From 3ea1e01a1aa051f7ce250f1da44d9f1f3bc655b4 Mon Sep 17 00:00:00 2001
From: "adel.ka"
Date: Fri, 28 Nov 2025 14:20:59 +0300
Subject: [PATCH 1/3] =?UTF-8?q?SUPPORT-9605:=20=D1=83=D0=B1=D1=80=D0=B0?=
 =?UTF-8?q?=D0=BB=20=D1=81=D0=BE=D0=B7=D0=B4=D0=B0=D0=BD=D0=B8=D0=B5=20?=
 =?UTF-8?q?=D1=82=D0=BE=D0=BA=D0=B5=D0=BD=D0=B0=20=D1=81=20finally?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../micord/ervu/security/esia/service/EsiaAuthService.java | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java b/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java
index 9db721d2..a70c5ba5 100644
--- a/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java
+++ b/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java
@@ -280,7 +280,7 @@ public class EsiaAuthService {
 Thread.currentThread().getId(), timeSignSecret, timeRequestAccessToken, timeVerifySecret);
 }
 OrgInfo orgInfo = null;
- String status = null, ervuId = null;
+ String status = null;
 try {
 orgInfo = getOrgInfo(esiaAccessTokenStr);
 hasRole = ulDataService.checkRole(esiaAccessTokenStr);
@@ -289,8 +289,9 @@ public class EsiaAuthService {
 LOGGER.error("The user with id = " + prnOid + " does not have the required role");
 throw new LocalizedException("access_denied", MESSAGE_SOURCE);
 }
- ervuId = getErvuId(prnOid, orgInfo);
+ String ervuId = getErvuId(prnOid, orgInfo);
 status = AuditConstants.SUCCESS_STATUS_TYPE;
+ createTokenAndAddCookie(response, prnOid, ervuId, hasRole, fileUploadAllowed, expiresIn);
 }
 catch (JsonProcessingException e) {
 throw new EsiaException(e);
@@ -303,7 +304,6 @@ public class EsiaAuthService {
 auditService.processAuthEvent(request, orgInfo, prnOid, status, AuditConstants.LOGIN_EVENT_TYPE);
 }
- createTokenAndAddCookie(response, prnOid, ervuId, hasRole, fileUploadAllowed, expiresIn);
 }
 }
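Review bot: In the second hunk `status = AuditConstants.SUCCESS_STATUS_TYPE;` is assigned before `createTokenAndAddCookie(...)` is called, so if signing the token or writing the cookie throws, the `processAuthEvent` call visible in the third hunk (which looks like it runs from a `finally`) audits a successful login for a user who never received a session. Swap the two lines so success is recorded only once the cookie is out: `createTokenAndAddCookie(response, prnOid, ervuId, hasRole, fileUploadAllowed, expiresIn);` followed by `status = AuditConstants.SUCCESS_STATUS_TYPE;`. The `catch` blocks between the second and third hunk are outside this view, so whether a failure there is rethrown or only audited cannot be confirmed here; the enclosing method also starts outside the hunk.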
From a9ae8d1b377d263e61be09a951ceda83ed7b98d8 Mon Sep 17 00:00:00 2001
From: "adel.ka"
Date: Fri, 28 Nov 2025 14:25:01 +0300
Subject: [PATCH 2/3] SUPPORT-9605: uuid validation

---
 .../ervu/security/esia/service/EsiaAuthService.java | 6 +++---
 .../main/java/ru/micord/ervu/util/StringUtils.java | 13 +++++++++++++
 2 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java b/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java
index a70c5ba5..3b36a016 100644
--- a/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java
+++ b/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java
@@ -45,7 +45,6 @@ import ru.micord.ervu.security.esia.EsiaAuthInfoStore;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.security.core.context.SecurityContext;
-import org.springframework.util.StringUtils;
 import ru.micord.ervu.security.esia.config.EsiaConfig;
 import org.springframework.beans.factory.annotation.Value;
 import ru.micord.ervu.kafka.model.Brhs;
@@ -63,6 +62,7 @@ import ru.micord.ervu.security.webbpm.jwt.helper.SecurityHelper;
 import ru.micord.ervu.security.webbpm.jwt.service.JwtTokenService;
 import ru.micord.ervu.security.webbpm.jwt.model.Token;
 import ru.micord.ervu.service.UploadAccessService;
+import ru.micord.ervu.util.StringUtils;
 import ru.cg.webbpm.modules.core.runtime.api.LocalizedException;
 import ru.cg.webbpm.modules.core.runtime.api.MessageBundleUtils;
@@ -470,8 +470,8 @@ public class EsiaAuthService {
 );
 ErvuOrgResponse ervuOrgResponse = objectMapper.readValue(kafkaResponse, ErvuOrgResponse.class);
 String ervuId = ervuOrgResponse.getData().getErvuId();
- if (!StringUtils.hasText(ervuId)) {
- throw new EsiaException("No ervuId for prnOid = " + prnOid);
+ if (!StringUtils.isValidUUID(ervuId)) {
+ throw new EsiaException("No valid ervuId for prnOid = " + prnOid);
 }
 return ervuId;
 }
diff --git a/backend/src/main/java/ru/micord/ervu/util/StringUtils.java b/backend/src/main/java/ru/micord/ervu/util/StringUtils.java
index 0fdfaff0..ece65d52 100644
--- a/backend/src/main/java/ru/micord/ervu/util/StringUtils.java
+++ b/backend/src/main/java/ru/micord/ervu/util/StringUtils.java
@@ -1,10 +1,16 @@
 package ru.micord.ervu.util;
+
+import java.util.regex.Pattern;
+
 import static org.apache.commons.lang3.StringUtils.capitalize;
 import static org.apache.commons.lang3.StringUtils.substring;
 public final class StringUtils {
+ private static final Pattern UUID_PATTERN = Pattern.compile(
+ "^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$"
+ );
 private StringUtils() { }
@@ -18,4 +24,11 @@ public final class StringUtils {
 middleNameInitial
 );
 }
+
+ public static boolean isValidUUID(String uuid) {
+ if (uuid == null) {
+ return false;
+ }
+ return UUID_PATTERN.matcher(uuid).matches();
+ }
 }
From ccbb887486f44d5ce7f63021130ecb08fb4ea4bf Mon Sep 17 00:00:00 2001
From: "adel.ka"
Date: Fri, 28 Nov 2025 15:10:28 +0300
Subject: [PATCH 3/3] SUPPORT-9605: optimization

---
 .../micord/ervu/security/esia/service/EsiaAuthService.java | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java b/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java
index 3b36a016..5d657bb3 100644
--- a/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java
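Review bot: `ervuOrgResponse.getData().getErvuId()` on the line just above the new check still dereferences `getData()` unguarded, so a Kafka reply that carries no `data` element fails with a NullPointerException rather than the `EsiaException` the stricter validation is meant to produce. Making the lookup null-safe keeps every bad reply on the same path, since `isValidUUID` already rejects null: `String ervuId = ervuOrgResponse.getData() == null ? null : ervuOrgResponse.getData().getErvuId();`. Whether `getData()` can actually be null depends on how `ErvuOrgResponse` is deserialized, which is not visible here. The enclosing method `getErvuId` starts outside the hunk.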
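Review bot: `isValidUUID` is a public helper that now gates an identifier handed to `createTokenAndAddCookie`, yet it carries no Javadoc saying what it accepts. The regex is deliberately stricter than `java.util.UUID.fromString`, which also accepts non-canonical input such as `1-1-1-1-1`, and that difference is worth stating so nobody later "simplifies" the method to a `fromString` call. Suggested Javadoc: `/** Returns true only for the canonical 8-4-4-4-12 hexadecimal UUID form (either case); null and the non-canonical forms that UUID.fromString tolerates return false. */`.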
+++ b/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java
@@ -191,6 +191,7 @@ public class EsiaAuthService {
 public void authEsiaTokensByCode(String esiaAuthCode, String state, HttpServletResponse response, HttpServletRequest request) {
 String esiaAccessTokenStr = null;
+ String esiaRefreshTokenStr = null;
 String prnOid = null;
 Long expiresIn = null;
 boolean hasRole = false;
@@ -259,7 +260,7 @@ public class EsiaAuthService {
 throw new EsiaException("Token invalid. State from request not equals with state from response.");
 }
 esiaAccessTokenStr = tokenResponse.getAccessToken();
- String esiaRefreshTokenStr = tokenResponse.getRefreshToken();
+ esiaRefreshTokenStr = tokenResponse.getRefreshToken();
 startTime = System.currentTimeMillis();
 String verifyResult = verifyToken(esiaAccessTokenStr);
 timeVerifySecret = System.currentTimeMillis() - startTime;
@@ -269,8 +270,6 @@ public class EsiaAuthService {
 EsiaAccessToken esiaAccessToken = ulDataService.readToken(esiaAccessTokenStr);
 prnOid = esiaAccessToken.getSbjId();
 expiresIn = tokenResponse.getExpiresIn();
- EsiaAuthInfoStore.addAccessToken(prnOid, esiaAccessTokenStr, expiresIn);
- EsiaAuthInfoStore.addRefreshToken(prnOid, esiaRefreshTokenStr, expiresIn);
 }
 catch (Exception e) {
 throw new EsiaException(e);
@@ -291,6 +290,8 @@ public class EsiaAuthService {
 }
 String ervuId = getErvuId(prnOid, orgInfo);
 status = AuditConstants.SUCCESS_STATUS_TYPE;
+ EsiaAuthInfoStore.addAccessToken(prnOid, esiaAccessTokenStr, expiresIn);
+ EsiaAuthInfoStore.addRefreshToken(prnOid, esiaRefreshTokenStr, expiresIn);
 createTokenAndAddCookie(response, prnOid, ervuId, hasRole, fileUploadAllowed, expiresIn);
 }
 catch (JsonProcessingException e) {
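Review bot: In the last hunk the ESIA access and refresh tokens are written into the static `EsiaAuthInfoStore` before `createTokenAndAddCookie(...)` runs, so if signing or setting the session cookie throws, the store keeps live ESIA tokens for `prnOid` even though no session was issued; the same applies to `status = AuditConstants.SUCCESS_STATUS_TYPE;` on the line above, which would audit the attempt as a success. Unless `createTokenAndAddCookie` reads the store (its argument list does not suggest it does), moving the two `add*Token` calls and the status assignment below it confines both side effects to a completed login. Separately, `addRefreshToken` is handed the access token's `expiresIn`; if the store evicts on that TTL the refresh token disappears exactly when it would first be needed, which is worth checking against `EsiaAuthInfoStore`. The surrounding `try`/`catch` chain starts and ends outside the hunk.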