From ed46ad8a0d2f8d6f047ea2cea8d52121da57c40d Mon Sep 17 00:00:00 2001
From: Eduard Tihomirov
Date: Mon, 28 Oct 2024 09:30:14 +0300
Subject: [PATCH] SUPPORT-8593: Fix
---
 .../esia/service/EsiaAuthService.java | 60 ++++++++++++-------
 1 file changed, 38 insertions(+), 22 deletions(-)
diff --git a/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java b/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java
index 24836cd..736530b 100644
--- a/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java
+++ b/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java
@@ -204,9 +204,9 @@ public class EsiaAuthService {
 throw new RuntimeException(tokenResponse.getError_description());
 }
 String accessToken = tokenResponse.getAccess_token();
- boolean verifyResult = verifyToken(accessToken);
- if (!verifyResult) {
- throw new RuntimeException("Token not valid");
+ String verifyResult = verifyToken(accessToken);
+ if (verifyResult != null) {
+ throw new RuntimeException(verifyResult);
 }
 String refreshToken = tokenResponse.getRefresh_token();
 EsiaAccessToken esiaAccessToken = personalDataService.readToken(accessToken);
@@ -288,9 +288,9 @@ public class EsiaAuthService {
 throw new RuntimeException(tokenResponse.getError_description());
 }
 String accessToken = tokenResponse.getAccess_token();
- boolean verifyResult = verifyToken(accessToken);
- if (!verifyResult) {
- throw new RuntimeException("Token not valid");
+ String verifyResult = verifyToken(accessToken);
+ if (verifyResult != null) {
+ throw new RuntimeException(verifyResult);
 }
 String newRefreshToken = tokenResponse.getRefresh_token();
 EsiaAccessToken esiaAccessToken = personalDataService.readToken(accessToken);
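Review bot: `throw new RuntimeException(verifyResult);` turns the string from verifyToken into the exception message, and in the @@ -398 hunk those strings embed the presented token's sbt, typ and client_id claims and the verify service's 401 response body verbatim, so if this exception surfaces to the HTTP caller or into logs, unverified token content supplied by the requester is echoed back. Keep the detail server-side and throw a fixed message: record verifyResult with the class's logger and then `throw new RuntimeException("Token not valid");`. The same applies to the identical change in the @@ -288 hunk. Using null as the success value is also fragile, because a caller that omits the `!= null` check accepts every token; a result type carrying valid-plus-reason, or an exception thrown from verifyToken itself, would make the contract explicit. The enclosing methods start and end outside both hunks.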
@@ -398,24 +398,42 @@ public class EsiaAuthService {
 return person;
 }
- private boolean verifyToken(String accessToken) {
- EsiaAccessToken esiaAccessToken = personalDataService.readToken(accessToken);
- EsiaHeader esiaHeader = personalDataService.readHeader(accessToken);
- if (!esiaHeader.getSbt().equals("access") || !esiaHeader.getTyp().equals("JWT")) {
- return false;
+ private String verifyToken(String accessToken) {
+ EsiaAccessToken esiaAccessToken = ulDataService.readToken(accessToken);
+ EsiaHeader esiaHeader = ulDataService.readHeader(accessToken);
+ if (!esiaHeader.getSbt().equals("access")) {
+ return "Token invalid. Token sbt: " + esiaHeader.getSbt() + " invalid";
 }
- if (esiaAccessToken.getClient_id().equals(esiaConfig.getClientId()) && esiaAccessToken.getIss().equals(esiaConfig.getEsiaBaseUri())) {
- LocalDateTime iatTime = LocalDateTime.ofInstant(Instant.ofEpochSecond(esiaAccessToken.getIat()), ZoneId.systemDefault());
- LocalDateTime expTime = LocalDateTime.ofInstant(Instant.ofEpochSecond(esiaAccessToken.getExp()), ZoneId.systemDefault());
- LocalDateTime currentTime = LocalDateTime.now();
- if (currentTime.isAfter(iatTime) && expTime.isAfter(iatTime)) {
- return signVerify(accessToken);
+ if (!esiaHeader.getTyp().equals("JWT")) {
+ return "Token invalid. Token type: " + esiaHeader.getTyp() + " invalid";
+ }
+ if (!esiaAccessToken.getClient_id().equals(esiaConfig.getClientId())) {
+ return "Token invalid. Token clientId: " + esiaAccessToken.getClient_id() + " invalid";
+ }
+ if (!esiaAccessToken.getIss().equals(esiaConfig.getEsiaBaseUri())) {
+ return "Token invalid. 
The token publisher does not comply with the standard accepted in the ESIA";
+ }
+ LocalDateTime iatTime = LocalDateTime.ofInstant(Instant.ofEpochSecond(esiaAccessToken.getIat()),
+ ZoneId.systemDefault()
+ );
+ LocalDateTime expTime = LocalDateTime.ofInstant(Instant.ofEpochSecond(esiaAccessToken.getExp()),
+ ZoneId.systemDefault()
+ );
+ LocalDateTime currentTime = LocalDateTime.now();
+ if (!currentTime.isAfter(iatTime) || !expTime.isAfter(iatTime)) {
+ return "Token invalid. Token expired";
+ }
+ HttpResponse response = signVerify(accessToken);
+ if (response.statusCode() != 200) {
+ if (response.statusCode() == 401) {
+ return "Token invalid. " + response.body();
 }
+ return "Error in verify module. Error status " + response.statusCode();
 }
- return false;
+ return null;
 }

- private boolean signVerify(String accessToken) {
+ private HttpResponse signVerify(String accessToken) {
 try {
 HttpRequest request = HttpRequest.newBuilder()
 .uri(URI.create(esiaConfig.getSignVerifyUrl()))
@@ -426,9 +444,7 @@ public class EsiaAuthService {
 .connectTimeout(Duration.ofSeconds(esiaConfig.getConnectionTimeout()))
 .build()
 .send(request, HttpResponse.BodyHandlers.ofString());
- errorHandler(response);
- return true;
-
+ return response;
 } catch (Exception e) {
 throw new RuntimeException(e);
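Review bot: The guard `if (!currentTime.isAfter(iatTime) || !expTime.isAfter(iatTime))` never compares the current time with expTime, so a token whose exp is already in the past still passes this check as long as exp is later than iat; the branch is labelled "Token expired" but cannot detect expiry, and whether the remote signVerify call also checks exp is not visible here. Change it to `if (!currentTime.isAfter(iatTime) || !currentTime.isBefore(expTime)) {` (a small clock-skew leeway may be worth adding, since both sides are wall-clock times in ZoneId.systemDefault()). `HttpResponse response = signVerify(accessToken);` and the new signVerify signature use the raw type; the body is read with BodyHandlers.ofString(), so `HttpResponse<String>` is the accurate declaration. verifyToken now parses the token through ulDataService while both callers in the earlier hunks parse the same string through personalDataService; if those two readers differ in how they decode or validate the JWT, the claims checked here are presumably not the ones the caller consumes, so one reader should be used for both. signVerify continues outside the hunk.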