From 21edd41975ad43f0dd32fc3f1717c28ad381bb70 Mon Sep 17 00:00:00 2001
From: Bob Hageman <bob@schluss.org>
Date: Wed, 23 Aug 2023 15:29:46 +0200
Subject: [PATCH 01/22] feat: enable auto update build config vs code

---
 .vscode/settings.json | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 .vscode/settings.json

diff --git a/.vscode/settings.json b/.vscode/settings.json
new file mode 100644
index 0000000..d53ecaf
--- /dev/null
+++ b/.vscode/settings.json
@@ -0,0 +1,4 @@
+{
+    "java.compile.nullAnalysis.mode": "automatic",
+    "java.configuration.updateBuildConfiguration": "automatic"
+}
\ No newline at end of file

From 7a4237987363e6c918c589296aecb8a03baf39c0 Mon Sep 17 00:00:00 2001
From: Bob Hageman <bob@schluss.org>
Date: Thu, 24 Aug 2023 10:55:43 +0200
Subject: [PATCH 02/22] refactor: update gradle and dependencies, merge
 irma_server_common into codebase

---
 build.gradle                                  |  36 +-
 gradle/wrapper/gradle-wrapper.properties      |   3 +-
 .../privacybydesign/email/Client.java         |   2 -
 .../email/EmailConfiguration.java             |   4 +-
 .../privacybydesign/email/EmailProvider.java  |   4 +-
 .../privacybydesign/email/EmailRestApi.java   |  11 +-
 .../privacybydesign/email/EmailSender.java    |   5 +-
 .../privacybydesign/email/EmailService.java   |   2 +-
 .../privacybydesign/email/EmailTokens.java    | 138 ++++++++
 .../email/common/BaseConfiguration.java       | 317 ++++++++++++++++++
 src/main/resources/jetty-env.xml              |   1 +
 .../email/EmailTokensTest.java                |  71 ++++
 12 files changed, 560 insertions(+), 34 deletions(-)
 create mode 100644 src/main/java/foundation/privacybydesign/email/EmailTokens.java
 create mode 100644 src/main/java/foundation/privacybydesign/email/common/BaseConfiguration.java
 create mode 100644 src/test/java/foundation/privacybydesign/email/EmailTokensTest.java

diff --git a/build.gradle b/build.gradle
index 48b6048..227067e 100644
--- a/build.gradle
+++ b/build.gradle
@@ -2,9 +2,9 @@ group 'foundation.privacybydesign.email'
 version '1.1.0'
 
 apply plugin: 'war'
-apply plugin: 'org.akhikhl.gretty'
+apply plugin: 'org.gretty'
 
-sourceCompatibility = 1.7
+sourceCompatibility = 11
 
 buildscript {
     repositories {
@@ -13,12 +13,11 @@ buildscript {
         }
     }
     dependencies {
-        classpath "gradle.plugin.org.akhikhl.gretty:gretty:1.4.2"
+        classpath "org.gretty:gretty:4.0.3"
     }
 }
 
 repositories {
-    mavenLocal()
     maven {
         url "https://credentials.github.io/repos/maven2/"
     }
@@ -26,19 +25,26 @@ repositories {
 }
 
 dependencies {
-    compile 'org.glassfish.jersey.core:jersey-server:2.25'
-    compile 'org.glassfish.jersey.containers:jersey-container-servlet:2.25'
-    compile 'ch.qos.logback:logback-classic:1.1.7'
-    compile 'com.sun.mail:javax.mail:1.5.6'
-
-    compile 'org.irmacard.api:irma_api_common:1.2.2'
-    compile 'foundation.privacybydesign.common:irma_server_common:0.3.2'
-
-    testCompile group: 'junit', name: 'junit', version: '4.12'
+    implementation 'org.glassfish.jersey.core:jersey-server:3.0.0'
+    implementation 'org.glassfish.jersey.containers:jersey-container-servlet:3.0.0'
+    implementation 'org.glassfish.jersey.inject:jersey-hk2:3.0.0'
+    implementation 'ch.qos.logback:logback-classic:1.1.7'
+    implementation 'jakarta.mail:jakarta.mail-api:2.1.2'
+
+    implementation 'jakarta.ws.rs:jakarta.ws.rs-api:3.1.0'
+    
+    implementation 'io.jsonwebtoken:jjwt:0.9.1'
+    implementation 'com.google.code.gson:gson:2.8.9'
+    implementation 'org.apache.commons:commons-lang3:3.7'
+    implementation 'org.bouncycastle:bcpkix-jdk15on:1.70'
+    implementation 'org.bouncycastle:bcprov-jdk15on:1.67'
+    implementation 'jakarta.xml.bind:jakarta.xml.bind-api:3.0.1'
+    
+    implementation 'org.irmacard.api:irma_api_common:2.0.0'
+
+    testImplementation group: 'junit', name: 'junit', version: '4.13.1'
 }
 
 gretty {
     contextConfigFile = file('src/main/resources/jetty-env.xml')
-    scanInterval = 10
-    inplaceMode = "hard"
 }
diff --git a/gradle/wrapper/gradle-wrapper.properties b/gradle/wrapper/gradle-wrapper.properties
index 53b9e38..5083229 100644
--- a/gradle/wrapper/gradle-wrapper.properties
+++ b/gradle/wrapper/gradle-wrapper.properties
@@ -1,5 +1,6 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-6.9.4-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-7.6.1-bin.zip
+networkTimeout=10000
 zipStoreBase=GRADLE_USER_HOME
 zipStorePath=wrapper/dists
diff --git a/src/main/java/foundation/privacybydesign/email/Client.java b/src/main/java/foundation/privacybydesign/email/Client.java
index 4050174..4f805b2 100644
--- a/src/main/java/foundation/privacybydesign/email/Client.java
+++ b/src/main/java/foundation/privacybydesign/email/Client.java
@@ -2,8 +2,6 @@
 
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-
-import java.io.IOException;
 import java.util.HashMap;
 
 public class Client {
diff --git a/src/main/java/foundation/privacybydesign/email/EmailConfiguration.java b/src/main/java/foundation/privacybydesign/email/EmailConfiguration.java
index 6384327..94519f5 100644
--- a/src/main/java/foundation/privacybydesign/email/EmailConfiguration.java
+++ b/src/main/java/foundation/privacybydesign/email/EmailConfiguration.java
@@ -1,6 +1,6 @@
 package foundation.privacybydesign.email;
 
-import foundation.privacybydesign.common.BaseConfiguration;
+import foundation.privacybydesign.email.common.BaseConfiguration;
 import io.jsonwebtoken.SignatureAlgorithm;
 import org.irmacard.api.common.util.GsonUtil;
 import org.slf4j.Logger;
@@ -12,7 +12,7 @@
 import java.util.HashMap;
 import java.util.Map;
 
-public class EmailConfiguration extends BaseConfiguration {
+public class EmailConfiguration extends BaseConfiguration<EmailConfiguration> {
     private static Logger logger = LoggerFactory.getLogger(Client.class);
 
     static EmailConfiguration instance;
diff --git a/src/main/java/foundation/privacybydesign/email/EmailProvider.java b/src/main/java/foundation/privacybydesign/email/EmailProvider.java
index 447ddfd..e478696 100644
--- a/src/main/java/foundation/privacybydesign/email/EmailProvider.java
+++ b/src/main/java/foundation/privacybydesign/email/EmailProvider.java
@@ -1,8 +1,6 @@
 package foundation.privacybydesign.email;
 
-import foundation.privacybydesign.common.email.EmailTokens;
-
-import javax.mail.internet.AddressException;
+import jakarta.mail.internet.AddressException;
 
 /**
  * Test console application. Quite useless now, but was useful while writing
diff --git a/src/main/java/foundation/privacybydesign/email/EmailRestApi.java b/src/main/java/foundation/privacybydesign/email/EmailRestApi.java
index 2876bc1..8f454d3 100644
--- a/src/main/java/foundation/privacybydesign/email/EmailRestApi.java
+++ b/src/main/java/foundation/privacybydesign/email/EmailRestApi.java
@@ -1,7 +1,5 @@
 package foundation.privacybydesign.email;
 
-import foundation.privacybydesign.common.email.EmailTokens;
-import foundation.privacybydesign.common.filters.RateLimit;
 import org.irmacard.api.common.ApiClient;
 import org.irmacard.api.common.CredentialRequest;
 import org.irmacard.api.common.issuing.IdentityProviderRequest;
@@ -10,10 +8,10 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import javax.mail.internet.AddressException;
-import javax.ws.rs.*;
-import javax.ws.rs.core.MediaType;
-import javax.ws.rs.core.Response;
+import jakarta.mail.internet.AddressException;
+import jakarta.ws.rs.*;
+import jakarta.ws.rs.core.MediaType;
+import jakarta.ws.rs.core.Response;
 import java.io.UnsupportedEncodingException;
 import java.net.URLEncoder;
 import java.nio.charset.StandardCharsets;
@@ -93,7 +91,6 @@ public Response sendEmail(@FormParam("email") String email,
     @POST
     @Path("/send-email-token")
     @Produces(MediaType.TEXT_PLAIN)
-    @RateLimit
     public Response sendEmailToken(@FormParam("email") String emailAddress,
                                    @FormParam("language") String language) {
         EmailConfiguration conf = EmailConfiguration.getInstance();
diff --git a/src/main/java/foundation/privacybydesign/email/EmailSender.java b/src/main/java/foundation/privacybydesign/email/EmailSender.java
index 27449f2..ef35b0f 100644
--- a/src/main/java/foundation/privacybydesign/email/EmailSender.java
+++ b/src/main/java/foundation/privacybydesign/email/EmailSender.java
@@ -4,9 +4,8 @@
 import org.slf4j.LoggerFactory;
 
 import java.util.Properties;
-import javax.mail.*;
-import javax.mail.internet.*;
-
+import jakarta.mail.*;
+import jakarta.mail.internet.*;
 
 /**
  * Simple class to send emails. Mail host/port/auth is configured in
diff --git a/src/main/java/foundation/privacybydesign/email/EmailService.java b/src/main/java/foundation/privacybydesign/email/EmailService.java
index af9ccf3..50a41f4 100644
--- a/src/main/java/foundation/privacybydesign/email/EmailService.java
+++ b/src/main/java/foundation/privacybydesign/email/EmailService.java
@@ -6,7 +6,7 @@
 
 import org.glassfish.jersey.server.ResourceConfig;
 
-import javax.ws.rs.*;
+import jakarta.ws.rs.*;
 
