Add Support GenerateOneTimeTokenRequestResolver

Closes gh-16291

Signed-off-by: Max Batischev <[email protected]>

Author: franticticktick

config/src/main/java/org/springframework/security/config/annotation/web/configurers/ott/OneTimeTokenLoginConfigurer.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -18,13 +18,15 @@
 
 import java.util.Collections;
 import java.util.Map;
+import java.util.Objects;
 
 import jakarta.servlet.http.HttpServletRequest;
 
 import org.springframework.context.ApplicationContext;
 import org.springframework.http.HttpMethod;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.AuthenticationProvider;
+import org.springframework.security.authentication.ott.GenerateOneTimeTokenRequest;
 import org.springframework.security.authentication.ott.InMemoryOneTimeTokenService;
 import org.springframework.security.authentication.ott.OneTimeToken;
 import org.springframework.security.authentication.ott.OneTimeTokenAuthenticationProvider;
@@ -40,7 +42,9 @@
 import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
 import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
 import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
+import org.springframework.security.web.authentication.ott.DefaultGenerateOneTimeTokenRequestResolver;
 import org.springframework.security.web.authentication.ott.GenerateOneTimeTokenFilter;
+import org.springframework.security.web.authentication.ott.GenerateOneTimeTokenRequestResolver;
 import org.springframework.security.web.authentication.ott.OneTimeTokenAuthenticationConverter;
 import org.springframework.security.web.authentication.ott.OneTimeTokenGenerationSuccessHandler;
 import org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter;
@@ -79,6 +83,8 @@ public final class OneTimeTokenLoginConfigurer<H extends HttpSecurityBuilder<H>>
 
 	private AuthenticationProvider authenticationProvider;
 
+	private GenerateOneTimeTokenRequestResolver requestResolver;
+
 	public OneTimeTokenLoginConfigurer(ApplicationContext context) {
 		this.context = context;
 	}
@@ -135,6 +141,7 @@ private void configureOttGenerateFilter(H http) {
 		GenerateOneTimeTokenFilter generateFilter = new GenerateOneTimeTokenFilter(getOneTimeTokenService(http),
 				getOneTimeTokenGenerationSuccessHandler(http));
 		generateFilter.setRequestMatcher(antMatcher(HttpMethod.POST, this.tokenGeneratingUrl));
+		generateFilter.setRequestResolver(getGenerateRequestResolver(http));
 		http.addFilter(postProcess(generateFilter));
 		http.addFilter(DefaultResourcesFilter.css());
 	}
@@ -301,6 +308,28 @@ private AuthenticationFailureHandler getAuthenticationFailureHandler() {
 		return this.authenticationFailureHandler;
 	}
 
+	/**
+	 * Use this {@link GenerateOneTimeTokenRequestResolver} when resolving
+	 * {@link GenerateOneTimeTokenRequest} from {@link HttpServletRequest}. By default,
+	 * the {@link DefaultGenerateOneTimeTokenRequestResolver} is used.
+	 * @param requestResolver the {@link GenerateOneTimeTokenRequestResolver}
+	 * @since 6.5
+	 */
+	public OneTimeTokenLoginConfigurer<H> generateRequestResolver(GenerateOneTimeTokenRequestResolver requestResolver) {
+		Assert.notNull(requestResolver, "requestResolver cannot be null");
+		this.requestResolver = requestResolver;
+		return this;
+	}
+
+	private GenerateOneTimeTokenRequestResolver getGenerateRequestResolver(H http) {
+		if (this.requestResolver != null) {
+			return this.requestResolver;
+		}
+		GenerateOneTimeTokenRequestResolver bean = getBeanOrNull(http, GenerateOneTimeTokenRequestResolver.class);
+		this.requestResolver = Objects.requireNonNullElseGet(bean, DefaultGenerateOneTimeTokenRequestResolver::new);
+		return this.requestResolver;
+	}
+
 	private OneTimeTokenService getOneTimeTokenService(H http) {
 		if (this.oneTimeTokenService != null) {
 			return this.oneTimeTokenService;

config/src/main/kotlin/org/springframework/security/config/annotation/web/OneTimeTokenLoginDsl.kt

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -23,6 +23,7 @@ import org.springframework.security.config.annotation.web.configurers.ott.OneTim
 import org.springframework.security.web.authentication.AuthenticationConverter
 import org.springframework.security.web.authentication.AuthenticationFailureHandler
 import org.springframework.security.web.authentication.AuthenticationSuccessHandler
+import org.springframework.security.web.authentication.ott.GenerateOneTimeTokenRequestResolver
 import org.springframework.security.web.authentication.ott.OneTimeTokenGenerationSuccessHandler
 
