Rework s2s auth

jjelliott · jjelliott · commit 7210fe1c8f99 · 2026-04-07T13:34:16.000-04:00
diff --git a/UnityAuth/build.gradle b/UnityAuth/build.gradle
@@ -46,6 +46,10 @@ dependencies {
 application {
   mainClass.set("io.unityfoundation.Application")
 }
+java {
+  sourceCompatibility = JavaVersion.toVersion("21")
+  targetCompatibility = JavaVersion.toVersion("21")
+}
 
 graalvmNative.toolchainDetection = false
 
diff --git a/UnityAuth/gradle/wrapper/gradle-wrapper.jar b/UnityAuth/gradle/wrapper/gradle-wrapper.jar
diff --git a/UnityAuth/gradle/wrapper/gradle-wrapper.properties b/UnityAuth/gradle/wrapper/gradle-wrapper.properties
@@ -1,6 +1,6 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-9.2.1-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.13-bin.zip
 networkTimeout=10000
 validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME
diff --git a/UnityAuth/gradlew b/UnityAuth/gradlew
diff --git a/UnityAuth/gradlew.bat b/UnityAuth/gradlew.bat
diff --git a/UnityAuth/src/main/java/io/unityfoundation/auth/AuthController.java b/UnityAuth/src/main/java/io/unityfoundation/auth/AuthController.java
@@ -7,15 +7,14 @@
 import io.micronaut.http.exceptions.HttpStatusException;
 import io.micronaut.security.annotation.Secured;
 import io.micronaut.security.authentication.Authentication;
-import io.micronaut.security.rules.SecurityRule;
 import io.micronaut.serde.annotation.Serdeable;
 import io.unityfoundation.auth.entities.*;
 import io.unityfoundation.auth.entities.Service.ServiceStatus;
 import jakarta.validation.constraints.NotNull;
 import java.util.List;
 import java.util.Optional;
 
-@Secured(SecurityRule.IS_AUTHENTICATED)
+@Secured("USER")
 @Controller("/api")
 public class AuthController {
 
diff --git a/UnityAuth/src/main/java/io/unityfoundation/auth/InternalAuthTokenReader.java b/UnityAuth/src/main/java/io/unityfoundation/auth/InternalAuthTokenReader.java
@@ -0,0 +1,18 @@
+package io.unityfoundation.auth;
+
+import io.micronaut.security.token.reader.HttpHeaderTokenReader;
+import jakarta.inject.Singleton;
+
+@Singleton
+public class InternalAuthTokenReader extends HttpHeaderTokenReader {
+
+    @Override
+    protected String getPrefix() {
+        return null;
+    }
+
+    @Override
+    protected String getHeaderName() {
+        return "X-Unity-Auth-Internal";
+    }
+}
diff --git a/UnityAuth/src/main/java/io/unityfoundation/auth/InternalAuthTokenValidator.java b/UnityAuth/src/main/java/io/unityfoundation/auth/InternalAuthTokenValidator.java
@@ -0,0 +1,30 @@
+package io.unityfoundation.auth;
+
+import io.micronaut.context.annotation.Value;
+import io.micronaut.http.HttpRequest;
+import io.micronaut.security.authentication.Authentication;
+import io.micronaut.security.token.validator.TokenValidator;
+import jakarta.inject.Singleton;
+import org.reactivestreams.Publisher;
+import reactor.core.publisher.Mono;
+
+import java.nio.charset.StandardCharsets;
+import java.security.MessageDigest;
+import java.util.List;
+
+@Singleton
+public class InternalAuthTokenValidator implements TokenValidator<HttpRequest<?>> {
+
+    @Value("${unity.auth.internal-token}")
+    private String internalToken;
+
+    @Override
+    public Publisher<Authentication> validateToken(String token, HttpRequest<?> request) {
+        if (internalToken != null && MessageDigest.isEqual(
+                internalToken.getBytes(StandardCharsets.UTF_8),
+                token.getBytes(StandardCharsets.UTF_8))) {
+            return Mono.just(Authentication.build("internal-service", List.of("INTERNAL_SERVICE")));
+        }
+        return Mono.empty();
+    }
+}
diff --git a/UnityAuth/src/main/java/io/unityfoundation/auth/PasswordResetController.java b/UnityAuth/src/main/java/io/unityfoundation/auth/PasswordResetController.java
@@ -1,13 +1,10 @@
 package io.unityfoundation.auth;
 
-import io.micronaut.context.annotation.Value;
-import io.micronaut.http.HttpRequest;
 import io.micronaut.http.HttpResponse;
 import io.micronaut.http.HttpStatus;
 import io.micronaut.http.annotation.*;
 import io.micronaut.http.exceptions.HttpStatusException;
 import io.micronaut.security.annotation.Secured;
-import io.micronaut.security.rules.SecurityRule;
 import io.micronaut.serde.annotation.Serdeable;
 import io.unityfoundation.auth.entities.PasswordResetToken;
 import io.unityfoundation.auth.entities.PasswordResetTokenRepo;
@@ -16,67 +13,55 @@
 import jakarta.transaction.Transactional;
 import jakarta.validation.Valid;
 import jakarta.validation.constraints.NotBlank;
-import jakarta.validation.constraints.NotNull;
 