 @ApplicationPath("/")
 public class EmailService extends ResourceConfig {
diff --git a/src/main/java/foundation/privacybydesign/email/EmailTokens.java b/src/main/java/foundation/privacybydesign/email/EmailTokens.java
new file mode 100644
index 0000000..32605e0
--- /dev/null
+++ b/src/main/java/foundation/privacybydesign/email/EmailTokens.java
@@ -0,0 +1,138 @@
+package foundation.privacybydesign.email;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import javax.crypto.Mac;
+
+import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
+import javax.crypto.spec.SecretKeySpec;
+import jakarta.xml.bind.DatatypeConverter;
+/**
+ * Create and verify tokens that can be used in email verification messages.
+ *
+ * Based on this idea:
+ *   https://aykevl.nl/2015/01/south-stateless-authenticated-sessions-http-golang
+ * In short, a token has the format payload:timestamp:signature
+ * where the payload can be any email address (email addresses may not
+ * contain colons according to the HTML5 <input type=email> field so it
+ * should be fine). The timestamp is the creation timestamp. The signature is
+ * over the payload:timestamp part. This way it is relatively easy to expire
+ * tokens (set a different validity) or revoke (change the key).
+ *
+ * The tokens aren't too long, just 55 bytes + the payload. And by using the
+ * URL version of base64 the potentially problematic '/' and '+' characters
+ * are avoided so tokens can be easily put in a URL without escaping.
+ */
+public class EmailTokens {
+    private static Logger logger = LoggerFactory.getLogger(EmailTokens.class);
+    private static String SIGNING_ALGORITHM = "HmacSHA256";
+
+    private Mac mac;
+    private long tokenValidity;
+
+    public EmailTokens(String signingKey, long tokenValidity) {
+        this.tokenValidity = tokenValidity;
+
+        // HMAC calculated using this sample:
+        // https://gist.github.com/ishikawa/88599/3195bdeecabeb38aa62872ab61877aefa6aef89e
+        SecretKeySpec key = new SecretKeySpec(signingKey.getBytes(), SIGNING_ALGORITHM);
+        try {
+            mac = Mac.getInstance(SIGNING_ALGORITHM);
+            mac.init(key);
+        } catch (NoSuchAlgorithmException | InvalidKeyException e) {
+            // This should not normally happen
+            throw new RuntimeException("Unknown key?");
+        }
+    }
+
+    /**
+     * Create a token: a value with a creation time and signature.
+     * Can be used to create e.g. authentication tokens.
+     */
+    public String createToken(String value) {
+        // We could also use a bigger radix for the timestamp to make it
+        // smaller (for example, a radix of 36 uses only 6 bytes instead of 10).
+        String timestamp = Long.toString(System.currentTimeMillis() / 1000);
+
+        return value + ":" + timestamp + ":" + signToken(value + ":" + timestamp);
+    }
+
+    /**
+     * Sign a token (value+timestamp) with a HMAC. Output the digest of the
+     * HMAC as base64 url-encoded string.
+     */
+    private String signToken(String token) {
+        // See https://aykevl.nl/2015/01/south-stateless-authenticated-sessions-http-golang
+        // for background on the system.
+        byte[] digestBytes = mac.doFinal(token.getBytes());
+        String digest = DatatypeConverter.printBase64Binary(digestBytes);
+        digest = digest.substring(0, 43); // strip tailing '='
+        digest = digest // convert to base64 URL encoding
+                .replace('+', '-')
+                .replace('/', '_');
+
+        return digest;
+    }
+
+    /**
+     * Verify the token. If it is verified and not expired, return the value.
+     * Otherwise, return null.
+     */
+    public String verifyToken(String token) {
+        // Parse token
+        String[] parts = token.split(":");
+        if (parts.length != 3) {
+            // invalid syntax
+            logger.error("Token {} does not have 3 parts", token);
+            return null;
+        }
+        String value = parts[0];
+        String timestamp = parts[1];
+        String digestText = parts[2];
+
+        long creationTime;
+        try {
+            creationTime = Long.parseLong(timestamp);
+        } catch (NumberFormatException e) {
+            // Invalid syntax
+            logger.error("Token {} has non-integer creation time", token);
+            return null;
+        }
+
+        // Verify expired tokens
+        long currentTime = System.currentTimeMillis() / 1000;
+        if (currentTime > creationTime+tokenValidity) {
+            // Token is no longer valid.
+            logger.error("Token {} has expired", token);
+            return null;
+        }
+
+        // Verify signature
+        String calculatedDigestText = signToken(value + ":" + timestamp);
+        if (isEqualsConstantTime(digestText.toCharArray(),
+                calculatedDigestText.toCharArray())) {
+            return value;
+        } else {
+            logger.error("Token {} has invalid HMAC", token);
+            return null;
+        }
+    }
+
+    /**
+     * Compare two byte arrays in constant time.
+     */
+    public static boolean isEqualsConstantTime(char[] a, char[] b) {
+        if (a.length != b.length) {
+            return false;
+        }
+
+        byte result = 0;
+        for (int i = 0; i < a.length; i++) {
+            result |= a[i] ^ b[i];
+        }
+        return result == 0;
+    }
+    
+}
\ No newline at end of file
diff --git a/src/main/java/foundation/privacybydesign/email/common/BaseConfiguration.java b/src/main/java/foundation/privacybydesign/email/common/BaseConfiguration.java
new file mode 100644
index 0000000..31fe9f3
--- /dev/null
+++ b/src/main/java/foundation/privacybydesign/email/common/BaseConfiguration.java
@@ -0,0 +1,317 @@
+package foundation.privacybydesign.email.common;
+
+import com.google.gson.JsonSyntaxException;
+import org.apache.commons.lang3.SystemUtils;
+import org.bouncycastle.util.io.pem.PemObject;
+import org.bouncycastle.util.io.pem.PemReader;
+import org.irmacard.api.common.util.GsonUtil;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.*;
+import java.lang.reflect.Field;
+import java.lang.reflect.Modifier;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.net.URL;
+import java.security.*;
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.PKCS8EncodedKeySpec;
+import java.security.spec.X509EncodedKeySpec;
+import java.util.ArrayList;
+import java.util.HashMap;
+
+public class BaseConfiguration<T> {
+    // Override these in a static {} block
+    public static Class<? extends BaseConfiguration<?>> clazz;
+    public static Logger logger = LoggerFactory.getLogger(BaseConfiguration.class);
+    public static String filename = "config.json";
+    public static String environmentVarPrefix = "IRMA_CONF_";
+    public static String confDirEnvironmentVarName = "IRMA_CONF";
+    public static String confDirName;
+    public static boolean printOnLoad = false;
+    public static boolean testing = false;
+
+    // Return this from a static getInstance()
+    public static BaseConfiguration<?> instance;
+    private static URI confPath;
+
+
+    public static void load() {
+        try {
+            String json = new String(getResource(filename));
+            instance = GsonUtil.getGson().fromJson(json, clazz);
+            logger.info("Using configuration directory: " + BaseConfiguration.getConfigurationDirectory().toString());
+        } catch (IOException|JsonSyntaxException e) {
+            logger.info("WARNING: could not load configuration file. Using default values or environment vars");
+            instance = GsonUtil.getGson().fromJson("{}", clazz);
+        }
+        instance.loadEnvVars();
+
+        if (printOnLoad) {
+            logger.info("Configuration:");
+            logger.info(instance.toString());
+        }
+    }
+
+    public static BaseConfiguration<?> getInstance() {
+        if (instance == null)
+            load();
+        return instance;
+    }
+
+    public static FileInputStream getResourceStream(String filename) throws IOException {
+        return new FileInputStream(new File(getConfigurationDirectory().resolve(filename)));
+    }
+
+    public static byte[] getResource(String filename) throws IOException {
+        return convertSteamToByteArray(getResourceStream(filename), 2048);
+    }
+
+    public static byte[] convertSteamToByteArray(InputStream stream, int size) throws IOException {
+        byte[] buffer = new byte[size];
+        ByteArrayOutputStream os = new ByteArrayOutputStream();
+
+        int line;
+        while ((line = stream.read(buffer)) != -1) {
+            os.write(buffer, 0, line);
+        }
+        stream.close();
+
+        os.flush();
+        os.close();
+        return os.toByteArray();
+    }
+
+    public static PublicKey getPublicKey(String filename) throws KeyManagementException {
+        try {
+            byte[] bytes = filename.endsWith(".pem") ? readPemFile(filename) : getResource(filename);
+            return decodePublicKey(bytes);
+        } catch (IOException e) {
+            throw new KeyManagementException(e);
+        }
+    }
+
+    private static byte[] readPemFile(String filename) throws FileNotFoundException, IOException {
+        PemReader pemReader = new PemReader(new InputStreamReader(getResourceStream(filename)));
+        PemObject pemObject = pemReader.readPemObject();
+        pemReader.close();
+        return pemObject.getContent();
+    }
+
+    public static  PublicKey decodePublicKey(byte[] bytes) throws KeyManagementException {
+        try {
+            if (bytes == null || bytes.length == 0)
+                throw new KeyManagementException("Could not read public key");
+            X509EncodedKeySpec spec = new X509EncodedKeySpec(bytes);
+            return KeyFactory.getInstance("RSA").generatePublic(spec);
+        } catch (NoSuchAlgorithmException|InvalidKeySpecException e) {
+            throw new KeyManagementException(e);
+        }
+    }
+
+    public static PrivateKey getPrivateKey(String filename) throws KeyManagementException {
+        try {
+            return decodePrivateKey(getResource(filename));
+        } catch (IOException e) {
+            throw new KeyManagementException(e);
+        }
+    }
+
+    public static PrivateKey decodePrivateKey(byte[] rawKey) throws KeyManagementException {
+        try {
+            if (rawKey == null || rawKey.length == 0)
+                throw new KeyManagementException("Could not read private key");
+
+            PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(rawKey);
+            return KeyFactory.getInstance("RSA").generatePrivate(spec);
+        } catch (NoSuchAlgorithmException |InvalidKeySpecException e) {
+            throw new KeyManagementException(e);
+        }
+    }
+
+    /**
+     * Override configuration with environment variables, if set
+     * Uses reflection to set variables, because otherwise it would be impossible to set all variable at once in a loop
+     */
+    public void loadEnvVars() {
+        for (Field f : BaseConfiguration.clazz.getDeclaredFields()) {
+            if ( Modifier.isTransient(f.getModifiers()) || Modifier.isStatic(f.getModifiers())) {
+                // Skip transient and static fields
+                continue;
+            }
+
+            Object envValue = getEnv(environmentVarPrefix + f.getName(), f.getType());
+            if (envValue != null) {
+                try {
+                    f.set(this, envValue);
+                } catch (IllegalAccessException e) {
+                    e.printStackTrace();
+                }
+            }
+        }
+    }
+
+    /**
+     * Obtain an environment variable and parse it to the right type
+     * @param confEntry name of environment variable
+     * @param cls class to be parsed into (either Integer, Boolean, String, HashMap)
+     * @param <T> type of the variable
+     * @return a parsed variable in the right type (T) or null if environment variable isn't set
+     */
+    public static <T> T getEnv(String confEntry, Class<T> cls) {
+        confEntry = confEntry.toUpperCase();
+        String env = System.getenv(confEntry);
+        if (env== null || env.length() == 0) {
+            return null;
+        }
+
+        T overrideValue;
+
+        try {
+            if (cls == int.class) {
+                try {
+                    Integer parsed = Integer.parseInt(env);
+                    overrideValue =  cls.cast(parsed);
+                } catch (NumberFormatException e) {
+                    logger.warn("Could not parse config entry as int: " + confEntry + " with value: " + env);
+                    return null;
+                }
+            } else if (cls == boolean.class) {
+                Boolean parsed = Boolean.parseBoolean(env);
+                overrideValue = cls.cast(parsed);
+            } else if (cls == String.class) {
+                overrideValue = cls.cast(env);
+            } else if (cls == HashMap.class){ // Try to parse as hashmap for authorized_??? entries
+                try {
+                    overrideValue = cls.cast(GsonUtil.getGson().fromJson(env, cls));
+                } catch (JsonSyntaxException e) {
+                    logger.warn("Could not parse config entry as json: " + confEntry + " with value: " + env);
+                    return null;
+                }
+            } else {
+                throw new IllegalArgumentException("Invalid class specified, must be one of: Integer, Boolean, String, HashMap");
+            }
+        } catch (ClassCastException e){
+            logger.warn("Could not cast config entry: " + confEntry + " with value: " + env);
+            return null;
+        }
+
+        logger.info("Overriding config entry " + confEntry + " with value: " + env);
+        return overrideValue;
+    }
+
+    /**
+     * If a path was set in the $confDirEnvironmentVarName environment variable, return it
+     */
+    public static URI getEnvironmentVariableConfDir() throws URISyntaxException {
+        String envDir = System.getenv(confDirEnvironmentVarName);
+        if (envDir == null || envDir.length() == 0)
+            return null;
+        return pathToURI(envDir, true);
+    }
+
+    /**
+     * Returns true if the specified path is a valid configuration directory. A directory
+     * is considered a valid configuration directory if it contains a file called $filename.
+     */
+    public static boolean isConfDirectory(URI candidate) {
+        return candidate != null && new File(candidate.resolve(filename)).isFile();
+    }
+
+    /**
+     * Get the path to the Java resources directory, i.e., src/main/resources or src/test/resources;
+     * note that it must contain the file called $filename or "config.test.json" for this to work
+     */
+    public static URI GetJavaResourcesDirectory() throws URISyntaxException {
+        // The only way to actually get the resource folder, as opposed to the classes folder,
+        // seems to be to ask for an existing file or directory within the resources. That is,
+        // BaseConfiguration.class.getClassLoader().getResource("/") or variants thereof
+        // give an incorrect path.
+        String testfile = BaseConfiguration.testing ? "config.test.json" : filename;
+        URL url = BaseConfiguration.class.getClassLoader().getResource(testfile);
+        if (url != null) // Construct an URI of the parent path
+            return pathToURI(new File(url.getPath()).getParent(), true);
+        else
+            return null;
+    }
+
+    public static URI pathToURI(String path, boolean trailingSlash) throws URISyntaxException {
+        if (trailingSlash && !path.endsWith("/"))
+            path = path + "/";
+        if (SystemUtils.IS_OS_WINDOWS)
+            path = path.replace("\\", "/");
+        // path might contain file: or file:/ or file:// or file:/// or none of them
+        // Just throw them all away so we can fix it properly
+        path = path.replaceFirst("^file:/*", "");
+        if (SystemUtils.IS_OS_WINDOWS) // Sometimes we get file:///C/blah, that doesn't work
+            path = path.replaceFirst("^(\\w)/", "$1:/");
+        return new URI("file:///" + path);
+    }
+
+    /**
+     * Get the configuration directory.
+     * @throws IllegalStateException If no suitable configuration directory was found
+     * @throws IllegalArgumentException If the path from the $confDirEnvironmentVarName environment variable was
+     *                                  not a valid path
+     */
+    public static URI getConfigurationDirectory() throws IllegalStateException, IllegalArgumentException {
+        if (confPath != null)
+            return confPath;
+
+        try {
+            // If we're running unit tests, only accept src/test/resources
+            URI resourcesCandidate = GetJavaResourcesDirectory();
+            if (BaseConfiguration.testing) {
+                if (resourcesCandidate != null) {
+                    logger.info("Running tests: taking src/test/resources as configuration directory");
+                    confPath = resourcesCandidate;
+                    return confPath;
+                }
+                else {
+                    throw new IllegalStateException("No configuration found in in src/test/resources. " +
+                            "(Have you run `git submodule init && git submodule update`?)");
+                }
+            }
+
+            // If a path was given in the $confDirEnvironmentVarName environment variable, prefer it
+            URI envCandidate = getEnvironmentVariableConfDir();
+            if (envCandidate != null) {
+                if (isConfDirectory(envCandidate)) {
+                    logger.info("Taking configuration directory specified by environment variable " + confDirEnvironmentVarName);
+                    confPath = envCandidate;
+                    return confPath;
+                } else {
+                    // If the user specified an incorrect path (s)he will want to know, so bail out here
+                    throw new IllegalArgumentException("Specified path in " + confDirEnvironmentVarName
+                            + " is not a valid configuration directory");
+                }
+            }
+
+            // See if a number of other fixed candidates are suitable
+            ArrayList<URI> candidates = new ArrayList<>(4);
+            candidates.add(resourcesCandidate);
+            if (confDirName != null) {
+                candidates.add(pathToURI("/etc/" + confDirName, true));
+                candidates.add(pathToURI("C:/" + confDirName, true));
+                candidates.add(pathToURI(System.getProperty("user.home")+"/"+confDirName, true));
+            }
+
+            for (URI candidate : candidates) {
+                if (isConfDirectory(candidate)) {
+                    confPath = candidate;
+                    return confPath;
+                }
+            }
+
+            throw new IllegalStateException("No valid configuration directory found");
+        } catch (URISyntaxException e) {
+            throw new IllegalArgumentException(e);
+        }
+    }
+
+    @Override
+    public String toString() {
+        return GsonUtil.getGson().toJson(this);
+    }
+}
\ No newline at end of file
diff --git a/src/main/resources/jetty-env.xml b/src/main/resources/jetty-env.xml
index 60bc1c8..4d9ca44 100644
--- a/src/main/resources/jetty-env.xml
+++ b/src/main/resources/jetty-env.xml
@@ -1,4 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure.dtd">
 <Configure class="org.eclipse.jetty.webapp.WebAppContext">
     <!-- Disable scanning of jars, this can mess stuff up bigtime, but
          it makes booting a whole lot faster, see:
diff --git a/src/test/java/foundation/privacybydesign/email/EmailTokensTest.java b/src/test/java/foundation/privacybydesign/email/EmailTokensTest.java
new file mode 100644
index 0000000..a102cdf
--- /dev/null
+++ b/src/test/java/foundation/privacybydesign/email/EmailTokensTest.java
@@ -0,0 +1,71 @@
+package foundation.privacybydesign.email;
+
+import foundation.privacybydesign.email.EmailTokens;
+import org.junit.Test;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNull;
+
+/**
+ * Test class for valid and invalid (malformed, expired, tampered) signatures.
+ *
+ * TODO: maybe we should throw an error in the EmailTokens class so we know
+ * that we're actually testing the right thing (and the token isn't simply
+ * malformed while we're testing an expired one).
+ *
+ * TODO: mock the time for better testability.
+ */
+public class EmailTokensTest {
+    private EmailTokens signer = new EmailTokens("password", 60);
+    private String validToken = signer.createToken("testtoken");
+
+    @Test
+    public void testValidToken() {
+        assertEquals("valid token failed to verify",
+                signer.verifyToken(validToken), "testtoken");
+    }
+
+    @Test
+    public void testExpiredToken() {
+        assertNull("expired token must be null",
+                signer.verifyToken("testtoken:1499377646:sadRkftPRiBhl1eXrgUwDFwYOfwm-Zkdg_ubOABkVXM"));
+    }
+
+    @Test
+    public void testMalformedToken() {
+        assertNull("malformed token must be null",
+                signer.verifyToken(validToken.replace(
+                        "testtoken:",
+                        "testtoken.")));
+    }
+
+    @Test
+    public void testTamperedTimeToken1() {
+        assertNull("token with a changed time must be null",
+                signer.verifyToken(validToken.replace(
+                        "testtoken:1",
+                        "testtoken:2")));
+    }
+
+    @Test
+    public void testTamperedTimeToken2() {
+        assertNull("token with a changed time must be null",
+                signer.verifyToken(validToken.replace(
+                        "testtoken:1",
+                        "testtoken:0")));
+    }
+
+    @Test
+    public void testTamperedMessageToken() {
+        assertNull("token with a changed payload must be null",
+                signer.verifyToken(validToken.replace(
+                        "testtoken:",
+                        "testmessg:")));
+    }
+
+    @Test(expected = IllegalArgumentException.class)
+    public void testEmailTokensWithoutPassword() {
+        // A password *must* be provided, so this will throw an error.
+        new EmailTokens("", 60);
+    }
+}
\ No newline at end of file

