Implement OTT

Author: AB-xdev

spring-security-advanced-authentication-ui-demo/src/main/java/software/xdev/security/MainWebSecurity.java

@@ -14,6 +14,8 @@
 import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.header.writers.ReferrerPolicyHeaderWriter;
 import org.springframework.security.web.savedrequest.NullRequestCache;
@@ -65,13 +67,24 @@ public SecurityFilterChain configure(
 				.referrerPolicy(r -> r.policy(ReferrerPolicyHeaderWriter.ReferrerPolicy.SAME_ORIGIN))
 				.contentSecurityPolicy(csp -> csp.policyDirectives(this.getCSP())))
 			.formLogin(Customizer.withDefaults())
+			.oneTimeTokenLogin(c -> c.tokenGenerationSuccessHandler(
+				(request, response, oneTimeToken) -> {
+					// Do nothing - Dummy
+				}))
 			.oauth2Login(c -> c.defaultSuccessUrl("/"))
 			.authorizeHttpRequests(urlRegistry -> urlRegistry.anyRequest().authenticated())
 			.requestCache(c -> c.requestCache(new NullRequestCache()));
 
 		return http.build();
 	}
 
+	// Required for OTT
+	@Bean
+	public UserDetailsService userDetailsService()
+	{
+		return new InMemoryUserDetailsManager();
+	}
+	
 	// Example CSP
 	protected String getCSP()
 	{

spring-security-advanced-authentication-ui/src/main/java/software/xdev/spring/security/web/authentication/ui/advanced/filters/AdvancedLoginPageGeneratingFilter.java

@@ -59,6 +59,14 @@ public class AdvancedLoginPageGeneratingFilter
 
 	protected String formLoginSignInText = "Sign in";
 
+	protected String oneTimeTokenHeaderText = "Request a One-Time Token";
+	
+	protected String oneTimeTokenUsernameParameter = "username";
+	
+	protected String oneTimeTokenUsernameText = "Username";
+	
+	protected String oneTimeTokenSendTokenText = "Send token";
+	
 	protected String ssoLoginHeaderText = "Login with";
 
 	protected String footer = "";
@@ -156,6 +164,30 @@ public AdvancedLoginPageGeneratingFilter formLoginSignInText(final String formLo
 		return this;
 	}
 
+	public AdvancedLoginPageGeneratingFilter oneTimeTokenHeaderText(final String oneTimeTokenHeaderText)
+	{
+		this.oneTimeTokenHeaderText = oneTimeTokenHeaderText;
+		return this;
+	}
+	
+	public AdvancedLoginPageGeneratingFilter oneTimeTokenUsernameText(final String oneTimeTokenUsernameText)
+	{
+		this.oneTimeTokenUsernameText = oneTimeTokenUsernameText;
+		return this;
+	}
+	
+	public AdvancedLoginPageGeneratingFilter oneTimeTokenUsernameParameter(final String oneTimeTokenUsernameParameter)
+	{
+		this.oneTimeTokenUsernameParameter = oneTimeTokenUsernameParameter;
+		return this;
+	}
+	
+	public AdvancedLoginPageGeneratingFilter oneTimeTokenSendTokenText(final String oneTimeTokenSendTokenText)
+	{
+		this.oneTimeTokenSendTokenText = oneTimeTokenSendTokenText;
+		return this;
+	}
+	
 	public AdvancedLoginPageGeneratingFilter ssoLoginHeaderText(final String ssoLoginHeaderText)
 	{
 		this.ssoLoginHeaderText = ssoLoginHeaderText;
@@ -208,10 +240,11 @@ protected String generateBody(
 		return "  " + this.createBodyElement()
 			+ "     " + this.createContainerElement()
 			+ "     " + this.createMainElement()
-			+ this.createError(loginError, errorMsg)
-			+ this.createLogoutSuccess(logoutSuccess)
+			+ this.renderError(loginError, errorMsg)
+			+ this.renderLogoutSuccess(logoutSuccess)
 			+ this.header
 			+ this.createFormLogin(request, contextPath)
+			+ this.createOneTimeTokenLogin(request, contextPath)
 			+ (this.hasSSOLogin() ? this.createHeaderLoginWith() : "")
 			+ this.createOAuth2LoginPagePart(contextPath)
 			+ this.createSaml2LoginPagePart(contextPath)
@@ -266,6 +299,18 @@ protected String createMainElement()
 			+ "'>";
 	}
 