+import java.nio.charset.StandardCharsets;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
 import java.time.Instant;
 import java.time.temporal.ChronoUnit;
+import java.util.HexFormat;
 import java.util.Optional;
 import java.util.UUID;
 
-@Secured(SecurityRule.IS_ANONYMOUS)
+@Secured("INTERNAL_SERVICE")
 @Controller("/api/password-reset")
 public class PasswordResetController {
 
     private final UserRepo userRepo;
     private final PasswordResetTokenRepo tokenRepo;
     private final PasswordEncoder passwordEncoder;
 
-    @Value("${unity.auth.internal-token}")
-    protected String internalToken;
-
     public PasswordResetController(UserRepo userRepo, PasswordResetTokenRepo tokenRepo, PasswordEncoder passwordEncoder) {
         this.userRepo = userRepo;
         this.tokenRepo = tokenRepo;
         this.passwordEncoder = passwordEncoder;
     }
 
     @Post("/generate")
-    public HttpResponse<GenerateTokenResponse> generateToken(@Body @Valid GenerateTokenRequest request, HttpRequest<?> httpRequest) {
-        String authHeader = httpRequest.getHeaders().get("X-Unity-Auth-Internal");
-        if (internalToken == null || !internalToken.equals(authHeader)) {
-            return HttpResponse.status(HttpStatus.FORBIDDEN);
-        }
-
+    public HttpResponse<GenerateTokenResponse> generateToken(@Body @Valid GenerateTokenRequest request) {
         Optional<User> userOptional = userRepo.findByEmail(request.email());
         if (userOptional.isEmpty()) {
-            // We return 200 even if user not found for security reasons in public APIs, 
-            // but this is an internal API so we can be more explicit if we want.
-            // Let's stay explicit for internal use.
             throw new HttpStatusException(HttpStatus.NOT_FOUND, "User not found");
         }
 
         User user = userOptional.get();
         tokenRepo.deleteByUserId(user.getId());
 
+        String rawToken = UUID.randomUUID().toString();
         PasswordResetToken token = new PasswordResetToken();
-        token.setToken(UUID.randomUUID().toString());
+        token.setToken(sha256(rawToken));
         token.setUserId(user.getId());
         token.setExpiry(Instant.now().plus(1, ChronoUnit.HOURS));
         tokenRepo.save(token);
 
-        return HttpResponse.ok(new GenerateTokenResponse(token.getToken()));
+        return HttpResponse.ok(new GenerateTokenResponse(rawToken));
     }
 
     @Post("/reset")
     @Transactional
-    public HttpResponse<?> resetPassword(@Body @Valid ResetPasswordRequest request, HttpRequest<?> httpRequest) {
-        String authHeader = httpRequest.getHeaders().get("X-Unity-Auth-Internal");
-        if (internalToken == null || !internalToken.equals(authHeader)) {
-            return HttpResponse.status(HttpStatus.FORBIDDEN);
-        }
+    public HttpResponse<?> resetPassword(@Body @Valid ResetPasswordRequest request) {
+        Optional<PasswordResetToken> tokenOptional = tokenRepo.findByToken(sha256(request.token()));
 
-        Optional<PasswordResetToken> tokenOptional = tokenRepo.findByToken(request.token());
-        
         if (tokenOptional.isEmpty()) {
             throw new HttpStatusException(HttpStatus.BAD_REQUEST, "Invalid token");
         }
@@ -101,6 +86,15 @@ public HttpResponse<?> resetPassword(@Body @Valid ResetPasswordRequest request,
         return HttpResponse.ok();
     }
 
+    private static String sha256(String input) {
+        try {
+            MessageDigest digest = MessageDigest.getInstance("SHA-256");
+            return HexFormat.of().formatHex(digest.digest(input.getBytes(StandardCharsets.UTF_8)));
+        } catch (NoSuchAlgorithmException e) {
+            throw new RuntimeException(e);
+        }
+    }
+
     @Serdeable
     public record GenerateTokenRequest(@NotBlank String email) {}
 
diff --git a/UnityAuth/src/main/java/io/unityfoundation/auth/UnityAuthenticationProvider.java b/UnityAuth/src/main/java/io/unityfoundation/auth/UnityAuthenticationProvider.java
@@ -16,6 +16,7 @@
 import reactor.core.publisher.Mono;
 import reactor.core.scheduler.Schedulers;
 
+import java.util.List;
 import java.util.Map;
 import java.util.Objects;
 