From ba8ce451221642001adbf74584caeacb93d59d3b Mon Sep 17 00:00:00 2001
From: Bob Hageman <bob@schluss.org>
Date: Mon, 28 Aug 2023 12:55:12 +0200
Subject: [PATCH 03/22] chore: remove unused class

---
 .../privacybydesign/email/EmailProvider.java  | 24 -------------------
 1 file changed, 24 deletions(-)
 delete mode 100644 src/main/java/foundation/privacybydesign/email/EmailProvider.java

diff --git a/src/main/java/foundation/privacybydesign/email/EmailProvider.java b/src/main/java/foundation/privacybydesign/email/EmailProvider.java
deleted file mode 100644
index e478696..0000000
--- a/src/main/java/foundation/privacybydesign/email/EmailProvider.java
+++ /dev/null
@@ -1,24 +0,0 @@
-package foundation.privacybydesign.email;
-
-import jakarta.mail.internet.AddressException;
-
-/**
- * Test console application. Quite useless now, but was useful while writing
- * this application.
- */
-public class EmailProvider {
-    public static void main(String[] args) throws AddressException {
-        EmailConfiguration conf = EmailConfiguration.getInstance();
-
-        // Test email with signature
-        EmailTokens signer = new EmailTokens(conf.getSecretKey(), conf.getEmailTokenValidity());
-        String token = signer.createToken(conf.getMailFrom());
-
-        String mailBody = String.format(conf.getVerifyEmailBody("en"),
-                "#verify-email/" + token);
-
-        System.out.println("Sending test email...");
-        EmailSender.send(conf.getMailFrom(), "mail verification", mailBody);
-        System.out.println("Done.");
-    }
-}
\ No newline at end of file

From 5917342c8e99ce0568ce70b26eed049fdbcfd042 Mon Sep 17 00:00:00 2001
From: Bob Hageman <bob@schluss.org>
Date: Mon, 28 Aug 2023 13:02:10 +0200
Subject: [PATCH 04/22] improve: return 500 when sending mail fails

---
 build.gradle                                  |  6 +--
 .../privacybydesign/email/EmailRestApi.java   |  6 +++
 .../privacybydesign/email/EmailSender.java    | 46 ++++++++-----------
 3 files changed, 28 insertions(+), 30 deletions(-)

diff --git a/build.gradle b/build.gradle
index 227067e..394f267 100644
--- a/build.gradle
+++ b/build.gradle
@@ -29,8 +29,7 @@ dependencies {
     implementation 'org.glassfish.jersey.containers:jersey-container-servlet:3.0.0'
     implementation 'org.glassfish.jersey.inject:jersey-hk2:3.0.0'
     implementation 'ch.qos.logback:logback-classic:1.1.7'
-    implementation 'jakarta.mail:jakarta.mail-api:2.1.2'
-
+    implementation 'com.sun.mail:jakarta.mail:2.0.1'
     implementation 'jakarta.ws.rs:jakarta.ws.rs-api:3.1.0'
     
     implementation 'io.jsonwebtoken:jjwt:0.9.1'
@@ -39,7 +38,7 @@ dependencies {
     implementation 'org.bouncycastle:bcpkix-jdk15on:1.70'
     implementation 'org.bouncycastle:bcprov-jdk15on:1.67'
     implementation 'jakarta.xml.bind:jakarta.xml.bind-api:3.0.1'
-    
+
     implementation 'org.irmacard.api:irma_api_common:2.0.0'
 
     testImplementation group: 'junit', name: 'junit', version: '4.13.1'
@@ -47,4 +46,5 @@ dependencies {
 
 gretty {
     contextConfigFile = file('src/main/resources/jetty-env.xml')
+    extraResourceBase 'webapp/build'
 }
diff --git a/src/main/java/foundation/privacybydesign/email/EmailRestApi.java b/src/main/java/foundation/privacybydesign/email/EmailRestApi.java
index 8f454d3..ccf2374 100644
--- a/src/main/java/foundation/privacybydesign/email/EmailRestApi.java
+++ b/src/main/java/foundation/privacybydesign/email/EmailRestApi.java
@@ -77,6 +77,9 @@ public Response sendEmail(@FormParam("email") String email,
         } catch (UnsupportedEncodingException e) {
             logger.error("Invalid return URL: {}: {}", client.getReturnURL(), e.getMessage());
             return Response.status(Response.Status.INTERNAL_SERVER_ERROR).build();
+        } catch (Exception e) {
+            logger.error("Sending mail failed:\n{}", e.getMessage());
+            return Response.status(Response.Status.INTERNAL_SERVER_ERROR).build();
         }
         return Response.status(Response.Status.OK).entity(OK_RESPONSE).build();
     }
@@ -125,6 +128,9 @@ public Response sendEmailToken(@FormParam("email") String emailAddress,
             logger.error("Invalid address: {}", e.getMessage());
             return Response.status(Response.Status.BAD_REQUEST).entity
                     (ERR_ADDRESS_MALFORMED).build();
+        } catch (Exception e) {
+            logger.error("Sending mail failed:\n{}", e.getMessage());
+            return Response.status(Response.Status.INTERNAL_SERVER_ERROR).build();
         }
         return Response.status(Response.Status.OK).entity
                 (OK_RESPONSE).build();
diff --git a/src/main/java/foundation/privacybydesign/email/EmailSender.java b/src/main/java/foundation/privacybydesign/email/EmailSender.java
index ef35b0f..255a8d6 100644
--- a/src/main/java/foundation/privacybydesign/email/EmailSender.java
+++ b/src/main/java/foundation/privacybydesign/email/EmailSender.java
@@ -1,8 +1,5 @@
 package foundation.privacybydesign.email;
 
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
 import java.util.Properties;
 import jakarta.mail.*;
 import jakarta.mail.internet.*;
@@ -14,7 +11,6 @@
  * TODO: join this with org.irmacard.keyshare.web.email.EmailSender
  */
 public class EmailSender {
-    private static Logger logger = LoggerFactory.getLogger(EmailSender.class);
 
     /**
      * Send an email using a configured SMTP server.
@@ -24,11 +20,11 @@ public class EmailSender {
      * @param body Email text body
      * @throws AddressException
      */
-    public static void send(String toAddresses, String subject, String body) throws AddressException {
+    public static void send(String toAddresses, String subject, String body) throws AddressException, MessagingException {
         send(toAddresses, subject, body, null, false);
     }
 
-    public static void send(String toAddresses, String subject, String body, String replyto, boolean html, Object... o) throws AddressException{
+    public static void send(String toAddresses, String subject, String body, String replyto, boolean html, Object... o) throws AddressException, MessagingException{
         InternetAddress[] addresses = InternetAddress.parse(toAddresses);
         if (addresses.length != 1)
             throw new AddressException("Invalid amount of (comma-separated) addresses given (should be 1)");
@@ -56,29 +52,25 @@ protected PasswordAuthentication getPasswordAuthentication() {
             session = Session.getInstance(props);
         }
 
-        try {
-            Message message = new MimeMessage(session);
-            message.setFrom(new InternetAddress(EmailConfiguration.getInstance().getMailFrom()));
-            message.setRecipients(Message.RecipientType.TO, addresses);
-            message.setSubject(subject);
-            if (replyto != null && replyto.length() > 0)
-                message.setReplyTo(new Address[]{new InternetAddress(replyto)});
+        Message message = new MimeMessage(session);
+        message.setFrom(new InternetAddress(EmailConfiguration.getInstance().getMailFrom()));
+        message.setRecipients(Message.RecipientType.TO, addresses);
+        message.setSubject(subject);
+        if (replyto != null && replyto.length() > 0)
+            message.setReplyTo(new Address[]{new InternetAddress(replyto)});
 
-            if (o != null && o.length > 0)
-                body = String.format(body, o);
+        if (o != null && o.length > 0)
+            body = String.format(body, o);
 
-            if (html) {
-                MimeBodyPart messageBodyPart = new MimeBodyPart();
-                messageBodyPart.setContent(body, "text/html");
-                Multipart multipart = new MimeMultipart();
-                multipart.addBodyPart(messageBodyPart);
-                message.setContent(multipart);
-            } else {
-                message.setText(body);
-            }
-            Transport.send(message);
-        } catch (MessagingException e) {
-            logger.error("Sending mail failed:\n{}", e.getMessage());
+        if (html) {
+            MimeBodyPart messageBodyPart = new MimeBodyPart();
+            messageBodyPart.setContent(body, "text/html");
+            Multipart multipart = new MimeMultipart();
+            multipart.addBodyPart(messageBodyPart);
+            message.setContent(multipart);
+        } else {
+            message.setText(body);
         }
+        Transport.send(message);
     }
 }

From 353e48474672f644dfb6772c39f578b95151a040 Mon Sep 17 00:00:00 2001
From: Bob Hageman <bob@schluss.org>
Date: Tue, 29 Aug 2023 09:41:13 +0200
Subject: [PATCH 05/22] feat: dockerize app for easier development

---
 .gitignore                            |  1 +
 Dockerfile                            | 28 ++++++++++++
 README.md                             | 64 ++++++++++++++++++++++++---
 docker-compose.yml                    | 63 ++++++++++++++++++++++++++
 src/main/resources/config.sample.json | 17 +++----
 webapp/config.example.js              |  4 +-
 6 files changed, 161 insertions(+), 16 deletions(-)
 create mode 100644 Dockerfile
 create mode 100644 docker-compose.yml

diff --git a/.gitignore b/.gitignore
index 4e868ec..3fdb836 100644
--- a/.gitignore
+++ b/.gitignore
@@ -12,6 +12,7 @@ webapp/build
 .settings/
 bin/
 artifacts/
+.DS_Store
 
 !src/main/webapp/WEB-INF
 src/main/webapp/*
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..09b2f33
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,28 @@
+
+FROM yarnpkg/node-yarn:latest as webappbuild
+
+ARG LANGUAGE=en
+
+# Build the webapp
+COPY ./webapp/ /webapp/
+WORKDIR /webapp
+RUN yarn install && ./build.sh ${LANGUAGE}
+
+FROM gradle:7.6-jdk11 as javabuild
+
+# Build the java app
+COPY ./ /app/
+WORKDIR /app
+RUN gradle build
+
+FROM tomee:9.0-jre11
+
+# Copy the webapp to the webapps directory
+COPY --from=webappbuild /webapp/build/ /usr/local/tomee/webapps/ROOT/
+
+# Copy the war file to the webapps directory
+COPY --from=javabuild /app/build/libs/irma_email_issuer-1.1.0.war /usr/local/tomee/webapps/
+
+EXPOSE 8080
+
+CMD ["catalina.sh", "run"]
\ No newline at end of file
diff --git a/README.md b/README.md
index 158f650..afc4a99 100644
--- a/README.md
+++ b/README.md
@@ -1,16 +1,68 @@
 
-# Email server
+# irma_email_issuer
 
 Add an email address for use in your [Yivi app](https://github.com/privacybydesign/irma_mobile).
 
+## Running (development)
+The easiest way to run the irma_email_issuer for development purposes is via Docker.
 
