[hyperledger#5851] Add error messages on authentication failures with…

… username and password (hyperledger#6212) * Add error messages on authentication failures with username and password Signed-off-by: David Lutzardo <jdlutzardo@izertis.com> * Add a constant for the 'password' Signed-off-by: David Lutzardo <jdlutzardo@izertis.com> * Add test to check empty login and check response in body is not empty Signed-off-by: David Lutzardo <jdlutzardo@izertis.com> * Correct format (spotless) Signed-off-by: David Lutzardo <jdlutzardo@izertis.com> * Update ethereum/api/src/test/java/org/hyperledger/besu/ethereum/api/jsonrpc/JsonRpcHttpServiceLoginTest.java Co-authored-by: Fabio Di Fabio <fabio.difabio@consensys.net> Signed-off-by: David Lutzardo <jdlutzardo@izertis.com> * Update ethereum/api/src/test/java/org/hyperledger/besu/ethereum/api/jsonrpc/JsonRpcHttpServiceLoginTest.java Co-authored-by: Fabio Di Fabio <fabio.difabio@consensys.net> Signed-off-by: David Lutzardo <jdlutzardo@izertis.com> * Update JsonRpcHttpServiceLoginTest.java use containsIgnoringCase Signed-off-by: David Lutzardo <jdlutzardo@izertis.com> * Add a CHANGELOG entry for PR 6212 Signed-off-by: David Lutzardo <jdlutzardo@izertis.com> --------- Signed-off-by: David Lutzardo <jdlutzardo@izertis.com> Co-authored-by: Fabio Di Fabio <fabio.difabio@consensys.net> Signed-off-by: jflo <justin+github@florentine.us>
jflo · Dec 18, 2023 · 9a01128 · 9a01128
1 parent 03e8a9c
commit 9a01128
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 4 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -15,6 +15,7 @@
 - Add `rpc-gas-cap` to allow users to set gas limit to the RPC methods used to simulate transactions[#6156](https://github.com/hyperledger/besu/pull/6156)
 - Fix the unavailability of `address` field when returning an `Account` entity on GraphQL in case of unreachable world state [#6198](https://github.com/hyperledger/besu/pull/6198)
 - Update OpenJ9 Docker image to latest version [#6226](https://github.com/hyperledger/besu/pull/6226)
+- Add error messages on authentication failures with username and password [#6212](https://github.com/hyperledger/besu/pull/6212)
 
 ### Bug fixes
 - Fix Docker image name clash between Besu and evmtool [#6194](https://github.com/hyperledger/besu/pull/6194)

diff --git a/...rg/hyperledger/besu/ethereum/api/jsonrpc/authentication/DefaultAuthenticationService.java b/...rg/hyperledger/besu/ethereum/api/jsonrpc/authentication/DefaultAuthenticationService.java
@@ -46,6 +46,7 @@
 public class DefaultAuthenticationService implements AuthenticationService {
 
   public static final String USERNAME = "username";
+  public static final String PASSWORD = "password";
   private final JWTAuth jwtAuthProvider;
   @VisibleForTesting public final JWTAuthOptions jwtAuthOptions;
   private final Optional<AuthenticationProvider> credentialAuthProvider;
@@ -171,19 +172,21 @@ private void login(
       final RoutingContext routingContext, final AuthenticationProvider credentialAuthProvider) {
     final JsonObject requestBody = routingContext.body().asJsonObject();
 
-    if (requestBody == null) {
+    if (requestBody == null
+        || requestBody.getValue(USERNAME) == null
+        || requestBody.getValue(PASSWORD) == null) {
       routingContext
           .response()
           .setStatusCode(HttpResponseStatus.BAD_REQUEST.code())
           .setStatusMessage(HttpResponseStatus.BAD_REQUEST.reasonPhrase())
-          .end();
+          .end("Authentication failed: username and password are required.");
       return;
     }
 
     // Check user
     final JsonObject authParams = new JsonObject();
     authParams.put(USERNAME, requestBody.getValue(USERNAME));
-    authParams.put("password", requestBody.getValue("password"));
+    authParams.put(PASSWORD, requestBody.getValue(PASSWORD));
     final Credentials credentials = new UsernamePasswordCredentials(authParams);
 
     credentialAuthProvider.authenticate(
@@ -194,7 +197,7 @@ private void login(
                 .response()
                 .setStatusCode(HttpResponseStatus.UNAUTHORIZED.code())
                 .setStatusMessage(HttpResponseStatus.UNAUTHORIZED.reasonPhrase())
-                .end();
+                .end("Authentication failed: the username or password is incorrect.");
           } else {
             final User user = r.result();
 

diff --git a/.../src/test/java/org/hyperledger/besu/ethereum/api/jsonrpc/JsonRpcHttpServiceLoginTest.java b/.../src/test/java/org/hyperledger/besu/ethereum/api/jsonrpc/JsonRpcHttpServiceLoginTest.java
@@ -203,6 +203,18 @@ public static void shutdownServer() {
     service.stop().join();
   }
 
+  @Test
+  public void loginWithEmptyCredentials() throws IOException {
+    final RequestBody body = RequestBody.create("{}", JSON);
+    final Request request = new Request.Builder().post(body).url(baseUrl + "/login").build();
+    try (final Response resp = client.newCall(request).execute()) {
+      assertThat(resp.code()).isEqualTo(400);
+      assertThat(resp.message()).isEqualTo("Bad Request");
+      final String bodyString = resp.body().string();
+      assertThat(bodyString).containsIgnoringCase("username and password are required");
+    }
+  }
+
   @Test
   public void loginWithBadCredentials() throws IOException {
     final RequestBody body =
@@ -211,6 +223,8 @@ public void loginWithBadCredentials() throws IOException {
     try (final Response resp = client.newCall(request).execute()) {
       assertThat(resp.code()).isEqualTo(401);
       assertThat(resp.message()).isEqualTo("Unauthorized");
+      final String bodyString = resp.body().string();
+      assertThat(bodyString).containsIgnoringCase("the username or password is incorrect");
     }
   }