update

build/docker/Dockerfile

@@ -1,4 +1,4 @@
-ARG BASE_IMAGE=${BASE_IMAGE:-registry.access.redhat.com/ubi8/openjdk-17-runtime:1.18-2.1705573231}
+ARG BASE_IMAGE=${BASE_IMAGE:-registry.access.redhat.com/ubi8/openjdk-17-runtime:1.19-4}
 FROM ${BASE_IMAGE}
 
 LABEL base-image=${BASE_IMAGE}

client/package.json

@@ -10,26 +10,26 @@
     "preview": "vite preview"
   },
   "dependencies": {
-    "axios": "^1.6.5",
+    "axios": "^1.6.8",
     "classnames": "^2.5.1",
     "is-mobile": "^4.0.0",
     "qrcode": "^1.5.3",
-    "react": "^18.2.0",
-    "react-dom": "^18.2.0",
+    "react": "^18.3.1",
+    "react-dom": "^18.3.1",
     "react-markdown": "^9.0.1",
-    "react-router-dom": "^6.21.2",
+    "react-router-dom": "^6.23.0",
     "remark-gfm": "^4.0.0"
   },
   "devDependencies": {
-    "@types/react": "^18.2.43",
-    "@types/react-dom": "^18.2.17",
+    "@types/react": "^18.3.1",
+    "@types/react-dom": "^18.3.0",
     "@vitejs/plugin-basic-ssl": "^1.0.2",
     "@vitejs/plugin-react": "^4.2.1",
-    "eslint": "^8.55.0",
-    "eslint-plugin-react": "^7.33.2",
-    "eslint-plugin-react-hooks": "^4.6.0",
-    "eslint-plugin-react-refresh": "^0.4.5",
-    "vite": "^5.0.8"
+    "eslint": "^8.57.0",
+    "eslint-plugin-react": "^7.34.1",
+    "eslint-plugin-react-hooks": "^4.6.2",
+    "eslint-plugin-react-refresh": "^0.4.6",
+    "vite": "^5.2.11"
   },
   "overrides": {
     "qrcode": {

client/src/pages/OpenMobileApp/OpenMobileApp.jsx

@@ -161,6 +161,7 @@ const OpenMobileApp = () => {
           {openBankIDUrl && (
             <a
               href={openBankIDUrl}
+              referrerPolicy="origin"
               className='button secondary guide-button'
             >
               {translate('open-bankid-app')}

pom.xml

@@ -46,69 +46,67 @@
         <!-- https://mvnrepository.com/artifact/org.apache.maven.plugins/maven-clean-plugin -->
         <version.maven.clean.plugin>3.3.2</version.maven.clean.plugin>
         <!-- https://mvnrepository.com/artifact/org.apache.maven.plugins/maven-deploy-plugin -->
-        <version.maven.deploy.plugin>3.1.1</version.maven.deploy.plugin>
+        <version.maven.deploy.plugin>3.1.2</version.maven.deploy.plugin>
         <!-- https://mvnrepository.com/artifact/org.apache.maven.plugins/maven-assembly-plugin -->
-        <version.maven.assembly.plugin>3.6.0</version.maven.assembly.plugin>
+        <version.maven.assembly.plugin>3.7.1</version.maven.assembly.plugin>
         <!-- https://mvnrepository.com/artifact/org.apache.maven.plugins/maven-dependency-plugin -->
         <version.maven.dependency.plugin>3.6.1</version.maven.dependency.plugin>
         <!-- https://mvnrepository.com/artifact/org.apache.maven.plugins/maven-war-plugin -->
         <version.maven.war.plugin>3.4.0</version.maven.war.plugin>
         <!-- https://mvnrepository.com/artifact/org.apache.maven.plugins/maven-resources-plugin -->
         <version.maven.resources.plugin>3.3.1</version.maven.resources.plugin>
         <!-- https://mvnrepository.com/artifact/org.apache.maven.plugins/maven-compiler-plugin -->
-        <version.maven.compiler.plugin>3.12.1</version.maven.compiler.plugin>
+        <version.maven.compiler.plugin>3.13.0</version.maven.compiler.plugin>
         <!-- https://mvnrepository.com/artifact/org.apache.maven.plugins/maven-toolchains-plugin -->
-        <version.maven.toolchain.plugin>3.1.0</version.maven.toolchain.plugin>
+        <version.maven.toolchain.plugin>3.2.0</version.maven.toolchain.plugin>
         <!-- https://mvnrepository.com/artifact/com.github.eirslett/frontend-maven-plugin -->
         <version.maven.frontend.plugin>1.15.0</version.maven.frontend.plugin>
         <!-- https://mvnrepository.com/artifact/org.apache.maven.plugins/maven-jar-plugin -->
-        <version.org.apache.plugins.maven-jar-plugin>3.3.0</version.org.apache.plugins.maven-jar-plugin>
+        <version.org.apache.plugins.maven-jar-plugin>3.4.1</version.org.apache.plugins.maven-jar-plugin>
         <!-- https://mvnrepository.com/artifact/org.apache.maven.plugins/maven-enforcer-plugin -->
         <version.org.apache.maven.plugins.maven-enforcer-plugin>3.4.1</version.org.apache.maven.plugins.maven-enforcer-plugin>
         <!-- https://mvnrepository.com/artifact/org.codehaus.mojo/flatten-maven-plugin -->
         <version.org.codehaus.mojo.flatten-maven-plugin>1.6.0</version.org.codehaus.mojo.flatten-maven-plugin>
 