-## Setting up the server
+### Configuration
+Various configuration files, keys and settings need to be in place to be able to build and run the apps.
+
+1. To generate the required keys for the issuer, run:
+```bash
+$ utils/keygen.sh ./src/main/resources/sk ./src/main/resources/pk
+```
+
+2. Create the Java app configuration:
+Copy the file `src/main/resources/config.sample.json` to `src/main/resources/main/config.json`.
+
+4. Update docker-compose.yml with your local IP address:
+Set the `- "--url=http://ip-address:8088"` parameter inside `docker-compose.yml` to match the IP address of your development machine. For example:
+```yml
+    entrypoint:
+      - "--url=http://192.168.1.105:8088"
+```
+Note: do not use `127.0.0.1` or `0.0.0.0` as IP addresses as this will result in the app not being able to find the issuer.
+
+### Run
+Use docker-compose to spin up the containers:
+```bash
+$ docker-compose up
+```
+
+By default, docker-compose caches docker images, so on a second run the previous built images will be used. A fresh build can be enforced using the --build flag.
+```bash
+$ docker-compose up --build
+```
+
+## Manual
+
+Using this construction you need to run the irma server and 
 
 1. Generate JWT keys for the issuer
 ```bash
-./utils/keygen.sh ./src/main/resources/sk ./src/main/resources/pk
+$ utils/keygen.sh ./src/main/resources/sk ./src/main/resources/pk
 ```
+
 2. Copy the file `src/main/resources/config.sample.json` to
- `build/resources/main/config.json` and modify it.
-3. Run `gradle appRun` in the root directory of this project.
-4. Navigate to `http://localhost:8080/irma_email_issuer/api/hello`
+ `src/main/resources/main/config.json` and modify it.
+todo: voorbeeld
+
+3. Build the webapp
+```bash
+$ cd webapp && yarn install && yarn build en && cd ../
+```
+If you want to build another language, for example Dutch, change `build en` to `build nl`.
+
+4. Copy the file `webapp/config.example.js` to `webapp/build/assets/config.js` and modify it 
+
+5. Run `gradle appRun` in the root directory of this project.
+
+To open the webapp navigate to `http://localhost:8080`. The API is accessible via `http://localhost:8080/irma_email_issuer/api`
+
+## Test
+You can run the tests, defined in `src/test/java/foundation/privacybydesign/email`, using the following command:
+```bash
+$ gradle test
+```
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..6040884
--- /dev/null
+++ b/docker-compose.yml
@@ -0,0 +1,63 @@
+version: "3.8"
+name: irma_email_issuer
+
+services:
+  # Irma issuer service
+  irmaserver:
+    image: ghcr.io/privacybydesign/irma:v0.13.2
+    container_name: irma_server
+    working_dir: /irmago
+    ports:
+      - 8088:8088
+    expose:
+      - 8088
+    networks:
+      - irma-net
+    entrypoint:
+      - "irma"
+      - "server"
+      - "--no-auth=false"
+      - "--requestors={\"irma_email_issuer\":{\"auth_method\":\"publickey\",\"key_file\": \"/config/pk.pem\"} }"
+      - "--port=8088"
+      - "--jwt-privkey-file=/config/sk.pem"
+      - "--url=http://ip-address:8088" # Your localhost IP-address here. This is required for the app to be able to connect to the issuer
+    volumes:
+      - ./src/main/resources/:/config/
+
+  # Mailhog service
+  mailhog:
+    image: mailhog/mailhog
+    networks:
+      # We use a localhost alias such that the test configuration also works for users who run it without Docker.
+      irma-net:
+        aliases:
+          - mailhog.localhost
+    ports:
+      - 1025:1025
+      - 8025:8025 # Port of the web interface
+
+  # Service that runs the SMS issuer webapp and api
+  irma_email_issuer:
+      platform: linux/x86_64
+      build:
+        context: .
+        dockerfile: Dockerfile
+      container_name: irma_email_issuer
+      volumes:
+        # Make keys and config files available for Java app
+        - ./src/resources/main/:/config/
+        # Make config.js available for webapp
+        - ./webapp/config.example.js:/usr/local/tomee/webapps/ROOT/assets/config.js:ro"
+      ports:
+        - 8080:8080
+      expose:
+        - 8080
+      networks:
+        - irma-net
+
+# Docker Desktop for MacOS does not support exposing ports when using host networking. Therefore,
+# we have to use bridge networking and expose the ports manually.
+# https://github.com/docker/for-mac/issues/1031
+networks:
+  irma-net:
+    driver: bridge
\ No newline at end of file
diff --git a/src/main/resources/config.sample.json b/src/main/resources/config.sample.json
index 7ef0628..772db5a 100644
--- a/src/main/resources/config.sample.json
+++ b/src/main/resources/config.sample.json
@@ -4,21 +4,22 @@
     "nl": "Voeg e-mailadres toe aan je Yivi-app"
   },
   "server_url": {
-    "en": "http://localhost:8080/irma_email_issuer",
-    "nl": "http://localhost:8080/irma_email_issuer"
+    "en": "http://localhost:8080",
+    "nl": "http://localhost:8080"
   },
-  "mail_host": "smtp.science.ru.nl",
-  "mail_port": 25,
+  "mail_host": "mailhog.localhost",
+  "mail_port": 1025,
   "mail_user": "",
   "mail_password": "",
-  "mail_from_address": "Yivi Email Issuer <yivi@privacybydesign.foundation>",
-  "secret_key": "",
+  "mail_starttls_required": false,
+  "mail_from_address": "noreply@yivi.app",
+  "secret_key": "somesecretkey",
   "token_validity": 86400,
   "private_key_path": "sk.der",
   "server_name": "irma_email_issuer",
   "human_readable_name": "Privacy by Design Foundation",
-  "scheme_manager": "pbdf",
-  "email_issuer": "pbdf",
+  "scheme_manager": "irma-demo",
+  "email_issuer": "sidn-pbdf",
   "email_credential": "email",
   "email_attribute": "email",
   "domain_attribute": "domain"
diff --git a/webapp/config.example.js b/webapp/config.example.js
index 75e32f6..0409c0d 100644
--- a/webapp/config.example.js
+++ b/webapp/config.example.js
@@ -1,4 +1,4 @@
 var config = {
-  IRMASERVER: '',
-  EMAILSERVER: '',
+  IRMASERVER: 'http://localhost:8088',
+  EMAILSERVER: 'http://localhost:8080/irma_email_issuer-1.1.0/api',
 };

From f218521837f04bee3702ba6c8671f96236f57fff Mon Sep 17 00:00:00 2001
From: Bob Hageman <bob@schluss.org>
Date: Tue, 29 Aug 2023 09:42:03 +0200
Subject: [PATCH 06/22] fix: corrupt multipart mailbody

---
 .../java/foundation/privacybydesign/email/EmailSender.java | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/src/main/java/foundation/privacybydesign/email/EmailSender.java b/src/main/java/foundation/privacybydesign/email/EmailSender.java
index 255a8d6..42e9e73 100644
--- a/src/main/java/foundation/privacybydesign/email/EmailSender.java
+++ b/src/main/java/foundation/privacybydesign/email/EmailSender.java
@@ -63,14 +63,11 @@ protected PasswordAuthentication getPasswordAuthentication() {
             body = String.format(body, o);
 
         if (html) {
-            MimeBodyPart messageBodyPart = new MimeBodyPart();
-            messageBodyPart.setContent(body, "text/html");
-            Multipart multipart = new MimeMultipart();
-            multipart.addBodyPart(messageBodyPart);
-            message.setContent(multipart);
+            message.setContent(body, "text/html");
         } else {
             message.setText(body);
         }
+
         Transport.send(message);
     }
 }

From 98254a2920c282444e0fd418a34f7cbd77114d69 Mon Sep 17 00:00:00 2001
From: Bob Hageman <bob@schluss.org>
Date: Tue, 29 Aug 2023 11:28:34 +0200
Subject: [PATCH 07/22] security: prevent log injection and long overflow

---
 .../privacybydesign/email/EmailTokens.java    | 20 ++++++++++++-------
 .../email/EmailTokensTest.java                |  8 +++++++-
 2 files changed, 20 insertions(+), 8 deletions(-)

diff --git a/src/main/java/foundation/privacybydesign/email/EmailTokens.java b/src/main/java/foundation/privacybydesign/email/EmailTokens.java
index 32605e0..5a19516 100644
--- a/src/main/java/foundation/privacybydesign/email/EmailTokens.java
+++ b/src/main/java/foundation/privacybydesign/email/EmailTokens.java
@@ -85,7 +85,7 @@ public String verifyToken(String token) {
         String[] parts = token.split(":");
         if (parts.length != 3) {
             // invalid syntax
-            logger.error("Token {} does not have 3 parts", token);
+            logger.error("Token does not have 3 parts");
             return null;
         }
         String value = parts[0];
@@ -97,15 +97,21 @@ public String verifyToken(String token) {
             creationTime = Long.parseLong(timestamp);
         } catch (NumberFormatException e) {
             // Invalid syntax
-            logger.error("Token {} has non-integer creation time", token);
+            logger.error("Token has non-integer creation time");
             return null;
         }
 
         // Verify expired tokens
-        long currentTime = System.currentTimeMillis() / 1000;
-        if (currentTime > creationTime+tokenValidity) {
-            // Token is no longer valid.
-            logger.error("Token {} has expired", token);
+        try {
+            long currentTime = System.currentTimeMillis() / 1000;
+            if (currentTime > Math.addExact(creationTime, tokenValidity)) {
+                // Token is no longer valid.
+                logger.error("Token has expired");
+                return null;
+            }
+        } catch (ArithmeticException e) {
+            // Adding times resulted in a long overflow.
+            logger.error("Token has invalid creation time");
             return null;
         }
 
@@ -115,7 +121,7 @@ public String verifyToken(String token) {
                 calculatedDigestText.toCharArray())) {
             return value;
         } else {
-            logger.error("Token {} has invalid HMAC", token);
+            logger.error("Token has invalid HMAC");
             return null;
         }
     }
diff --git a/src/test/java/foundation/privacybydesign/email/EmailTokensTest.java b/src/test/java/foundation/privacybydesign/email/EmailTokensTest.java
index a102cdf..5c00747 100644
--- a/src/test/java/foundation/privacybydesign/email/EmailTokensTest.java
+++ b/src/test/java/foundation/privacybydesign/email/EmailTokensTest.java
@@ -1,6 +1,5 @@
 package foundation.privacybydesign.email;
 
-import foundation.privacybydesign.email.EmailTokens;
 import org.junit.Test;
 
 import static org.junit.Assert.assertEquals;
@@ -55,6 +54,13 @@ public void testTamperedTimeToken2() {
                         "testtoken:0")));
     }
 
+    @Test
+    public void testTamperedTimeToken3() {      
+        Long maxVal = Long.MAX_VALUE;
+        assertNull("token with a changed time causing an overflow must be null",
+                signer.verifyToken("testtoken:" + maxVal + ":sadRkftPRiBhl1eXrgUwDFwYOfwm-Zkdg_ubOABkVXM"));
+    } 
+
     @Test
     public void testTamperedMessageToken() {
         assertNull("token with a changed payload must be null",

From df0106702cf280c4a8a14e7e5a35df446248090a Mon Sep 17 00:00:00 2001
From: Bob Hageman <bob@schluss.org>
Date: Tue, 29 Aug 2023 11:52:11 +0200
Subject: [PATCH 08/22] fix: convert boxed variable to primitive

---
 .../foundation/privacybydesign/email/EmailTokensTest.java   | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/test/java/foundation/privacybydesign/email/EmailTokensTest.java b/src/test/java/foundation/privacybydesign/email/EmailTokensTest.java
index 5c00747..566f40d 100644
--- a/src/test/java/foundation/privacybydesign/email/EmailTokensTest.java
+++ b/src/test/java/foundation/privacybydesign/email/EmailTokensTest.java
@@ -55,11 +55,11 @@ public void testTamperedTimeToken2() {
     }
 
     @Test
-    public void testTamperedTimeToken3() {      
-        Long maxVal = Long.MAX_VALUE;
+    public void testTamperedTimeToken3() {
+        long maxVal = Long.MAX_VALUE;
         assertNull("token with a changed time causing an overflow must be null",
                 signer.verifyToken("testtoken:" + maxVal + ":sadRkftPRiBhl1eXrgUwDFwYOfwm-Zkdg_ubOABkVXM"));
-    } 
+    }
 
     @Test
     public void testTamperedMessageToken() {

From ef5f7187923b703e8612cbbf28acb961fa5a8d93 Mon Sep 17 00:00:00 2001
From: Bob Hageman <bob@schluss.org>
Date: Tue, 29 Aug 2023 12:22:31 +0200
Subject: [PATCH 09/22] security: uncontrolled data used in path expression

---
 README.md                                     |  2 +-
 .../privacybydesign/email/EmailRestApi.java   | 26 +++++++++++++++----
 2 files changed, 22 insertions(+), 6 deletions(-)

diff --git a/README.md b/README.md
index afc4a99..913fdf3 100644
--- a/README.md
+++ b/README.md
@@ -17,7 +17,7 @@ $ utils/keygen.sh ./src/main/resources/sk ./src/main/resources/pk
 2. Create the Java app configuration:
 Copy the file `src/main/resources/config.sample.json` to `src/main/resources/main/config.json`.
 
