeforeEach
+    void setUp() {
+        when(appProperties.getAuth()).thenReturn(auth);
+        when(auth.getTokenSecret()).thenReturn("some-random-key");
+        helper.setAppProperties(appProperties);
+    }
+
     @Value
     private static class Shareable implements Identified, Named {
 
@@ -31,17 +49,24 @@ private static class Shareable implements Identified, Named {
     @Test
     void getInfo() {
         long id = 123L;
-        String secret = "secret";
-        doReturn(secret)
-                .when(helper)
-                .getSecret(Shareable.class, id);
+        String anonSecret = "329bb9790fd6c157e68cb4187cf52b11b6e9f4ba";
 
         ShareInfo info = helper.getInfo(Shareable.class,
                                         new Shareable(id, "A Thinger!"));
 
         assertEquals(id, info.getId());
         assertEquals("a-thinger", info.getSlug());
-        assertEquals(secret, info.getSecret());
+        assertTrue(helper.isSecretValid(Shareable.class, id, info.getSecret()));
+        assertTrue(helper.isSecretValid(Shareable.class, id, anonSecret));
+    }
+
+    @Test
+    void getHmacSecret() {
+        long id = 877123L;
+        String anonSecret = helper.getHmacSecret(Recipe.class, id);
+
+        assertEquals("6922b21b1364896cdfbd6ad930a50975c15a198a", anonSecret);
+        assertTrue(helper.isSecretValid(Recipe.class, id, anonSecret));
     }
 
 }