         <!-- Versions of 3rd party packages -->
         <!-- https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-dependencies -->
-        <version.org.springframework.boot>3.2.2</version.org.springframework.boot>
+        <version.org.springframework.boot>3.2.5</version.org.springframework.boot>
         <!-- https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-maven-plugin -->
-        <version.org.springframework.maven.plugin>3.2.2</version.org.springframework.maven.plugin>
+        <version.org.springframework.maven.plugin>3.2.5</version.org.springframework.maven.plugin>
         <!-- https://mvnrepository.com/artifact/org.owasp.encoder/encoder -->
         <version.org.owasp.encoder>1.2.3</version.org.owasp.encoder>
         <!-- https://mvnrepository.com/artifact/net.logstash.logback/logstash-logback-encoder -->
         <version.net.logstash.logback.logstash-logback-encoder>7.4</version.net.logstash.logback.logstash-logback-encoder>
         <!-- https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk18on -->
-        <version.bouncycastle.jdk18>1.77</version.bouncycastle.jdk18>
+        <version.bouncycastle.jdk18>1.78.1</version.bouncycastle.jdk18>
         <!-- https://mvnrepository.com/artifact/com.fasterxml.jackson/jackson-bom -->
-        <jackson-bom.version>2.16.1</jackson-bom.version>
-        <!-- https://mvnrepository.com/artifact/com.jayway.jsonpath/json-path -->
-        <json-path.version>2.9.0</json-path.version>
+        <jackson-bom.version>2.16.2</jackson-bom.version>
 
         <!-- Version of testing plugins to use -->
         <!-- https://mvnrepository.com/artifact/org.apache.maven.plugins/maven-surefire-plugin -->
         <version.surefire.plugin>3.2.5</version.surefire.plugin>
         <!-- https://mvnrepository.com/artifact/org.jacoco/jacoco-maven-plugin -->
-        <version.jacoco.plugin>0.8.11</version.jacoco.plugin>
+        <version.jacoco.plugin>0.8.12</version.jacoco.plugin>
         <!-- https://mvnrepository.com/artifact/org.mockito/mockito-inline -->
         <version.org.mockito.mockito>5.2.0</version.org.mockito.mockito>
         <!-- https://mvnrepository.com/artifact/org.mockito/mockito-junit-jupiter -->
-        <version.org.mockito.junit>5.10.0</version.org.mockito.junit>
+        <version.org.mockito.junit>5.11.0</version.org.mockito.junit>
 