-4. Update docker-compose.yml with your local IP address:
+3. Update docker-compose.yml with your local IP address:
 Set the `- "--url=http://ip-address:8088"` parameter inside `docker-compose.yml` to match the IP address of your development machine. For example:
 ```yml
     entrypoint:
diff --git a/src/main/java/foundation/privacybydesign/email/EmailRestApi.java b/src/main/java/foundation/privacybydesign/email/EmailRestApi.java
index ccf2374..eb0ee2c 100644
--- a/src/main/java/foundation/privacybydesign/email/EmailRestApi.java
+++ b/src/main/java/foundation/privacybydesign/email/EmailRestApi.java
@@ -50,9 +50,8 @@ public Response sendEmail(@FormParam("email") String email,
         if (client == null)
             return Response.status(Response.Status.UNAUTHORIZED).build();
 
-        if (lang == null || lang.length() == 0)
-            lang = EmailConfiguration.getInstance().getDefaultLanguage();
-
+        lang = parseLanguage(lang);
+     
         // We only accept lowercase email addresses.
         if (!email.equals(email.toLowerCase())) {
             logger.error("Address contains uppercase characters");
@@ -107,8 +106,8 @@ public Response sendEmailToken(@FormParam("email") String emailAddress,
         // Test email with signature
         String token = signer.createToken(emailAddress);
 
-        if (language == null || language.length() == 0)
-            language = EmailConfiguration.getInstance().getDefaultLanguage();
+        language = parseLanguage(language);
+
         String mailBodyTemplate = conf.getVerifyEmailBody(language);
         if (mailBodyTemplate == null) {
             return Response.status(Response.Status.BAD_REQUEST).entity
@@ -192,4 +191,21 @@ public Response verifyEmailToken(@FormParam("token") String token) throws KeyMan
         return Response.status(Response.Status.OK)
                 .entity(jwt).build();
     }
+
+    /**
+     * Return a sanitized language code or the default language based on the given input
+     * 
+     * @param language the language code to sanitize
+     * @return String with language code
+     */
+    private String parseLanguage(String language){
+        if (language == null || language.length() == 0){
+            language = EmailConfiguration.getInstance().getDefaultLanguage();
+        }
+        else {
+            // Only allow letters in the language code to prevent path and other injection attacts
+            language = language.replaceAll("[^a-zA-Z]", "");
+        }
+        return language;
+    }
 }

From b8501867c730727d6681feed445ea5ab947cf297 Mon Sep 17 00:00:00 2001
From: Bob Hageman <bob@schluss.org>
Date: Tue, 29 Aug 2023 13:32:13 +0200
Subject: [PATCH 10/22] fix: typo

---
 .../privacybydesign/email/common/BaseConfiguration.java       | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/main/java/foundation/privacybydesign/email/common/BaseConfiguration.java b/src/main/java/foundation/privacybydesign/email/common/BaseConfiguration.java
index 31fe9f3..c91c1e6 100644
--- a/src/main/java/foundation/privacybydesign/email/common/BaseConfiguration.java
+++ b/src/main/java/foundation/privacybydesign/email/common/BaseConfiguration.java
@@ -65,10 +65,10 @@ public static FileInputStream getResourceStream(String filename) throws IOExcept
     }
 
     public static byte[] getResource(String filename) throws IOException {
-        return convertSteamToByteArray(getResourceStream(filename), 2048);
+        return convertStreamToByteArray(getResourceStream(filename), 2048);
     }
 
-    public static byte[] convertSteamToByteArray(InputStream stream, int size) throws IOException {
+    public static byte[] convertStreamToByteArray(InputStream stream, int size) throws IOException {
         byte[] buffer = new byte[size];
         ByteArrayOutputStream os = new ByteArrayOutputStream();
 

From 9d705a3c883f5e5ed10eaaab4303598391dcb746 Mon Sep 17 00:00:00 2001
From: Bob Hageman <bob@schluss.org>
Date: Tue, 29 Aug 2023 13:34:05 +0200
Subject: [PATCH 11/22] improve: remove superfluous default command

---
 Dockerfile | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 09b2f33..acbcce3 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -23,6 +23,4 @@ COPY --from=webappbuild /webapp/build/ /usr/local/tomee/webapps/ROOT/
 # Copy the war file to the webapps directory
 COPY --from=javabuild /app/build/libs/irma_email_issuer-1.1.0.war /usr/local/tomee/webapps/
 
-EXPOSE 8080
-
-CMD ["catalina.sh", "run"]
\ No newline at end of file
+EXPOSE 8080
\ No newline at end of file

From 5c8e2d6b19e7378ad69f20838a2d252b79d19db9 Mon Sep 17 00:00:00 2001
From: Bob Hageman <bob@schluss.org>
Date: Wed, 30 Aug 2023 09:23:26 +0200
Subject: [PATCH 12/22] improve: use ip address as env var, prevent naming
 clash

---
 docker-compose.yml | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index 6040884..f0cc7db 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -5,7 +5,6 @@ services:
   # Irma issuer service
   irmaserver:
     image: ghcr.io/privacybydesign/irma:v0.13.2
-    container_name: irma_server
     working_dir: /irmago
     ports:
       - 8088:8088
@@ -20,7 +19,7 @@ services:
       - "--requestors={\"irma_email_issuer\":{\"auth_method\":\"publickey\",\"key_file\": \"/config/pk.pem\"} }"
       - "--port=8088"
       - "--jwt-privkey-file=/config/sk.pem"
-      - "--url=http://ip-address:8088" # Your localhost IP-address here. This is required for the app to be able to connect to the issuer
+      - "--url=http://${IP}:8088"
     volumes:
       - ./src/main/resources/:/config/
 
@@ -42,10 +41,9 @@ services:
       build:
         context: .
         dockerfile: Dockerfile
-      container_name: irma_email_issuer
       volumes:
         # Make keys and config files available for Java app
-        - ./src/resources/main/:/config/
+        - ./src/main/resources/:/config/
         # Make config.js available for webapp
         - ./webapp/config.example.js:/usr/local/tomee/webapps/ROOT/assets/config.js:ro"
       ports:

From 590f20e5fbb440f3f259bac75f10f32495dfbc73 Mon Sep 17 00:00:00 2001
From: Bob Hageman <bob@schluss.org>
Date: Wed, 30 Aug 2023 09:24:06 +0200
Subject: [PATCH 13/22] improve: update documentation and fix typo's

---
 README.md | 35 ++++++++++++++---------------------
 1 file changed, 14 insertions(+), 21 deletions(-)

diff --git a/README.md b/README.md
index 913fdf3..b09ebf3 100644
--- a/README.md
+++ b/README.md
@@ -1,7 +1,7 @@
 
 # irma_email_issuer
 
-Add an email address for use in your [Yivi app](https://github.com/privacybydesign/irma_mobile).
+Add an email address for use in your [Yivi app](https://github.com/privacybydesign/irmamobile).
 
 ## Running (development)
 The easiest way to run the irma_email_issuer for development purposes is via Docker.
@@ -15,41 +15,31 @@ $ utils/keygen.sh ./src/main/resources/sk ./src/main/resources/pk
 ```
 
 2. Create the Java app configuration:
-Copy the file `src/main/resources/config.sample.json` to `src/main/resources/main/config.json`.
-
-3. Update docker-compose.yml with your local IP address:
-Set the `- "--url=http://ip-address:8088"` parameter inside `docker-compose.yml` to match the IP address of your development machine. For example:
-```yml
-    entrypoint:
-      - "--url=http://192.168.1.105:8088"
-```
-Note: do not use `127.0.0.1` or `0.0.0.0` as IP addresses as this will result in the app not being able to find the issuer.
+Copy the file `src/main/resources/config.sample.json` to `src/main/resources/config.json`.
 
 ### Run
-Use docker-compose to spin up the containers:
+Use docker-compose up combined with your localhost IP address as environment variable to spin up the containers:
 ```bash
-$ docker-compose up
+$ IP=192.168.1.105 docker-compose up
 ```
+Note: do not use `127.0.0.1` or `0.0.0.0` as IP addresses as this will result in the app not being able to find the issuer.
 
 By default, docker-compose caches docker images, so on a second run the previous built images will be used. A fresh build can be enforced using the --build flag.
 ```bash
-$ docker-compose up --build
+$ IP=192.168.1.105 docker-compose up --build
 ```
 
 ## Manual
-
-Using this construction you need to run the irma server and 
+The Java api and JavaScript frontend can be built and run manually using the following commands:
 
 1. Generate JWT keys for the issuer
 ```bash
 $ utils/keygen.sh ./src/main/resources/sk ./src/main/resources/pk
 ```
 
-2. Copy the file `src/main/resources/config.sample.json` to
- `src/main/resources/main/config.json` and modify it.
-todo: voorbeeld
+2. Copy the file `src/main/resources/config.sample.json` to `src/main/resources/config.json` and modify it.
 
-3. Build the webapp
+3. Build the webapp:
 ```bash
 $ cd webapp && yarn install && yarn build en && cd ../
 ```
@@ -57,9 +47,12 @@ If you want to build another language, for example Dutch, change `build en` to `
 
 4. Copy the file `webapp/config.example.js` to `webapp/build/assets/config.js` and modify it 
 
-5. Run `gradle appRun` in the root directory of this project.
+5. Run the following command in the root directory of this project:
+```bash
+$ gradle appRun
+```
 
-To open the webapp navigate to `http://localhost:8080`. The API is accessible via `http://localhost:8080/irma_email_issuer/api`
+To open the webapp navigate to http://localhost:8080. The API is accessible via http://localhost:8080/irma_email_issuer/api
 
 ## Test
 You can run the tests, defined in `src/test/java/foundation/privacybydesign/email`, using the following command:

From 5e0ca446643d18e3684ffcd3d4f37e835c52e1cb Mon Sep 17 00:00:00 2001
From: Bob Hageman <bob@schluss.org>
Date: Wed, 30 Aug 2023 15:49:53 +0200
Subject: [PATCH 14/22] fix: allow web.xml

---
 .gitignore                      |  3 ++-
 src/main/webapp/WEB-INF/web.xml | 19 +++++++++++++++++++
 2 files changed, 21 insertions(+), 1 deletion(-)
 create mode 100644 src/main/webapp/WEB-INF/web.xml

diff --git a/.gitignore b/.gitignore
index 3fdb836..9cb72cb 100644
--- a/.gitignore
+++ b/.gitignore
@@ -14,6 +14,7 @@ bin/
 artifacts/
 .DS_Store
 
-!src/main/webapp/WEB-INF
 src/main/webapp/*
+!src/main/webapp/WEB-INF/
+
 .idea/
diff --git a/src/main/webapp/WEB-INF/web.xml b/src/main/webapp/WEB-INF/web.xml
new file mode 100644
index 0000000..b937676
--- /dev/null
+++ b/src/main/webapp/WEB-INF/web.xml
@@ -0,0 +1,19 @@
+<web-app  xmlns="http://xmlns.jcp.org/xml/ns/javaee"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
+                        http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
+    version="3.1">
+    <servlet>
+        <servlet-name>foundation.privacybydesign.email.EmailService</servlet-name>
+        <servlet-class>org.glassfish.jersey.servlet.ServletContainer</servlet-class>
+        <init-param>
+            <param-name>javax.ws.rs.Application</param-name>
+            <param-value>foundation.privacybydesign.email.EmailService</param-value>
+        </init-param>
+        <load-on-startup>1</load-on-startup>
+    </servlet>
+    <servlet-mapping>
+        <servlet-name>foundation.privacybydesign.email.EmailService</servlet-name>
+        <url-pattern>/api/*</url-pattern>
+    </servlet-mapping>
+</web-app>

From 59e0a39f82a48f54da1ad58fa235d77765c76274 Mon Sep 17 00:00:00 2001
From: Bob Hageman <bob@schluss.org>
Date: Thu, 31 Aug 2023 08:40:09 +0200
Subject: [PATCH 15/22] chore: revive custom clients functionality

---
 .gitignore                                       |  1 -
 .../email/EmailConfiguration.java                |  4 ++++
 .../privacybydesign/email/EmailService.java      |  2 +-
 .../resources/clientmails/customclient-en.html   | 15 +++++++++++++++
 .../resources/clientmails/customclient-nl.html   | 15 +++++++++++++++
 src/main/resources/config.sample.json            | 16 +++++++++++++++-
 6 files changed, 50 insertions(+), 3 deletions(-)
 create mode 100644 src/main/resources/clientmails/customclient-en.html
 create mode 100644 src/main/resources/clientmails/customclient-nl.html

diff --git a/.gitignore b/.gitignore
index 9cb72cb..0c7dbc7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,7 +1,6 @@
 build/
 .gradle/
 src/main/resources/config.json
-src/main/resources/clientmails/*
 *.der
 *.pem
 node_modules
diff --git a/src/main/java/foundation/privacybydesign/email/EmailConfiguration.java b/src/main/java/foundation/privacybydesign/email/EmailConfiguration.java
index 94519f5..4b17703 100644
--- a/src/main/java/foundation/privacybydesign/email/EmailConfiguration.java
+++ b/src/main/java/foundation/privacybydesign/email/EmailConfiguration.java
@@ -109,6 +109,10 @@ public PrivateKey getPrivateKey() throws KeyManagementException {
     public SignatureAlgorithm getJwtAlgorithm() { return SignatureAlgorithm.RS256; }
 
     public Client getClient(String token) {
+        if (clients == null || !clients.containsKey(token)) {
+            return null;
+        }
+        
         return clients.get(token);
     }
 
diff --git a/src/main/java/foundation/privacybydesign/email/EmailService.java b/src/main/java/foundation/privacybydesign/email/EmailService.java
index 50a41f4..95c628a 100644
--- a/src/main/java/foundation/privacybydesign/email/EmailService.java
+++ b/src/main/java/foundation/privacybydesign/email/EmailService.java
@@ -6,7 +6,7 @@
 
 import org.glassfish.jersey.server.ResourceConfig;
 
-import jakarta.ws.rs.*;
+import jakarta.ws.rs.ApplicationPath;
 
 @ApplicationPath("/")
 public class EmailService extends ResourceConfig {
diff --git a/src/main/resources/clientmails/customclient-en.html b/src/main/resources/clientmails/customclient-en.html
new file mode 100644
index 0000000..a8ee419
--- /dev/null
+++ b/src/main/resources/clientmails/customclient-en.html
@@ -0,0 +1,15 @@
+<!doctype html>
+<html>
+    <head>
+        <title>Add e-mail address to Yivi app</title>
+    </head>
+
+    <body>
+        <div>
+            <p>Click the link to add the e-mail address to your Yivi app.</p>
+            <div>
+                <a href="%s">Add e-mail address to your Yivi app</a>
+            </div>
+        </div>
+    </body>
+</html>
diff --git a/src/main/resources/clientmails/customclient-nl.html b/src/main/resources/clientmails/customclient-nl.html
new file mode 100644
index 0000000..07f46b5
--- /dev/null
+++ b/src/main/resources/clientmails/customclient-nl.html
@@ -0,0 +1,15 @@
+<!doctype html>
+<html>
+    <head>
+        <title>Voeg e-mailadres toe aan Yivi-app</title>
+    </head>
+
+    <body>
+        <div>
+            <p>Klik op de link om het e-mailadres toe te voegen aan je Yivi-app.</p>
+            <div>
+                <a href="%s">Voeg e-mailadres toe aan je Yivi-app</a>
+            </div>
+        </div>
+    </body>
+</html>
diff --git a/src/main/resources/config.sample.json b/src/main/resources/config.sample.json
index 772db5a..9597489 100644
--- a/src/main/resources/config.sample.json
+++ b/src/main/resources/config.sample.json
@@ -22,5 +22,19 @@
   "email_issuer": "sidn-pbdf",
   "email_credential": "email",
   "email_attribute": "email",
-  "domain_attribute": "domain"
+  "domain_attribute": "domain",
+  "clients" : {
+    "customclient": {
+      "return_url": "",
+      "reply_to_email": "",
+      "name": "A custom client",
+      "email_files": {
+        "nl": "customclient-nl.html",
+        "en": "customclient-en.html"
+      },
+      "email_subject": {
+        "en": "Add email address to your Yivi app",
+        "nl": "Voeg e-mailadres toe aan je Yivi-app"
+      }
+  }}
 }

From 171298abe176b52a9b95503b3a2469349648e998 Mon Sep 17 00:00:00 2001
From: Bob Hageman <bob@schluss.org>
Date: Thu, 31 Aug 2023 08:42:41 +0200
Subject: [PATCH 16/22] feat: implement ratelimiting