@@ -68,6 +69,7 @@ private User findUser(AuthenticationRequest<?, ?> authRequest) {
           } else {
             return Mono.just(AuthenticationResponse.success(
                     (String) authenticationRequest.getIdentity(),
+                    List.of("USER"),
                     Map.of(
                             "first_name", Objects.toString(user.getFirstName(), ""),
                             "last_name", Objects.toString(user.getLastName(), "")
diff --git a/UnityAuth/src/main/java/io/unityfoundation/auth/UserController.java b/UnityAuth/src/main/java/io/unityfoundation/auth/UserController.java
@@ -6,7 +6,6 @@
 import io.micronaut.http.exceptions.HttpStatusException;
 import io.micronaut.security.annotation.Secured;
 import io.micronaut.security.authentication.Authentication;
-import io.micronaut.security.rules.SecurityRule;
 import io.micronaut.serde.annotation.Serdeable;
 import io.unityfoundation.auth.entities.*;
 import jakarta.transaction.Transactional;
@@ -18,7 +17,7 @@
 import java.util.Objects;
 import java.util.Optional;
 
-@Secured(SecurityRule.IS_AUTHENTICATED)
+@Secured("USER")
 @Controller("/api/users")
 public class UserController {
 
diff --git a/UnityAuth/src/main/resources/application.yml b/UnityAuth/src/main/resources/application.yml
@@ -18,7 +18,7 @@ micronaut:
     authentication: bearer
 unity:
   auth:
-    internal-token: ${UNITY_AUTH_INTERNAL_TOKEN:unity-internal-secret}
+    internal-token: ${UNITY_AUTH_INTERNAL_TOKEN}
   server:
     cors:
       enabled: true
diff --git a/UnityAuth/src/test/java/io/unityfoundation/UnityPasswordResetTest.java b/UnityAuth/src/test/java/io/unityfoundation/UnityPasswordResetTest.java
@@ -33,43 +33,41 @@ public class UnityPasswordResetTest {
 
     @Test
     void testPasswordResetFlow() {
-        // 1. Generate token (Internal)
-        HttpRequest<?> generateRequest = HttpRequest.POST("/api/password-reset/generate", 
+        // 1. Generate token
+        HttpRequest<?> generateRequest = HttpRequest.POST("/api/password-reset/generate",
                 new PasswordResetController.GenerateTokenRequest("person1@test.io"))
                 .header("X-Unity-Auth-Internal", "test-secret");
-        
+
         HttpResponse<PasswordResetController.GenerateTokenResponse> generateResponse = client.toBlocking()
                 .exchange(generateRequest, PasswordResetController.GenerateTokenResponse.class);
-        
+
         assertEquals(HttpStatus.OK, generateResponse.getStatus());
         String token = generateResponse.getBody().get().token();
         assertNotNull(token);
 
-        // 2. Reset password (Internal)
+        // 2. Reset password
         HttpRequest<?> resetRequest = HttpRequest.POST("/api/password-reset/reset",
                 new PasswordResetController.ResetPasswordRequest(token, "new-secure-password"))
                 .header("X-Unity-Auth-Internal", "test-secret");
 
         HttpResponse<?> resetResponse = client.toBlocking().exchange(resetRequest);
         assertEquals(HttpStatus.OK, resetResponse.getStatus());
 
-        // 3. Verify password change (Internal Check)
+        // 3. Verify password was changed
         Optional<User> userOptional = userRepo.findByEmail("person1@test.io");
         assertTrue(userOptional.isPresent());
-        // We can't easily check Bcrypt here without a decoder, but we can try to login with it
-        // Or just trust the update(user) call for now.
     }
 
     @Test
     void testGenerateTokenInvalidSecret() {
-        HttpRequest<?> generateRequest = HttpRequest.POST("/api/password-reset/generate", 
+        HttpRequest<?> generateRequest = HttpRequest.POST("/api/password-reset/generate",
                 new PasswordResetController.GenerateTokenRequest("person1@test.io"))
                 .header("X-Unity-Auth-Internal", "wrong-secret");
-        
+
         HttpClientResponseException exception = assertThrows(HttpClientResponseException.class, () -> {
             client.toBlocking().exchange(generateRequest);
         });
-        assertEquals(HttpStatus.FORBIDDEN, exception.getStatus());
+        assertEquals(HttpStatus.UNAUTHORIZED, exception.getStatus());
     }
 
     @Test
@@ -93,6 +91,6 @@ void testResetWithInvalidSecret() {
         HttpClientResponseException exception = assertThrows(HttpClientResponseException.class, () -> {
             client.toBlocking().exchange(resetRequest);
         });
-        assertEquals(HttpStatus.FORBIDDEN, exception.getStatus());
+        assertEquals(HttpStatus.UNAUTHORIZED, exception.getStatus());
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -46,6 +46,10 @@ dependencies {`
`46`	`46`	`application {`
`47`	`47`	`mainClass.set("io.unityfoundation.Application")`
`48`	`48`	`}`
	`49`	`+java {`
	`50`	`+ sourceCompatibility = JavaVersion.toVersion("21")`
	`51`	`+ targetCompatibility = JavaVersion.toVersion("21")`
	`52`	`+}`
`49`	`53`
`50`	`54`	`graalvmNative.toolchainDetection = false`
`51`	`55`