         <!-- Version of code analysis plugins to use -->
         <!-- https://mvnrepository.com/artifact/com.github.spotbugs/spotbugs-maven-plugin -->
-        <version.spotbugs.plugin>4.8.3.0</version.spotbugs.plugin>
+        <version.spotbugs.plugin>4.8.4.0</version.spotbugs.plugin>
         <!-- https://mvnrepository.com/artifact/com.h3xstream.findsecbugs/findsecbugs-plugin -->
-        <version.com.h3xstream.findsecbugs.findsecbugs-plugin>1.12.0</version.com.h3xstream.findsecbugs.findsecbugs-plugin>
+        <version.com.h3xstream.findsecbugs.findsecbugs-plugin>1.13.0</version.com.h3xstream.findsecbugs.findsecbugs-plugin>
         <!-- https://mvnrepository.com/artifact/com.puppycrawl.tools/checkstyle -->
-        <version.com.puppycrawl.tools.checkstyle>10.13.0</version.com.puppycrawl.tools.checkstyle>
+        <version.com.puppycrawl.tools.checkstyle>10.16.0</version.com.puppycrawl.tools.checkstyle>
         <!-- https://mvnrepository.com/artifact/org.apache.maven.plugins/maven-checkstyle-plugin -->
         <version.checkstyle.plugin>3.3.1</version.checkstyle.plugin>
         <!-- https://mvnrepository.com/artifact/org.apache.maven.plugins/maven-pmd-plugin -->
-        <version.pmd.plugin>3.21.2</version.pmd.plugin>
+        <version.pmd.plugin>3.22.0</version.pmd.plugin>
         <!-- https://mvnrepository.com/artifact/org.apache.maven.plugins/maven-jxr-plugin -->
         <version.jxr.plugin>3.3.2</version.jxr.plugin>
         <!-- https://mvnrepository.com/artifact/com.github.spotbugs/spotbugs-annotations -->
-        <version.com.github.spotbugs.annotations>4.8.3</version.com.github.spotbugs.annotations>
+        <version.com.github.spotbugs.annotations>4.8.4</version.com.github.spotbugs.annotations>
 
         <!-- The Node.js version to download -->
         <version.node.js>v20.11.0</version.node.js>

server/pom.xml

@@ -30,11 +30,6 @@
 
     <dependencyManagement>
         <dependencies>
-            <dependency>
-                <groupId>com.jayway.jsonpath</groupId>
-                <artifactId>json-path</artifactId>
-                <version>${json-path.version}</version>
-            </dependency>
             <dependency>
                 <groupId>com.fasterxml.jackson</groupId>
                 <artifactId>jackson-bom</artifactId>

server/src/main/java/com/bankid/codefront/CodeFrontApplication.java

@@ -33,6 +33,7 @@ OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 
 package com.bankid.codefront;
 
+import com.bankid.codefront.config.AppConfig;
 import com.bankid.codefront.config.BankIDRelyingPartyConfig;
 import com.bankid.codefront.config.HeadersConfig;
 import org.springframework.boot.SpringApplication;
@@ -48,7 +49,7 @@ OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
  * The starting point for our application.
  */
 @SpringBootApplication(exclude = {UserDetailsServiceAutoConfiguration.class})
-@EnableConfigurationProperties({BankIDRelyingPartyConfig.class, HeadersConfig.class})
+@EnableConfigurationProperties({AppConfig.class, BankIDRelyingPartyConfig.class, HeadersConfig.class})
 @SuppressWarnings({"FinalClass", "HideUtilityClassConstructor"})
 public class CodeFrontApplication {
 

server/src/main/java/com/bankid/codefront/bankid/relyingparty/RpApi.java

@@ -42,7 +42,9 @@ OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 import com.bankid.codefront.models.bankid.relyingparty.StartSignatureRequest;
 import com.bankid.codefront.models.bankid.relyingparty.StartTransactionResponse;
 import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.MapperFeature;
 import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.json.JsonMapper;
 import org.owasp.encoder.Encode;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -286,7 +288,9 @@ public CollectResponse collect(String orderRef) {
 
         try {
             CollectRequest request = new CollectRequest(orderRef);
-            ObjectMapper mapper = new ObjectMapper();
+            ObjectMapper mapper = JsonMapper.builder()
+                .enable(MapperFeature.ACCEPT_CASE_INSENSITIVE_ENUMS)
+                .build();
             String jsonRequest = mapper.writeValueAsString(request);
 
             long startTime = System.currentTimeMillis();