---
 .../email/CleanupBackgroundJob.java           |  43 +++++
 .../privacybydesign/email/EmailRestApi.java   |  46 ++++-
 .../email/ratelimit/MemoryRateLimit.java      | 165 ++++++++++++++++++
 .../email/ratelimit/RateLimit.java            |  76 ++++++++
 .../privacybydesign/email/RateLimitTest.java  |  46 +++++
 5 files changed, 373 insertions(+), 3 deletions(-)
 create mode 100644 src/main/java/foundation/privacybydesign/email/CleanupBackgroundJob.java
 create mode 100644 src/main/java/foundation/privacybydesign/email/ratelimit/MemoryRateLimit.java
 create mode 100644 src/main/java/foundation/privacybydesign/email/ratelimit/RateLimit.java
 create mode 100644 src/test/java/foundation/privacybydesign/email/RateLimitTest.java

diff --git a/src/main/java/foundation/privacybydesign/email/CleanupBackgroundJob.java b/src/main/java/foundation/privacybydesign/email/CleanupBackgroundJob.java
new file mode 100644
index 0000000..d9db4eb
--- /dev/null
+++ b/src/main/java/foundation/privacybydesign/email/CleanupBackgroundJob.java
@@ -0,0 +1,43 @@
+package foundation.privacybydesign.email;
+
+import foundation.privacybydesign.email.ratelimit.MemoryRateLimit;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import jakarta.servlet.ServletContextEvent;
+import jakarta.servlet.ServletContextListener;
+import jakarta.servlet.annotation.WebListener;
+import java.util.concurrent.Executors;
+import java.util.concurrent.ScheduledExecutorService;
+import java.util.concurrent.TimeUnit;
+
+/**
+ * Clean up in-memory data structures once in a while.
+ */
+@WebListener
+public class CleanupBackgroundJob implements ServletContextListener {
+    private static Logger logger = LoggerFactory.getLogger(CleanupBackgroundJob.class);
+    private ScheduledExecutorService scheduler;
+
+    @Override
+    public void contextInitialized(ServletContextEvent event) {
+        logger.info("Setting up background cleanup task");
+        scheduler = Executors.newSingleThreadScheduledExecutor();
+
+        scheduler.scheduleAtFixedRate(new Runnable() {
+            @Override public void run() {
+                try {
+                    MemoryRateLimit.getInstance().periodicCleanup();
+                } catch (Exception e) {
+                    logger.error("Failed to run periodic cleanup:");
+                    e.printStackTrace();
+                }
+            }
+        }, 5, 5, TimeUnit.MINUTES);
+    }
+
+    @Override
+    public void contextDestroyed(ServletContextEvent event) {
+        scheduler.shutdownNow();
+    }
+}
diff --git a/src/main/java/foundation/privacybydesign/email/EmailRestApi.java b/src/main/java/foundation/privacybydesign/email/EmailRestApi.java
index eb0ee2c..e935cc2 100644
--- a/src/main/java/foundation/privacybydesign/email/EmailRestApi.java
+++ b/src/main/java/foundation/privacybydesign/email/EmailRestApi.java
@@ -8,8 +8,12 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import foundation.privacybydesign.email.ratelimit.MemoryRateLimit;
+import foundation.privacybydesign.email.ratelimit.RateLimit;
 import jakarta.mail.internet.AddressException;
+import jakarta.servlet.http.HttpServletRequest;
 import jakarta.ws.rs.*;
+import jakarta.ws.rs.core.Context;
 import jakarta.ws.rs.core.MediaType;
 import jakarta.ws.rs.core.Response;
 import java.io.UnsupportedEncodingException;
@@ -26,11 +30,14 @@
 @Path("")
 public class EmailRestApi {
     private static Logger logger = LoggerFactory.getLogger(EmailRestApi.class);
+    private static RateLimit rateLimiter = MemoryRateLimit.getInstance();
 
     private static final String ERR_ADDRESS_MALFORMED = "error:email-address-malformed";
     private static final String ERR_INVALID_TOKEN = "error:invalid-token";
     private static final String ERR_INVALID_LANG = "error:invalid-language";
     private static final String OK_RESPONSE = "OK"; // value doesn't really matter
+    private static final String PROXY_IP_HEADER = "X-Real-IP";
+    private static final String ERR_RATE_LIMITED = "error:ratelimit";
 
     private EmailTokens signer;
 
@@ -42,7 +49,8 @@ public EmailRestApi() {
     @POST
     @Path("/send-email")
     @Produces(MediaType.TEXT_PLAIN)
-    public Response sendEmail(@FormParam("email") String email,
+    public Response sendEmail(@Context HttpServletRequest req,
+                              @FormParam("email") String email,
                               @FormParam("language") String lang,
                               @HeaderParam("Authorization") String auth) {
         EmailConfiguration conf = EmailConfiguration.getInstance();
@@ -58,8 +66,24 @@ public Response sendEmail(@FormParam("email") String email,
             return Response.status(Response.Status.BAD_REQUEST).entity(ERR_ADDRESS_MALFORMED).build();
         }
 
-        String token = signer.createToken(email);
         try {
+            String ip = req.getHeader(PROXY_IP_HEADER);
+            if (ip == null) {
+                ip = req.getRemoteAddr();
+            }
+
+            long retryAfter = rateLimiter.rateLimited(ip, email);
+            if (retryAfter > 0) {
+                // 429 Too Many Requests
+                // https://tools.ietf.org/html/rfc6585#section-4
+                return Response.status(429)
+                        .entity(ERR_RATE_LIMITED)
+                        .header("Retry-After", (int) Math.ceil(retryAfter / 1000.0))
+                        .build();
+            }
+
+            String token = signer.createToken(email);
+
             String url = conf.getServerURL(lang) + "#verify-email/" + token
                     + "/" + URLEncoder.encode(client.getReturnURL(), StandardCharsets.UTF_8.toString());
             EmailSender.send(
@@ -93,7 +117,8 @@ public Response sendEmail(@FormParam("email") String email,
     @POST
     @Path("/send-email-token")
     @Produces(MediaType.TEXT_PLAIN)
-    public Response sendEmailToken(@FormParam("email") String emailAddress,
+    public Response sendEmailToken(@Context HttpServletRequest req,
+                                   @FormParam("email") String emailAddress,
                                    @FormParam("language") String language) {
         EmailConfiguration conf = EmailConfiguration.getInstance();
 
@@ -103,6 +128,21 @@ public Response sendEmailToken(@FormParam("email") String emailAddress,
             return Response.status(Response.Status.BAD_REQUEST).entity(ERR_ADDRESS_MALFORMED).build();
         }
 
+        String ip = req.getHeader(PROXY_IP_HEADER);
+        if (ip == null) {
+            ip = req.getRemoteAddr();
+        }
+
+        long retryAfter = rateLimiter.rateLimited(ip, emailAddress);
+        if (retryAfter > 0) {
+            // 429 Too Many Requests
+            // https://tools.ietf.org/html/rfc6585#section-4
+            return Response.status(429)
+                    .entity(ERR_RATE_LIMITED)
+                    .header("Retry-After", (int) Math.ceil(retryAfter / 1000.0))
+                    .build();
+        }
+
         // Test email with signature
         String token = signer.createToken(emailAddress);
 
diff --git a/src/main/java/foundation/privacybydesign/email/ratelimit/MemoryRateLimit.java b/src/main/java/foundation/privacybydesign/email/ratelimit/MemoryRateLimit.java
new file mode 100644
index 0000000..9115ffc
--- /dev/null
+++ b/src/main/java/foundation/privacybydesign/email/ratelimit/MemoryRateLimit.java
@@ -0,0 +1,165 @@
+package foundation.privacybydesign.email.ratelimit;
+
+import java.util.Map;
+import java.util.concurrent.ConcurrentHashMap;
+
+/**
+ * Store rate limits in memory. Useful for debugging and rate limits that
+ * aren't very long.
+ *
+ * How it works:
+ * How much budget a user has, is expressed in a timestamp. The timestamp is
+ * initially some period in the past, but with every usage (countIP and
+ * countPhone) this timestamp is incremented. For IP address counting, this
+ * is a fixed amount (currently 10 seconds), but for phone numbers this
+ * amount is exponential.
+ *
+ * An algorithm with a similar goal is the Token Bucket algorithm. This
+ * algorithm probably works well, but seemed harder to implement.
+ * https://en.wikipedia.org/wiki/Token_bucket
+ */
+public class MemoryRateLimit extends RateLimit {
+    private static final long SECOND = 1000; // 1000ms = 1s
+    private static final long MINUTE = SECOND * 60;
+    private static final long HOUR = MINUTE * 60;
+    private static final long DAY = HOUR * 24;
+    private static final int IP_TIMEOUT = 10 * 1000; // timeout in seconds
+    private static final int IP_TRIES = 3;           // number of tries on first visit
+
+    private static MemoryRateLimit instance;
+
+    private final Map<String, Long> ipLimits;
+    private final Map<String, Limit> emailLimits;
+
+    public MemoryRateLimit() {
+        ipLimits = new ConcurrentHashMap<>();
+        emailLimits = new ConcurrentHashMap<>();
+    }
+
+    public static MemoryRateLimit getInstance() {
+        if (instance == null) {
+            instance = new MemoryRateLimit();
+        }
+        return instance;
+    }
+
+    private long startLimitIP(long now) {
+        return now - IP_TIMEOUT*IP_TRIES;
+    }
+
+    @Override
+    protected synchronized long nextTryIP(String ip, long now) {
+        // Allow at most 1 try in each period (TIMEOUT), but kick in only
+        // after 3 tries. Thus while the user can do only 1 try per period
+        // over longer periods, the initial budget is 3 periods.
+        long limit = 0; // First try - last try was "long in the past".
+        if (ipLimits.containsKey(ip)) {
+            // Ah, there was a request before.
+            limit = ipLimits.get(ip);
+        }
+
+        long startLimit = startLimitIP(now);
+        if (limit < startLimit) {
+            // First visit or previous visit was long ago.
+            // Act like the last try was 3 periods ago.
+            limit = startLimit;
+        }
+
+        // Add a period to the current limit.
+        limit += IP_TIMEOUT;
+        return limit;
+    }
+
+    @Override
+    protected synchronized void countIP(String ip, long now) {
+        long nextTry = nextTryIP(ip, now);
+        if (nextTry > now) {
+            throw new IllegalStateException("counting rate limit while over the limit");
+        }
+        ipLimits.put(ip, nextTry);
+    }
+
+    // Is the user over the rate limit per e-mail address?
+    @Override
+    protected synchronized long nextTryEmail(String email, long now) {
+        // Rate limiter durations (sort-of logarithmic):
+        // 1   10 second
+        // 2   5 minute
+        // 3   1 hour
+        // 4   24 hour
+        // 5+  1 per day
+        // Keep log 5 days for proper limiting.
+
+        Limit limit = emailLimits.get(email);
+        if (limit == null) {
+            limit = new Limit(now);
+            emailLimits.put(email, limit);
+        }
+        long nextTry; // timestamp when the next request is allowed
+        switch (limit.tries) {
+            case 0: // try 1: always succeeds
+                nextTry = limit.timestamp;
+                break;
+            case 1: // try 2: allowed after 10 seconds
+                nextTry = limit.timestamp + 10 * SECOND;
+                break;
+            case 2: // try 3: allowed after 5 minutes
+                nextTry = limit.timestamp + 5 * MINUTE;
+                break;
+            case 3: // try 4: allowed after 3 hours
+                nextTry = limit.timestamp + 3 * HOUR;
+                break;
+            case 4: // try 5: allowed after 24 hours
+                nextTry = limit.timestamp + 24 * HOUR;
+                break;
+            default:
+                throw new IllegalStateException("invalid tries count");
+        }
+        return nextTry;
+    }
+
+    // Count the usage of this rate limit - adding to the budget for this
+    // e-mail address.
+    @Override
+    protected synchronized void countEmail(String email, long now) {
+        long nextTry = nextTryEmail(email, now);
+        Limit limit = emailLimits.get(email);
+        if (nextTry > now) {
+            throw new IllegalStateException("counting rate limit while over the limit");
+        }
+        limit.tries = Math.min(limit.tries+1, 5); // add 1, max at 5
+        // If the last usage was e.g. ≥2 days ago, we should allow them 2 tries
+        // extra tries this day.
+        long lastTryDaysAgo = (now-limit.timestamp)/DAY;
+        long bonusTries = limit.tries - lastTryDaysAgo;
+        if (bonusTries >= 1) {
+            limit.tries = (int)bonusTries;
+        }
+        limit.timestamp = now;
+    }
+
+    public void periodicCleanup() {
+        long now = System.currentTimeMillis();
+        // Use enhanced for loop, because an iterator makes sure concurrency issues cannot occur.
+        for (Map.Entry<String, Long> entry : ipLimits.entrySet()) {
+            if (entry.getValue() < startLimitIP(now)) {
+                ipLimits.remove(entry.getKey());
+            }
+        }
+        for (Map.Entry<String, Limit> entry : emailLimits.entrySet()) {
+            if (entry.getValue().timestamp < now - 5*DAY) {
+                emailLimits.remove(entry.getKey());
+            }
+        }
+    }
+}
+
+class Limit {
+    long timestamp;
+    int tries;
+
+    Limit(long now) {
+        tries = 0;
+        timestamp = now;
+    }
+}
diff --git a/src/main/java/foundation/privacybydesign/email/ratelimit/RateLimit.java b/src/main/java/foundation/privacybydesign/email/ratelimit/RateLimit.java
new file mode 100644
index 0000000..6703b9d
--- /dev/null
+++ b/src/main/java/foundation/privacybydesign/email/ratelimit/RateLimit.java
@@ -0,0 +1,76 @@
+package foundation.privacybydesign.email.ratelimit;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.net.InetAddress;
+import java.net.UnknownHostException;
+
+/**
+ * Base class for rate limiting. Subclasses provide storage methods (memory
+ * for easier debugging and database for production).
+ */
+public abstract class RateLimit {
+    private static Logger logger = LoggerFactory.getLogger(RateLimit.class);
+
+    /** Take an IP address and an e-mail address and rate limit them.
+     * @param remoteAddr IP address (IPv4 or IPv6 in any format)
+     * @param email e-mail address
+     * @return the number of milliseconds that the client should wait - 0 if
+     *         it shouldn't wait.
+     */
+    public long rateLimited(String remoteAddr, String email) {
+        String addr = getAddressPrefix(remoteAddr);
+        long now = System.currentTimeMillis();
+        long ipRetryAfter = nextTryIP(addr, now);
+        long phoneRetryAfter = nextTryEmail(email, now);
+        long retryAfter = Math.max(ipRetryAfter, phoneRetryAfter);
+        if (retryAfter > now) {
+            logger.warn("Denying request from {}: rate limit (ip and/or email) exceeded", addr);
+            // Don't count this request if it has been denied.
+            return retryAfter - now;
+        }
+        countIP(addr, now);
+        countEmail(email, now);
+        return 0;
+    }
+
+    /** Insert an IP address (IPv4 or IPv6) and get a canonicalized version.
+     *  For IPv6, also truncate to /56 (recommended residential block).
+     *
+     *  This is a public method to ease testing.
+     */
+    public static String getAddressPrefix(String remoteAddr) {
+        byte[] rawAddr;
+        try {
+            InetAddress addr = InetAddress.getByName(remoteAddr);
+            rawAddr = addr.getAddress();
+        } catch (UnknownHostException e) {
+            // Shouldn't be possible - we're using IP addresses here, not
+            // host names.
+            throw new RuntimeException("host name lookup on IP address?");
+        }
+        if (rawAddr.length == 4) { // IPv4
+            // take the whole IP address
+        } else if (rawAddr.length == 16) { // IPv6
+            // Use only the first /56 bytes, set the rest to 0.
+            for (int i=7; i<16; i++) {
+                rawAddr[i] = 0;
+            }
+        } else {
+            // I hope this will never happen.
+            throw new RuntimeException("no IPv4 or IPv6?");
+        }
+        try {
+            return InetAddress.getByAddress(rawAddr).getHostAddress();
+        } catch (UnknownHostException e) {
+            // Should Not Happen™
+            throw new RuntimeException("host name lookup on IP address?");
+        }
+    }
+
+    protected abstract long nextTryIP(String ip, long now);
+    protected abstract long nextTryEmail(String email, long now);
+    protected abstract void countIP(String ip, long now);
+    protected abstract void countEmail(String email, long now);
+}
diff --git a/src/test/java/foundation/privacybydesign/email/RateLimitTest.java b/src/test/java/foundation/privacybydesign/email/RateLimitTest.java
new file mode 100644
index 0000000..95380b5
--- /dev/null
+++ b/src/test/java/foundation/privacybydesign/email/RateLimitTest.java
@@ -0,0 +1,46 @@
+package foundation.privacybydesign.email;
+
+import org.junit.Test;
+
+import foundation.privacybydesign.email.ratelimit.RateLimit;
+
+import static junit.framework.TestCase.assertFalse;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+
+/**
+ * Test whether the canonicalization algorithm for IP addresses works well.
+ */
+public class RateLimitTest {
+    @Test
+    public void testIPv4Address() {
+        assertEquals("1.2.3.4",
+                RateLimit.getAddressPrefix("1.2.3.4"));
+    }
+
+    @Test
+    public void testIPv6AddressLocal() {
+        assertEquals("0:0:0:0:0:0:0:0",
+                RateLimit.getAddressPrefix("0:0:0:0:0:0:0:1"));
+    }
+
+    @Test
+    public void testIPv6AddressRegular() {
+        assertEquals("2a00:123:4567:8900:0:0:0:0",
+                RateLimit.getAddressPrefix("2a00:0123:4567:89ab:cdef:fedc:ba98:7654"));
+    }
+
+    @Test
+    public void testIPv6Equals() {
+        String addr1 = RateLimit.getAddressPrefix("2a00:0123:4567:89ab:cdef:fedc:ba98:7654");
+        String addr2 = RateLimit.getAddressPrefix("2a00:0123:4567:89ac:cdef:fedc:ba98:7654");
+        assertTrue("IPv6 addresses should match", addr1.equals(addr2));
+    }
+
+    @Test
+    public void testIPv6Unequals() {
+        String addr1 = RateLimit.getAddressPrefix("2a00:0123:4567:89ab:cdef:fedc:ba98:7654");
+        String addr2 = RateLimit.getAddressPrefix("2a00:0123:4567:88ab:cdef:fedc:ba98:7654");
+        assertFalse("IPv6 addresses should not match", addr1.equals(addr2));
+    }
+}