+	@Override
+	protected String renderError(final boolean isError, final String message)
+	{
+		if(!isError)
+		{
+			return "";
+		}
+		return "<div class=\"alert alert-danger\" role=\"alert\">" + HtmlUtils.htmlEscape(message) + "</div>";
+	}
+	
+	// region Render FormLogin
+	
 	@SuppressWarnings("java:S1192")
 	protected String createFormLogin(final HttpServletRequest request, final String contextPath)
 	{
@@ -290,24 +335,63 @@ protected String createFormLogin(final HttpServletRequest request, final String
 			+ "</form>";
 	}
 
-	protected String createFormLoginSignInButton()
-	{
-		return "<button class=\"btn btn-block btn-primary w-100\" type=\"submit\">"
-			+ this.formLoginSignInText
-			+ "</button>";
-	}
-	
-	@Override
 	protected String createRememberMe(final String paramName)
 	{
-		return "<div class=\"form-check text-start my-2\">"
+		return "<div class=\"form-check text-start mt-1\">"
 			+ "<label for='remember-me' class=\"form-check-label\">"
 			+ this.formLoginRememberMeText
 			+ "</label>"
 			+ "<input class=\"form-check-input\" type='checkbox' name='" + paramName + "' id='remember-me'/>"
 			+ "</div>";
 	}
 
+	protected String createFormLoginSignInButton()
+	{
+		return "<button class=\"btn btn-block btn-primary w-100 mt-1\" type=\"submit\">"
+			+ this.formLoginSignInText
+			+ "</button>";
+	}
+	
+	// endregion
+	// region Render OTT
+	
+	protected String createOneTimeTokenLogin(final HttpServletRequest request, final String contextPath)
+	{
+		if(!this.oneTimeTokenEnabled)
+		{
+			return "";
+		}
+		
+		return this.createOneTimeTokenLoginHeader()
+			+ "<form id=\"ott-form\" class=\"mb-3\" method=\"post\" action=\"" + contextPath
+			+ this.generateOneTimeTokenUrl + "\">"
+			+ "<div class='form-floating'>"
+			+ "  <input type='text' class='form-control' name=\"" + this.oneTimeTokenUsernameParameter + "\""
+			+ " id='ott-username' placeholder=\"" + this.oneTimeTokenUsernameText + "\" required>"
+			+ "  <label for='username'>" + this.oneTimeTokenUsernameParameter + "</label>"
+			+ "</div>"
+			+ this.renderHiddenInputs(request)
+			+ this.createOneTimeTokenLoginSignInButton()
+			+ "</form>";
+	}
+	
+	protected String createOneTimeTokenLoginHeader()
+	{
+		return "<h5 class=\"h5 mb-2 fw-normal\">"
+			+ this.oneTimeTokenHeaderText
+			+ "</h5>";
+	}
+	
+	protected String createOneTimeTokenLoginSignInButton()
+	{
+		return "<button class=\"btn btn-block btn-primary w-100 mt-1\" type=\"submit\">"
+			+ this.oneTimeTokenSendTokenText
+			+ "</button>";
+	}
+	
+	// endregion
+	// region Render SSO
+	
 	protected boolean hasSSOLogin()
 	{
 		return this.oauth2LoginEnabled || this.saml2LoginEnabled;
@@ -379,6 +463,13 @@ protected String createSSOLoginPagePart(
 			+ "</table>";
 	}
 