server/src/main/java/com/bankid/codefront/config/AppConfig.java

@@ -0,0 +1,61 @@
+/*
+BSD 3-Clause License
+
+Copyright (c) 2022, Finansiell ID-Teknik BID AB
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice, this
+   list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright notice,
+   this list of conditions and the following disclaimer in the documentation
+   and/or other materials provided with the distribution.
+
+3. Neither the name of the copyright holder nor the names of its
+   contributors may be used to endorse or promote products derived from
+   this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+*/
+
+package com.bankid.codefront.config;
+
+import org.springframework.boot.context.properties.ConfigurationProperties;
+
+/**
+ * Represents the general configuration settings.
+ */
+@ConfigurationProperties("app.bankid")
+public class AppConfig {
+
+    private String domain;
+
+    /**
+     * Set the page domain.
+     * @param domain of the page.
+     */
+    public void setDomain(String domain) {
+        this.domain = domain;
+    }
+
+    /**
+     * Returns the domain.
+     * @return the domain.
+     */
+    public String getDomain() {
+        return this.domain;
+    }
+}

server/src/main/java/com/bankid/codefront/models/bankid/relyingparty/AdditionalWebData.java

@@ -0,0 +1,126 @@
+/*
+BSD 3-Clause License
+
+Copyright (c) 2022, Finansiell ID-Teknik BID AB
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice, this
+   list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright notice,
+   this list of conditions and the following disclaimer in the documentation
+   and/or other materials provided with the distribution.
+
+3. Neither the name of the copyright holder nor the names of its
+   contributors may be used to endorse or promote products derived from
+   this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+*/
+
+package com.bankid.codefront.models.bankid.relyingparty;
+
+import com.fasterxml.jackson.annotation.JsonInclude;
+
+/**
+ * Represents additional web page data from relying party.
+ */
+@JsonInclude(JsonInclude.Include.NON_NULL)
+public class AdditionalWebData {
+    private static final int REFERRING_DOMAIN_MIN_LENGTH = 3;
+    private static final int USER_AGENT_MAX_LENGTH = 256;
+    private static final int DEVICE_IDENTIFIER_MAX_LENGTH = 64;
+
+    /**
+     * The domain that start the BankID app.
+     *
+     * <p>Example: www.testbank.bankid.com</p>
+     *
+     * <p>String. 3 - 253 characters</p>
+     */
+    private final String referringDomain;
+    /**
+     * The user agent of the RP web page.
+     * String. 1 - 256 characters
+     */
+    private final String userAgent;
+    /**
+     * The identifier of the device running the RP client. Use a web cookie or a hash of it.
+     * String. 1 - 64 characters
+     */
+    private final String deviceIdentifier;
+
+    /**
+     * Initialize the object.
+     *
+     * @param referringDomain - The domain that start the BankID app.
+     * @param userAgent - The user agent of the RP web page.
+     * @param deviceIdentifier - The identifier of the device running the RP client.
+     */
+    public AdditionalWebData(String referringDomain, String userAgent, String deviceIdentifier) {
+        if (referringDomain == null || referringDomain.length() < REFERRING_DOMAIN_MIN_LENGTH) {
+            throw new IllegalArgumentException(
+                "referringDomain cannot be null or smaller than " + REFERRING_DOMAIN_MIN_LENGTH
+            );
+        }
+        if (userAgent == null || userAgent.isBlank()) {
+            throw new IllegalArgumentException("userAgent cannot be null or empty");
+        }
+        if (deviceIdentifier == null || deviceIdentifier.isBlank()) {
+            throw new IllegalArgumentException("deviceIdentifier cannot be null or empty");
+        }
+
+        this.referringDomain = referringDomain;
+
+        // Trim user agent
+        if (userAgent.length() > USER_AGENT_MAX_LENGTH) {
+            userAgent = userAgent.substring(0, USER_AGENT_MAX_LENGTH);
+        }
+
+        this.userAgent = userAgent;
+
+        // Trim device identifier
+        if (deviceIdentifier.length() > DEVICE_IDENTIFIER_MAX_LENGTH) {
+            deviceIdentifier = deviceIdentifier.substring(0, DEVICE_IDENTIFIER_MAX_LENGTH);
+        }
+
+        this.deviceIdentifier = deviceIdentifier;
+    }
+
+    /**
+     * Returns the referring domain.
+     * @return the referring domain.
+     */
+    public String getReferringDomain() {
+        return this.referringDomain;
+    }
+
+    /**
+     * Returns the user agent.
+     * @return the user agent.
+     */
+    public String getUserAgent() {
+        return this.userAgent;
+    }
+
+    /**
+     * Returns the device identifier.
+     * @return the device identifier.
+     */
+    public String getDeviceIdentifier() {
+        return this.deviceIdentifier;
+    }
+}