From 1161e6f1a7f5f6980f06b4a512f5bee23ac03671 Mon Sep 17 00:00:00 2001
From: Bob Hageman <bob@schluss.org>
Date: Thu, 31 Aug 2023 09:22:31 +0200
Subject: [PATCH 17/22] feat: show ratelimiting errors in ui

---
 webapp/common.js      | 40 ++++++++++++++++++++++++++++++++++++----
 webapp/en/messages.js |  9 ++++++++-
 webapp/nl/messages.js |  9 ++++++++-
 3 files changed, 52 insertions(+), 6 deletions(-)

diff --git a/webapp/common.js b/webapp/common.js
index 97bb0c0..42c2ce0 100644
--- a/webapp/common.js
+++ b/webapp/common.js
@@ -80,14 +80,46 @@ function addEmail(e) {
             $('#email-form input').prop('disabled', false).val('');
         })
         .fail(function(e) {
-            // Address format problem?
-            setStatus('danger', MESSAGES[e.responseText] || MESSAGES['unknown-problem']);
+            var errormsg = e.responseText;
+            console.error('failed to submit email address:', errormsg);
+
+            if (!errormsg || !MESSAGES[errormsg]) {
+                errormsg = 'error:internal';
+            }
+
+            if (errormsg == 'error:ratelimit') {
+                var retryAfter = e.getResponseHeader('Retry-After');
+ 
+                // In JavaScript, we can mostly ignore the fact we're dealing
+                // with a string here and treat it as an integer...
+                if (retryAfter < 60) {
+                    var timemsg = MESSAGES['seconds'];
+                    if (retryAfter == 1) {
+                        var timemsg = MESSAGES['second'];
+                    }
+                } else if (retryAfter < 60*60) {
+                    retryAfter = Math.round(retryAfter / 60);
+                    var timemsg = MESSAGES['minutes'];
+                    if (retryAfter == 1) {
+                        var timemsg = MESSAGES['minute'];
+                    }
+                } else {
+                    retryAfter = Math.round(retryAfter / 60 / 60);
+                    var timemsg = MESSAGES['hours'];
+                    if (retryAfter == 1) {
+                        var timemsg = MESSAGES['hour'];
+                    }
+                }
+                setStatus('danger', MESSAGES[errormsg].replace('%time%',
+                    timemsg.replace('%n%', retryAfter)));
+            } else {
+                setStatus('danger', MESSAGES[errormsg]);
+            }
+
             setWindow('email-add');
 
             // Make editable again
             $('#email-form input').prop('disabled', false);
-
-            console.error('fail', e.responseText);
         });
 }
 
diff --git a/webapp/en/messages.js b/webapp/en/messages.js
index 8714cb7..89b7c7f 100644
--- a/webapp/en/messages.js
+++ b/webapp/en/messages.js
@@ -6,7 +6,6 @@ var MESSAGES = {
     'sending-verification-email': 'An e-mail is being sent to:<br><b class="email">%address%</b>',
     'sent-verification-email': 'An e-mail has been sent to:<br><b class="email">%address%</b>',
     'verifying-email-token': 'E-mail address is being verified ...',
-    'unknown-problem': 'Unknown problem',
     'error:invalid-token': 'Link in the e-mail is out-of-date or invalid',
     'email-failed-to-verify': 'Unknown problem during verification of the e-mail address',
     'email-add-verified': 'E-mail address verified',
@@ -17,4 +16,12 @@ var MESSAGES = {
     'submit-email-add': 'Add address',
     'submit-email-confirm': 'Confirm',
     'issuers-overview-page': 'https://privacybydesign.foundation/issuance/',
+    'error:internal': 'Internal error. Please contact Yivi if this happens more often.',
+    'error:ratelimit': 'Please try again in %time%.',
+    'second': '%n% seconds',
+    'seconds': '%n% seconds',
+    'minute': '%n% minute',
+    'minutes': '%n% minutes',
+    'hour': '%n% hour',
+    'hours': '%n% hour',
 };
diff --git a/webapp/nl/messages.js b/webapp/nl/messages.js
index 514a21e..84401b3 100644
--- a/webapp/nl/messages.js
+++ b/webapp/nl/messages.js
@@ -6,7 +6,6 @@ var MESSAGES = {
     'sending-verification-email': 'Een e-mail wordt gestuurd naar:<br><b class="email">%address%</b>',
     'sent-verification-email': 'Er is een e-mail gestuurd naar:<br><b class="email">%address%</b>',
     'verifying-email-token': 'Het e-mailadres wordt geverifieerd...',
-    'unknown-problem': 'Onbekend probleem',
     'error:invalid-token': 'De link in de e-mail is verouderd of ongeldig',
     'email-failed-to-verify': 'Onbekend probleem tijdens het verifiëren van het e-mail adres',
     'email-add-verified': 'Het e-mailadres geverifieerd',
@@ -17,4 +16,12 @@ var MESSAGES = {
     'submit-email-add': 'Voeg adres toe',
     'submit-email-confirm': 'Bevestig',
     'issuers-overview-page': 'https://privacybydesign.foundation/uitgifte/',
+    'error:internal': 'Interne fout. Neem contact op met Yivi als dit vaker voorkomt.',
+    'error:ratelimit': 'Probeer het opnieuw over %time%.',
+    'second': '%n% seconde',
+    'seconds': '%n% seconden',
+    'minute': '%n% minuut',
+    'minutes': '%n% minuten',
+    'hour': '%n% uur',
+    'hours': '%n% uur',
 };

From bf65c51a51c120e8a37be41ebf1e7d6cecc2a8e0 Mon Sep 17 00:00:00 2001
From: Bob Hageman <bob@schluss.org>
Date: Wed, 6 Sep 2023 09:27:37 +0200
Subject: [PATCH 18/22] improve: remove ip ratelimiting, set limits more
 tolerable

---
 .../privacybydesign/email/EmailRestApi.java   | 14 +---
 .../email/ratelimit/MemoryRateLimit.java      | 83 +++++--------------
 .../email/ratelimit/RateLimit.java            | 54 ++----------
 .../privacybydesign/email/RateLimitTest.java  | 39 ++-------
 4 files changed, 37 insertions(+), 153 deletions(-)

diff --git a/src/main/java/foundation/privacybydesign/email/EmailRestApi.java b/src/main/java/foundation/privacybydesign/email/EmailRestApi.java
index e935cc2..c065f97 100644
--- a/src/main/java/foundation/privacybydesign/email/EmailRestApi.java
+++ b/src/main/java/foundation/privacybydesign/email/EmailRestApi.java
@@ -36,7 +36,6 @@ public class EmailRestApi {
     private static final String ERR_INVALID_TOKEN = "error:invalid-token";
     private static final String ERR_INVALID_LANG = "error:invalid-language";
     private static final String OK_RESPONSE = "OK"; // value doesn't really matter
-    private static final String PROXY_IP_HEADER = "X-Real-IP";
     private static final String ERR_RATE_LIMITED = "error:ratelimit";
 
     private EmailTokens signer;
@@ -67,12 +66,8 @@ public Response sendEmail(@Context HttpServletRequest req,
         }
 
         try {
-            String ip = req.getHeader(PROXY_IP_HEADER);
-            if (ip == null) {
-                ip = req.getRemoteAddr();
-            }
 
-            long retryAfter = rateLimiter.rateLimited(ip, email);
+            long retryAfter = rateLimiter.rateLimited(email);
             if (retryAfter > 0) {
                 // 429 Too Many Requests
                 // https://tools.ietf.org/html/rfc6585#section-4
@@ -128,12 +123,7 @@ public Response sendEmailToken(@Context HttpServletRequest req,
             return Response.status(Response.Status.BAD_REQUEST).entity(ERR_ADDRESS_MALFORMED).build();
         }
 
-        String ip = req.getHeader(PROXY_IP_HEADER);
-        if (ip == null) {
-            ip = req.getRemoteAddr();
-        }
-
-        long retryAfter = rateLimiter.rateLimited(ip, emailAddress);
+        long retryAfter = rateLimiter.rateLimited(emailAddress);
         if (retryAfter > 0) {
             // 429 Too Many Requests
             // https://tools.ietf.org/html/rfc6585#section-4
diff --git a/src/main/java/foundation/privacybydesign/email/ratelimit/MemoryRateLimit.java b/src/main/java/foundation/privacybydesign/email/ratelimit/MemoryRateLimit.java
index 9115ffc..cd463ec 100644
--- a/src/main/java/foundation/privacybydesign/email/ratelimit/MemoryRateLimit.java
+++ b/src/main/java/foundation/privacybydesign/email/ratelimit/MemoryRateLimit.java
@@ -9,9 +9,8 @@
  *
  * How it works:
  * How much budget a user has, is expressed in a timestamp. The timestamp is
- * initially some period in the past, but with every usage (countIP and
- * countPhone) this timestamp is incremented. For IP address counting, this
- * is a fixed amount (currently 10 seconds), but for phone numbers this
+ * initially some period in the past, but with every usage (countEmail) 
+ * this timestamp is incremented. For e-mail addresses this
  * amount is exponential.
  *
  * An algorithm with a similar goal is the Token Bucket algorithm. This
@@ -23,16 +22,12 @@ public class MemoryRateLimit extends RateLimit {
     private static final long MINUTE = SECOND * 60;
     private static final long HOUR = MINUTE * 60;
     private static final long DAY = HOUR * 24;
-    private static final int IP_TIMEOUT = 10 * 1000; // timeout in seconds
-    private static final int IP_TRIES = 3;           // number of tries on first visit
 
     private static MemoryRateLimit instance;
 
-    private final Map<String, Long> ipLimits;
     private final Map<String, Limit> emailLimits;
 
     public MemoryRateLimit() {
-        ipLimits = new ConcurrentHashMap<>();
         emailLimits = new ConcurrentHashMap<>();
     }
 
@@ -43,53 +38,17 @@ public static MemoryRateLimit getInstance() {
         return instance;
     }
 
