ls1intum · krusche · Jun 5, 2025 · May 28, 2025 · May 28, 2025 · May 28, 2025
@@ -5,6 +5,8 @@
 import org.springframework.security.saml2.provider.service.authentication.Saml2Authentication;
 import org.springframework.security.web.webauthn.authentication.WebAuthnAuthentication;
 
+import de.tum.cit.aet.artemis.core.domain.Language;
+
 public enum AuthenticationMethod {
 
     PASSKEY("passkey"), PASSWORD("password"), SAML2("saml2");
@@ -49,4 +51,18 @@ public static AuthenticationMethod fromMethod(String method) {
         }
         throw new IllegalArgumentException("Unknown authentication method: " + method);
     }
+
+    /**
+     * Returns the email displayName of the authentication method based on the provided language.
+     *
+     * @param language the {@link Language} code
+     * @return the localized display name
+     */
+    public String getEmailDisplayName(Language language) {
+        return switch (this) {
+            case PASSKEY -> language == Language.GERMAN ? "Passkey" : "passkey";
+            case PASSWORD -> language == Language.GERMAN ? "Passwort" : "password";
+            case SAML2 -> "SAML2";
+        };
+    }
 }
@@ -205,7 +205,7 @@ public static JwtWithSource extractValidJwt(HttpServletRequest httpServletReques
                      "request_uri": "{}",
                      "headers": {}
                     }
-                    """, source, httpServletRequest.getRemoteAddr(), httpServletRequest.getHeader("User-Agent"), httpServletRequest.getRequestURI(),
+                    """, source, httpServletRequest.getRemoteAddr(), httpServletRequest.getHeader(HttpHeaders.USER_AGENT), httpServletRequest.getRequestURI(),
                     collectHeaders(httpServletRequest));
             return null;
         }

@@ -6,22 +6,23 @@
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
 
-import org.springframework.context.ApplicationEventPublisher;
 import org.springframework.http.HttpHeaders;
 import org.springframework.http.MediaType;
 import org.springframework.http.ResponseCookie;
 import org.springframework.http.converter.GenericHttpMessageConverter;
 import org.springframework.http.converter.HttpMessageConverter;
 import org.springframework.http.server.ServletServerHttpResponse;
-import org.springframework.security.authentication.event.AuthenticationSuccessEvent;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
 import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
 import org.springframework.security.web.savedrequest.RequestCache;
 import org.springframework.security.web.savedrequest.SavedRequest;
 import org.springframework.util.Assert;
 
+import de.tum.cit.aet.artemis.core.security.jwt.AuthenticationMethod;
 import de.tum.cit.aet.artemis.core.security.jwt.JWTCookieService;
+import de.tum.cit.aet.artemis.core.service.ArtemisSuccessfulLoginService;
+import de.tum.cit.aet.artemis.core.util.HttpRequestUtils;
 
 /**
  * An {@link AuthenticationSuccessHandler}, that sets a JWT token in the response and writes a JSON response with the redirect
@@ -37,13 +38,13 @@ public final class ArtemisHttpMessageConverterAuthenticationSuccessHandler imple
 
     private final JWTCookieService jwtCookieService;
 
-    private final ApplicationEventPublisher eventPublisher;
+    private final ArtemisSuccessfulLoginService artemisSuccessfulLoginService;
 
     public ArtemisHttpMessageConverterAuthenticationSuccessHandler(HttpMessageConverter<Object> converter, JWTCookieService jwtCookieService,
-            ApplicationEventPublisher eventPublisher) {
+            ArtemisSuccessfulLoginService artemisSuccessfulLoginService) {
         this.jwtCookieService = jwtCookieService;
         this.converter = converter;
-        this.eventPublisher = eventPublisher;
+        this.artemisSuccessfulLoginService = artemisSuccessfulLoginService;
     }
 
     /**
@@ -76,7 +77,7 @@ public void onAuthenticationSuccess(HttpServletRequest request, HttpServletRespo
         ResponseCookie responseCookie = jwtCookieService.buildLoginCookie(rememberMe);
         response.addHeader(HttpHeaders.SET_COOKIE, responseCookie.toString());
 
-        eventPublisher.publishEvent(new AuthenticationSuccessEvent(authentication));
+        artemisSuccessfulLoginService.sendLoginEmail(authentication.getName(), AuthenticationMethod.PASSKEY, HttpRequestUtils.getClientEnvironment(request));
 
         this.converter.write(new AuthenticationSuccess(redirectUrl), MediaType.APPLICATION_JSON, new ServletServerHttpResponse(response));
     }