+	// endregion
+	
+	protected String renderHiddenInputs(final HttpServletRequest request)
+	{
+		return this.renderHiddenInputs(this.resolveHiddenInputs.apply(request).entrySet());
+	}
+	
 	protected record ButtonBuildingData(
 		String url,
 		String name,

spring-security-advanced-authentication-ui/src/main/java/software/xdev/spring/security/web/authentication/ui/advanced/filters/AdvancedLogoutPageGeneratingFilter.java

@@ -106,4 +106,11 @@ protected String generateBody(final HttpServletRequest request)
 			+ "    </div>"
 			+ "  </body>";
 	}
+	
+	// Don't use template engine (with Regex) to improve performance
+	@Override
+	protected String renderHiddenInputs(final HttpServletRequest request)
+	{
+		return this.renderHiddenInputs(this.resolveHiddenInputs.apply(request).entrySet());
+	}
 }

spring-security-advanced-authentication-ui/src/main/java/software/xdev/spring/security/web/authentication/ui/advanced/filters/AdvancedSharedPageGeneratingFilter.java

@@ -18,6 +18,7 @@
 import java.util.List;
 import java.util.Map;
 import java.util.Optional;
+import java.util.Set;
 import java.util.stream.Collectors;
 
 import software.xdev.spring.security.web.authentication.ui.extendable.filters.ExtendableDefaultPageGeneratingFilter;
@@ -47,9 +48,9 @@ public interface AdvancedSharedPageGeneratingFilter<S extends AdvancedSharedPage
 	S addHeaderMeta(String name, String content);
 
 	default String generateHeader(
-		Map<String, String> headerMetas,
-		String pageTitle,
-		List<String> headerElements)
+		final Map<String, String> headerMetas,
+		final String pageTitle,
+		final List<String> headerElements)
 	{
 		return "  <head>"
 			+ "    <meta charset='utf-8'>"
@@ -61,4 +62,18 @@ default String generateHeader(
 			+ headerElements.stream().map(s -> "    " + s).collect(Collectors.joining())
 			+ "  </head>";
 	}
+	
+	default String renderHiddenInputs(final Set<Map.Entry<String, String>> entries)
+	{
+		final StringBuilder sb = new StringBuilder(50);
+		for(final Map.Entry<String, String> input : entries)
+		{
+			sb.append("<input name=\"");
+			sb.append(input.getKey());
+			sb.append("\" type=\"hidden\" value=\"");
+			sb.append(input.getValue());
+			sb.append("\" />\n");
+		}
+		return sb.toString();
+	}
 }

spring-security-advanced-authentication-ui/src/main/java/software/xdev/spring/security/web/authentication/ui/extendable/filters/ExtendableDefaultLoginPageGeneratingFilter.java

@@ -137,7 +137,12 @@ public void setResolveHeaders(final Function<HttpServletRequest, Map<String, Str
 	@Override
 	public boolean isEnabled()
 	{
-		return this.formLoginEnabled || this.oauth2LoginEnabled || this.saml2LoginEnabled;
+		// Improvement: OTT and Passkeys are missing!!!
+		return this.formLoginEnabled
+			|| this.oneTimeTokenEnabled
+			|| this.oauth2LoginEnabled
+			|| this.saml2LoginEnabled
+			|| this.passkeysEnabled;
 	}
 
 	@Override
@@ -384,8 +389,11 @@ protected String renderFormLogin(
 	}
 
 	protected String renderOneTimeTokenLogin(
-		final HttpServletRequest request, final boolean loginError, final boolean logoutSuccess,
-		final String contextPath, final String errorMsg)
+		final HttpServletRequest request,
+		final boolean loginError,
+		final boolean logoutSuccess,
+		final String contextPath,
+		final String errorMsg)
 	{
 		if(!this.oneTimeTokenEnabled)
 		{