improving path handling, working on authorization flow

Signed-off-by: Stephan Richter <s.richter@srsoftware.de>

de.srsoftware.oidc.backend/src/main/java/de/srsoftware/oidc/backend/Backend.java

@@ -15,6 +15,8 @@ import java.util.Optional;
 import org.json.JSONObject;
 
 public class Backend extends PathHandler {
+	private static final String CLIENT_ID = "client_id";
+	private static final String REDIRECT_URI = "redirect_uri";
 	private final SessionService sessions;
 	private final UserService    users;
 
@@ -23,57 +25,81 @@ public class Backend extends PathHandler {
 		users    = userService;
 	}
 
-	private void doLogin(HttpExchange ex) throws IOException {
+	private boolean authorize(HttpExchange ex, Session session) throws IOException {
+		var json = json(ex);
+		var clientId = json.getString(CLIENT_ID);
+		var redirect = json.getString(REDIRECT_URI);
+		System.out.println(json);
+		return sendEmptyResponse(HTTP_NOT_FOUND,ex);
+	}
+
+	private boolean doLogin(HttpExchange ex) throws IOException {
 		var body = json(ex);
 
 		var username = body.has(USERNAME) ? body.getString(USERNAME) : null;
 		var password = body.has(PASSWORD) ? body.getString(PASSWORD) : null;
 
 		Optional<User> user = users.load(username, password);
-		if (user.isPresent()) {
-			var session = sessions.createSession(user.get());
-			sendUserAndCookie(ex, session);
-			return;
-		}
-		sendEmptyResponse(HTTP_UNAUTHORIZED, ex);
+		if (user.isPresent()) return sendUserAndCookie(ex, sessions.createSession(user.get()));
+		return sendEmptyResponse(HTTP_UNAUTHORIZED, ex);
 	}
 
 	@Override
-	public void handle(HttpExchange ex) throws IOException {
-		String path   = relativePath(ex);
-		String method = ex.getRequestMethod();
-		System.out.printf("%s %s…", method, path);
-
-		var session = getSession(ex);
-		if ("login".equals(path) && POST.equals(method)) {
-			doLogin(ex);  // TODO: prevent brute force
-			return;
-		}
-		if (session.isEmpty()) {
-			sendEmptyResponse(HTTP_UNAUTHORIZED, ex);
-			System.err.println("unauthorized");
-			return;
-		}
+	public boolean doGet(String path, HttpExchange ex) throws IOException {
+		System.out.printf("GET %s…\n", path);
 		switch (path) {
-			case "user":
-				sendUserAndCookie(ex, session.get());
-				return;
+			case "/openid-configuration":
+				return openidConfig(ex);
+		}
+		return sendEmptyResponse(HTTP_NOT_FOUND, ex);
+	}
+
+	@Override
+	public boolean doPost(String path, HttpExchange ex) throws IOException {
+		System.out.printf("POST %s…\n", path);
+
+		// pre-login paths
+		switch (path) {
+			case "/login":
+				return doLogin(ex);
+		}
+		var optSession = getSession(ex);
+		if (optSession.isEmpty()) return sendEmptyResponse(HTTP_UNAUTHORIZED, ex);
+
+		// post-login paths
+		var session = optSession.get();
+		switch (path) {
+			case "/authorize":
+				return authorize(ex,session);
+			case "/user":
+				return sendUserAndCookie(ex, session);
 		}
 		System.err.println("not implemented");
-		sendEmptyResponse(HTTP_NOT_FOUND, ex);
+		return sendEmptyResponse(HTTP_NOT_FOUND, ex);
 	}
 
 	private Optional<Session> getSession(HttpExchange ex) {
 		return SessionToken.from(ex).map(SessionToken::sessionId).flatMap(sessions::retrieve);
 	}
 
-	private void sendUserAndCookie(HttpExchange ex, Session session) throws IOException {
+	private boolean openidConfig(HttpExchange ex) throws IOException {
+		var        uri	= ex.getRequestURI().toString();
+		JSONObject json = new JSONObject();
+
+		json.put("authorization_endpoint", prefix(ex) + "/web/authorization.html");
+		return sendContent(ex, json);
+	}
+
+
+	private boolean sendUserAndCookie(HttpExchange ex, Session session) throws IOException {
 		var bytes   = new JSONObject(session.user().map(false)).toString().getBytes(UTF_8);
 		var headers = ex.getResponseHeaders();
 
 		headers.add(CONTENT_TYPE, JSON);
 		new SessionToken(session.id()).addTo(headers);
 		ex.sendResponseHeaders(200, bytes.length);
-		ex.getResponseBody().write(bytes);
+		var out = ex.getResponseBody();
+		out.write(bytes);
+		return true;
 	}
 }