-    private long startLimitIP(long now) {
-        return now - IP_TIMEOUT*IP_TRIES;
-    }
-
-    @Override
-    protected synchronized long nextTryIP(String ip, long now) {
-        // Allow at most 1 try in each period (TIMEOUT), but kick in only
-        // after 3 tries. Thus while the user can do only 1 try per period
-        // over longer periods, the initial budget is 3 periods.
-        long limit = 0; // First try - last try was "long in the past".
-        if (ipLimits.containsKey(ip)) {
-            // Ah, there was a request before.
-            limit = ipLimits.get(ip);
-        }
-
-        long startLimit = startLimitIP(now);
-        if (limit < startLimit) {
-            // First visit or previous visit was long ago.
-            // Act like the last try was 3 periods ago.
-            limit = startLimit;
-        }
-
-        // Add a period to the current limit.
-        limit += IP_TIMEOUT;
-        return limit;
-    }
-
-    @Override
-    protected synchronized void countIP(String ip, long now) {
-        long nextTry = nextTryIP(ip, now);
-        if (nextTry > now) {
-            throw new IllegalStateException("counting rate limit while over the limit");
-        }
-        ipLimits.put(ip, nextTry);
-    }
-
     // Is the user over the rate limit per e-mail address?
     @Override
     protected synchronized long nextTryEmail(String email, long now) {
         // Rate limiter durations (sort-of logarithmic):
-        // 1   10 second
-        // 2   5 minute
-        // 3   1 hour
-        // 4   24 hour
-        // 5+  1 per day
-        // Keep log 5 days for proper limiting.
-
+        // 1 10 seconds
+        // 2 1 minute
+        // 3 5 minutes
+        // 4 1 hour
+        // 5 12 hours
+        // 6+ 2 per day
+        // Keep log 2 days for proper limiting.
         Limit limit = emailLimits.get(email);
         if (limit == null) {
             limit = new Limit(now);
@@ -103,14 +62,17 @@ protected synchronized long nextTryEmail(String email, long now) {
             case 1: // try 2: allowed after 10 seconds
                 nextTry = limit.timestamp + 10 * SECOND;
                 break;
-            case 2: // try 3: allowed after 5 minutes
+            case 2: // try 3: allowed after 1 minute
+                nextTry = limit.timestamp + MINUTE;
+                break;
+            case 3: // try 4: allowed after 5 minutes
                 nextTry = limit.timestamp + 5 * MINUTE;
                 break;
-            case 3: // try 4: allowed after 3 hours
-                nextTry = limit.timestamp + 3 * HOUR;
+            case 4: // try 5: allowed after 1 hour
+                nextTry = limit.timestamp + HOUR;
                 break;
-            case 4: // try 5: allowed after 24 hours
-                nextTry = limit.timestamp + 24 * HOUR;
+            case 5: // try 6: allowed after 12 hours
+                nextTry = limit.timestamp + 12 * HOUR;
                 break;
             default:
                 throw new IllegalStateException("invalid tries count");
@@ -127,8 +89,8 @@ protected synchronized void countEmail(String email, long now) {
         if (nextTry > now) {
             throw new IllegalStateException("counting rate limit while over the limit");
         }
-        limit.tries = Math.min(limit.tries+1, 5); // add 1, max at 5
-        // If the last usage was e.g. ≥2 days ago, we should allow them 2 tries
+        limit.tries = Math.min(limit.tries+1, 6); // add 1, max at 6
+        // If the last usage was e.g. ≥2 days ago, we should allow them 2
         // extra tries this day.
         long lastTryDaysAgo = (now-limit.timestamp)/DAY;
         long bonusTries = limit.tries - lastTryDaysAgo;
@@ -141,13 +103,8 @@ protected synchronized void countEmail(String email, long now) {
     public void periodicCleanup() {
         long now = System.currentTimeMillis();
         // Use enhanced for loop, because an iterator makes sure concurrency issues cannot occur.
-        for (Map.Entry<String, Long> entry : ipLimits.entrySet()) {
-            if (entry.getValue() < startLimitIP(now)) {
-                ipLimits.remove(entry.getKey());
-            }
-        }
         for (Map.Entry<String, Limit> entry : emailLimits.entrySet()) {
-            if (entry.getValue().timestamp < now - 5*DAY) {
+            if (entry.getValue().timestamp < now - 2*DAY) {
                 emailLimits.remove(entry.getKey());
             }
         }
diff --git a/src/main/java/foundation/privacybydesign/email/ratelimit/RateLimit.java b/src/main/java/foundation/privacybydesign/email/ratelimit/RateLimit.java
index 6703b9d..9e31dfa 100644
--- a/src/main/java/foundation/privacybydesign/email/ratelimit/RateLimit.java
+++ b/src/main/java/foundation/privacybydesign/email/ratelimit/RateLimit.java
@@ -3,9 +3,6 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import java.net.InetAddress;
-import java.net.UnknownHostException;
-
 /**
  * Base class for rate limiting. Subclasses provide storage methods (memory
  * for easier debugging and database for production).
@@ -13,64 +10,25 @@
 public abstract class RateLimit {
     private static Logger logger = LoggerFactory.getLogger(RateLimit.class);
 
-    /** Take an IP address and an e-mail address and rate limit them.
-     * @param remoteAddr IP address (IPv4 or IPv6 in any format)
+    /** Take an e-mail address and rate limit it.
      * @param email e-mail address
      * @return the number of milliseconds that the client should wait - 0 if
      *         it shouldn't wait.
      */
-    public long rateLimited(String remoteAddr, String email) {
-        String addr = getAddressPrefix(remoteAddr);
+    public long rateLimited(String email) {
         long now = System.currentTimeMillis();
-        long ipRetryAfter = nextTryIP(addr, now);
-        long phoneRetryAfter = nextTryEmail(email, now);
-        long retryAfter = Math.max(ipRetryAfter, phoneRetryAfter);
+        long retryAfter = nextTryEmail(email, now);
+
         if (retryAfter > now) {
-            logger.warn("Denying request from {}: rate limit (ip and/or email) exceeded", addr);
+            logger.warn("Denying request: email rate limit email exceeded");
             // Don't count this request if it has been denied.
             return retryAfter - now;
         }
-        countIP(addr, now);
+
         countEmail(email, now);
         return 0;
     }
 
-    /** Insert an IP address (IPv4 or IPv6) and get a canonicalized version.
-     *  For IPv6, also truncate to /56 (recommended residential block).
-     *
-     *  This is a public method to ease testing.
-     */
-    public static String getAddressPrefix(String remoteAddr) {
-        byte[] rawAddr;
-        try {
-            InetAddress addr = InetAddress.getByName(remoteAddr);
-            rawAddr = addr.getAddress();
-        } catch (UnknownHostException e) {
-            // Shouldn't be possible - we're using IP addresses here, not
-            // host names.
-            throw new RuntimeException("host name lookup on IP address?");
-        }
-        if (rawAddr.length == 4) { // IPv4
-            // take the whole IP address
-        } else if (rawAddr.length == 16) { // IPv6
-            // Use only the first /56 bytes, set the rest to 0.
-            for (int i=7; i<16; i++) {
-                rawAddr[i] = 0;
-            }
-        } else {
-            // I hope this will never happen.
-            throw new RuntimeException("no IPv4 or IPv6?");
-        }
-        try {
-            return InetAddress.getByAddress(rawAddr).getHostAddress();
-        } catch (UnknownHostException e) {
-            // Should Not Happen™
-            throw new RuntimeException("host name lookup on IP address?");
-        }
-    }
-
-    protected abstract long nextTryIP(String ip, long now);
     protected abstract long nextTryEmail(String email, long now);
-    protected abstract void countIP(String ip, long now);
     protected abstract void countEmail(String email, long now);
 }
diff --git a/src/test/java/foundation/privacybydesign/email/RateLimitTest.java b/src/test/java/foundation/privacybydesign/email/RateLimitTest.java
index 95380b5..c8aceb8 100644
--- a/src/test/java/foundation/privacybydesign/email/RateLimitTest.java
+++ b/src/test/java/foundation/privacybydesign/email/RateLimitTest.java
@@ -2,45 +2,24 @@
 
 import org.junit.Test;
 
-import foundation.privacybydesign.email.ratelimit.RateLimit;
+import foundation.privacybydesign.email.ratelimit.MemoryRateLimit;
 
-import static junit.framework.TestCase.assertFalse;
 import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.assertNotEquals;
 
 /**
- * Test whether the canonicalization algorithm for IP addresses works well.
+ * Test whether the rate limiter works as expected.
  */
 public class RateLimitTest {
-    @Test
-    public void testIPv4Address() {
-        assertEquals("1.2.3.4",
-                RateLimit.getAddressPrefix("1.2.3.4"));
-    }
 
     @Test
-    public void testIPv6AddressLocal() {
-        assertEquals("0:0:0:0:0:0:0:0",
-                RateLimit.getAddressPrefix("0:0:0:0:0:0:0:1"));
-    }
+    public void testRateLimit() {
 
-    @Test
-    public void testIPv6AddressRegular() {
-        assertEquals("2a00:123:4567:8900:0:0:0:0",
-                RateLimit.getAddressPrefix("2a00:0123:4567:89ab:cdef:fedc:ba98:7654"));
-    }
+        var rateLimit = MemoryRateLimit.getInstance();
+        var email = "test@test.nl";
 
-    @Test
-    public void testIPv6Equals() {
-        String addr1 = RateLimit.getAddressPrefix("2a00:0123:4567:89ab:cdef:fedc:ba98:7654");
-        String addr2 = RateLimit.getAddressPrefix("2a00:0123:4567:89ac:cdef:fedc:ba98:7654");
-        assertTrue("IPv6 addresses should match", addr1.equals(addr2));
-    }
-
-    @Test
-    public void testIPv6Unequals() {
-        String addr1 = RateLimit.getAddressPrefix("2a00:0123:4567:89ab:cdef:fedc:ba98:7654");
-        String addr2 = RateLimit.getAddressPrefix("2a00:0123:4567:88ab:cdef:fedc:ba98:7654");
-        assertFalse("IPv6 addresses should not match", addr1.equals(addr2));
+        assertEquals("not rate limited", 0, rateLimit.rateLimited(email)); 
+        
+        assertNotEquals("rate limited", 0, rateLimit.rateLimited(email));
     }
 }

From 9b30f65de985850e8706137a749a15813d22d799 Mon Sep 17 00:00:00 2001
From: Bob Hageman <bob@schluss.org>
Date: Wed, 6 Sep 2023 09:38:21 +0200
Subject: [PATCH 19/22] chore: remove unused parameter

---
 .../foundation/privacybydesign/email/EmailRestApi.java    | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/src/main/java/foundation/privacybydesign/email/EmailRestApi.java b/src/main/java/foundation/privacybydesign/email/EmailRestApi.java
index c065f97..3bacbe8 100644
--- a/src/main/java/foundation/privacybydesign/email/EmailRestApi.java
+++ b/src/main/java/foundation/privacybydesign/email/EmailRestApi.java
@@ -11,9 +11,7 @@
 import foundation.privacybydesign.email.ratelimit.MemoryRateLimit;
 import foundation.privacybydesign.email.ratelimit.RateLimit;
 import jakarta.mail.internet.AddressException;
-import jakarta.servlet.http.HttpServletRequest;
 import jakarta.ws.rs.*;
-import jakarta.ws.rs.core.Context;
 import jakarta.ws.rs.core.MediaType;
 import jakarta.ws.rs.core.Response;
 import java.io.UnsupportedEncodingException;
@@ -48,8 +46,7 @@ public EmailRestApi() {
     @POST
     @Path("/send-email")
     @Produces(MediaType.TEXT_PLAIN)
-    public Response sendEmail(@Context HttpServletRequest req,
-                              @FormParam("email") String email,
+    public Response sendEmail(@FormParam("email") String email,
                               @FormParam("language") String lang,
                               @HeaderParam("Authorization") String auth) {
         EmailConfiguration conf = EmailConfiguration.getInstance();
@@ -112,8 +109,7 @@ public Response sendEmail(@Context HttpServletRequest req,
     @POST
     @Path("/send-email-token")
     @Produces(MediaType.TEXT_PLAIN)
-    public Response sendEmailToken(@Context HttpServletRequest req,
-                                   @FormParam("email") String emailAddress,
+    public Response sendEmailToken(@FormParam("email") String emailAddress,
                                    @FormParam("language") String language) {
         EmailConfiguration conf = EmailConfiguration.getInstance();
 

From f5933b068ed68f97966c143065e95cad79776c0e Mon Sep 17 00:00:00 2001
From: sander <64062672+sanderhollaar@users.noreply.github.com>
Date: Wed, 6 Sep 2023 12:36:17 +0200
Subject: [PATCH 20/22] update to 7.6.2 released june 2023

---
 gradle/wrapper/gradle-wrapper.properties | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/gradle/wrapper/gradle-wrapper.properties b/gradle/wrapper/gradle-wrapper.properties
index 5083229..4e86b92 100644
--- a/gradle/wrapper/gradle-wrapper.properties
+++ b/gradle/wrapper/gradle-wrapper.properties
@@ -1,6 +1,6 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-7.6.1-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-7.6.2-bin.zip
 networkTimeout=10000
 zipStoreBase=GRADLE_USER_HOME
 zipStorePath=wrapper/dists

From 65c38d17a237ef7163e5e59070b74fea0f1734db Mon Sep 17 00:00:00 2001
From: sander <64062672+sanderhollaar@users.noreply.github.com>
Date: Wed, 6 Sep 2023 12:39:53 +0200
Subject: [PATCH 21/22] s/email/e-mail/

---
 src/main/resources/config.sample.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/main/resources/config.sample.json b/src/main/resources/config.sample.json
index 9597489..a0a61ff 100644
--- a/src/main/resources/config.sample.json
+++ b/src/main/resources/config.sample.json
@@ -1,6 +1,6 @@
 {
   "verify_email_subject": {
-    "en": "Add email address to your Yivi app",
+    "en": "Add e-mail address to your Yivi app",
     "nl": "Voeg e-mailadres toe aan je Yivi-app"
   },
   "server_url": {
@@ -33,7 +33,7 @@
         "en": "customclient-en.html"
       },
       "email_subject": {
-        "en": "Add email address to your Yivi app",
+        "en": "Add e-mail address to your Yivi app",
         "nl": "Voeg e-mailadres toe aan je Yivi-app"
       }
   }}

From 1a0ca47af55214ad98203121cac88f34c583ff3f Mon Sep 17 00:00:00 2001
From: sander <64062672+sanderhollaar@users.noreply.github.com>
Date: Wed, 6 Sep 2023 12:42:39 +0200
Subject: [PATCH 22/22] s/email/e-mail/

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index b09ebf3..1ecaddd 100644
--- a/README.md
+++ b/README.md
@@ -1,7 +1,7 @@
 
 # irma_email_issuer
 
-Add an email address for use in your [Yivi app](https://github.com/privacybydesign/irmamobile).
+Add an e-mail address for use in your [Yivi app](https://github.com/privacybydesign/irmamobile).
 
 ## Running (development)
 The easiest way to run the irma_email_issuer for development purposes is via Docker.