 /**
@@ -34,6 +35,7 @@ import org.springframework.security.web.authentication.ott.OneTimeTokenGeneratio
  * @property authenticationConverter Use this [AuthenticationConverter] when converting incoming requests to an authentication
  * @property authenticationFailureHandler the [AuthenticationFailureHandler] to use when authentication
  * @property authenticationSuccessHandler the [AuthenticationSuccessHandler] to be used
+ * @property generateRequestResolver the [GenerateOneTimeTokenRequestResolver] to be used
  * @property defaultSubmitPageUrl sets the URL that the default submit page will be generated
  * @property showDefaultSubmitPage configures whether the default one-time token submit page should be shown
  * @property loginProcessingUrl the URL to process the login request
@@ -47,6 +49,7 @@ class OneTimeTokenLoginDsl {
     var authenticationConverter: AuthenticationConverter? = null
     var authenticationFailureHandler: AuthenticationFailureHandler? = null
     var authenticationSuccessHandler: AuthenticationSuccessHandler? = null
+    var generateRequestResolver: GenerateOneTimeTokenRequestResolver? = null
     var defaultSubmitPageUrl: String? = null
     var loginProcessingUrl: String? = null
     var tokenGeneratingUrl: String? = null
@@ -63,6 +66,11 @@ class OneTimeTokenLoginDsl {
                     authenticationFailureHandler
                 )
             }
+            generateRequestResolver?.also {
+                oneTimeTokenLoginConfigurer.generateRequestResolver(
+                        generateRequestResolver
+                )
+            }
             authenticationSuccessHandler?.also {
                 oneTimeTokenLoginConfigurer.authenticationSuccessHandler(
                     authenticationSuccessHandler

config/src/test/java/org/springframework/security/config/annotation/web/configurers/ott/OneTimeTokenLoginConfigurerTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -17,6 +17,9 @@
 package org.springframework.security.config.annotation.web.configurers.ott;
 
 import java.io.IOException;
+import java.time.Duration;
+import java.time.Instant;
+import java.time.ZoneOffset;
 
 import jakarta.servlet.ServletException;
 import jakarta.servlet.http.HttpServletRequest;
@@ -29,6 +32,7 @@
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Import;
+import org.springframework.security.authentication.ott.GenerateOneTimeTokenRequest;
 import org.springframework.security.authentication.ott.OneTimeToken;
 import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
@@ -40,6 +44,8 @@
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;
+import org.springframework.security.web.authentication.ott.DefaultGenerateOneTimeTokenRequestResolver;
+import org.springframework.security.web.authentication.ott.GenerateOneTimeTokenRequestResolver;
 import org.springframework.security.web.authentication.ott.OneTimeTokenGenerationSuccessHandler;
 import org.springframework.security.web.authentication.ott.RedirectOneTimeTokenGenerationSuccessHandler;
 import org.springframework.security.web.csrf.CsrfToken;
@@ -194,6 +200,55 @@ Please provide it as a bean or pass it to the oneTimeTokenLogin() DSL.
 					""");
 	}
 
+	@Test
+	void oneTimeTokenWhenCustomTokenExpirationTimeSetThenAuthenticate() throws Exception {
+		this.spring.register(OneTimeTokenConfigWithCustomTokenExpirationTime.class).autowire();
+		this.mvc.perform(post("/ott/generate").param("username", "user").with(csrf()))
+			.andExpectAll(status().isFound(), redirectedUrl("/login/ott"));
+
+		OneTimeToken token = TestOneTimeTokenGenerationSuccessHandler.lastToken;
+
+		this.mvc.perform(post("/login/ott").param("token", token.getTokenValue()).with(csrf()))
+			.andExpectAll(status().isFound(), redirectedUrl("/"), authenticated());
+		assertThat(getCurrentMinutes(token.getExpiresAt())).isEqualTo(10);
+	}
+
+	private int getCurrentMinutes(Instant expiresAt) {
+		int expiresMinutes = expiresAt.atZone(ZoneOffset.UTC).getMinute();
+		int currentMinutes = Instant.now().atZone(ZoneOffset.UTC).getMinute();
+		return expiresMinutes - currentMinutes;
+	}
+
+	@Configuration(proxyBeanMethods = false)
+	@EnableWebSecurity
+	@Import(UserDetailsServiceConfig.class)
+	static class OneTimeTokenConfigWithCustomTokenExpirationTime {
+
+		@Bean
+		SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+			// @formatter:off
+			http
+					.authorizeHttpRequests((authz) -> authz
+							.anyRequest().authenticated()
+					)
+					.oneTimeTokenLogin((ott) -> ott
+							.tokenGenerationSuccessHandler(new TestOneTimeTokenGenerationSuccessHandler())
+					);
+			// @formatter:on
+			return http.build();
+		}
+
+		@Bean
+		GenerateOneTimeTokenRequestResolver generateOneTimeTokenRequestResolver() {
+			DefaultGenerateOneTimeTokenRequestResolver delegate = new DefaultGenerateOneTimeTokenRequestResolver();
+			return (request) -> {
+				GenerateOneTimeTokenRequest generate = delegate.resolve(request);
+				return new GenerateOneTimeTokenRequest(generate.getUsername(), Duration.ofSeconds(600));
+			};
+		}
+
+	}
+
 	@Configuration(proxyBeanMethods = false)
 	@EnableWebSecurity
 	@Import(UserDetailsServiceConfig.class)