@@ -13,7 +13,6 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Value;
-import org.springframework.context.ApplicationEventPublisher;
 import org.springframework.context.annotation.Profile;
 import org.springframework.http.converter.HttpMessageConverter;
 import org.springframework.http.converter.json.MappingJackson2HttpMessageConverter;
@@ -30,6 +29,7 @@
 import de.tum.cit.aet.artemis.core.repository.UserRepository;
 import de.tum.cit.aet.artemis.core.security.jwt.JWTCookieService;
 import de.tum.cit.aet.artemis.core.service.AndroidFingerprintService;
+import de.tum.cit.aet.artemis.core.service.ArtemisSuccessfulLoginService;
 import de.tum.cit.aet.artemis.core.util.AndroidApkKeyHashUtil;
 
 /**
@@ -59,7 +59,7 @@ public class ArtemisPasskeyWebAuthnConfigurer {
 
     private final MailSendingService mailSendingService;
 
-    private final ApplicationEventPublisher eventPublisher;
+    private final ArtemisSuccessfulLoginService artemisSuccessfulLoginService;
 
     @Value("${" + Constants.PASSKEY_ENABLED_PROPERTY_NAME + ":false}")
     private boolean passkeyEnabled;
@@ -83,7 +83,7 @@ public ArtemisPasskeyWebAuthnConfigurer(MappingJackson2HttpMessageConverter conv
             PublicKeyCredentialUserEntityRepository publicKeyCredentialUserEntityRepository, UserCredentialRepository userCredentialRepository,
             PublicKeyCredentialCreationOptionsRepository publicKeyCredentialCreationOptionsRepository,
             PublicKeyCredentialRequestOptionsRepository publicKeyCredentialRequestOptionsRepository, AndroidFingerprintService androidFingerprintService,
-            MailSendingService mailSendingService, ApplicationEventPublisher eventPublisher) {
+            MailSendingService mailSendingService, ArtemisSuccessfulLoginService artemisSuccessfulLoginService) {
         this.converter = converter;
         this.jwtCookieService = jwtCookieService;
         this.userRepository = userRepository;
@@ -93,7 +93,7 @@ public ArtemisPasskeyWebAuthnConfigurer(MappingJackson2HttpMessageConverter conv
         this.publicKeyCredentialRequestOptionsRepository = publicKeyCredentialRequestOptionsRepository;
         this.androidFingerprintService = androidFingerprintService;
         this.mailSendingService = mailSendingService;
-        this.eventPublisher = eventPublisher;
+        this.artemisSuccessfulLoginService = artemisSuccessfulLoginService;
     }
 
     /**
@@ -157,7 +157,8 @@ public boolean configure(HttpSecurity http) throws Exception {
         }
 
         WebAuthnConfigurer<HttpSecurity> webAuthnConfigurer = new ArtemisWebAuthnConfigurer<>(converter, jwtCookieService, userRepository, publicKeyCredentialUserEntityRepository,
-                userCredentialRepository, publicKeyCredentialCreationOptionsRepository, publicKeyCredentialRequestOptionsRepository, mailSendingService, eventPublisher);
+                userCredentialRepository, publicKeyCredentialCreationOptionsRepository, publicKeyCredentialRequestOptionsRepository, mailSendingService,
+                artemisSuccessfulLoginService);
 
         http.with(webAuthnConfigurer, configurer -> {
             configurer.allowedOrigins(allowedOrigins).rpId(relyingPartyId).rpName(relyingPartyName);

@@ -1,6 +1,5 @@
 package de.tum.cit.aet.artemis.core.security.passkey;
 
-import org.springframework.context.ApplicationEventPublisher;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.converter.HttpMessageConverter;
 import org.springframework.security.web.authentication.AuthenticationEntryPointFailureHandler;
@@ -10,6 +9,7 @@
 import org.springframework.security.web.webauthn.authentication.WebAuthnAuthenticationFilter;
 
 import de.tum.cit.aet.artemis.core.security.jwt.JWTCookieService;
+import de.tum.cit.aet.artemis.core.service.ArtemisSuccessfulLoginService;
 
 /**
  * We want to set the custom {@link ArtemisHttpMessageConverterAuthenticationSuccessHandler} here to make sure the JWT token is set in the response
@@ -19,12 +19,12 @@
 public class ArtemisWebAuthnAuthenticationFilter extends WebAuthnAuthenticationFilter {
 
     public ArtemisWebAuthnAuthenticationFilter(HttpMessageConverter<Object> converter, JWTCookieService jwtCookieService,
-            PublicKeyCredentialRequestOptionsRepository publicKeyCredentialRequestOptionsRepository, ApplicationEventPublisher eventPublisher) {
+            PublicKeyCredentialRequestOptionsRepository publicKeyCredentialRequestOptionsRepository, ArtemisSuccessfulLoginService artemisSuccessfulLoginService) {
         super();
         setSecurityContextRepository(new HttpSessionSecurityContextRepository());
         setRequestOptionsRepository(publicKeyCredentialRequestOptionsRepository);
         setAuthenticationFailureHandler(new AuthenticationEntryPointFailureHandler(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED)));
-        setAuthenticationSuccessHandler(new ArtemisHttpMessageConverterAuthenticationSuccessHandler(converter, jwtCookieService, eventPublisher));
+        setAuthenticationSuccessHandler(new ArtemisHttpMessageConverterAuthenticationSuccessHandler(converter, jwtCookieService, artemisSuccessfulLoginService));
     }
 
 }
@@ -8,7 +8,6 @@
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.NoSuchBeanDefinitionException;
 import org.springframework.context.ApplicationContext;
-import org.springframework.context.ApplicationEventPublisher;
 import org.springframework.http.converter.HttpMessageConverter;
 import org.springframework.security.authentication.ProviderManager;
 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
@@ -28,6 +27,7 @@
 import de.tum.cit.aet.artemis.communication.service.notifications.MailSendingService;
 import de.tum.cit.aet.artemis.core.repository.UserRepository;
 import de.tum.cit.aet.artemis.core.security.jwt.JWTCookieService;
+import de.tum.cit.aet.artemis.core.service.ArtemisSuccessfulLoginService;
 
 /**
  * <p>
@@ -81,13 +81,13 @@ public class ArtemisWebAuthnConfigurer<H extends HttpSecurityBuilder<H>> extends
 
     private final MailSendingService mailSendingService;
 
-    private final ApplicationEventPublisher eventPublisher;
+    private final ArtemisSuccessfulLoginService artemisSuccessfulLoginService;
 
     public ArtemisWebAuthnConfigurer(HttpMessageConverter<Object> converter, JWTCookieService jwtCookieService, UserRepository userRepository,
             PublicKeyCredentialUserEntityRepository publicKeyCredentialUserEntityRepository, UserCredentialRepository userCredentialRepository,
             PublicKeyCredentialCreationOptionsRepository publicKeyCredentialCreationOptionsRepository,
             PublicKeyCredentialRequestOptionsRepository publicKeyCredentialRequestOptionsRepository, MailSendingService mailSendingService,
-            ApplicationEventPublisher eventPublisher) {
+            ArtemisSuccessfulLoginService artemisSuccessfulLoginService) {
         this.converter = converter;
         this.jwtCookieService = jwtCookieService;
         this.publicKeyCredentialUserEntityRepository = publicKeyCredentialUserEntityRepository;
@@ -96,7 +96,7 @@ public ArtemisWebAuthnConfigurer(HttpMessageConverter<Object> converter, JWTCook
         this.publicKeyCredentialCreationOptionsRepository = publicKeyCredentialCreationOptionsRepository;
         this.publicKeyCredentialRequestOptionsRepository = publicKeyCredentialRequestOptionsRepository;
         this.mailSendingService = mailSendingService;
-        this.eventPublisher = eventPublisher;
+        this.artemisSuccessfulLoginService = artemisSuccessfulLoginService;
     }
 
     /**
@@ -150,7 +150,7 @@ public ArtemisWebAuthnConfigurer<H> allowedOrigins(Set<String> allowedOrigins) {
     public void configure(H http) throws Exception {
         WebAuthnRelyingPartyOperations rpOperations = webAuthnRelyingPartyOperations(publicKeyCredentialUserEntityRepository, userCredentialRepository);
         WebAuthnAuthenticationFilter webAuthnAuthnFilter = new ArtemisWebAuthnAuthenticationFilter(converter, jwtCookieService, publicKeyCredentialRequestOptionsRepository,
-                eventPublisher);
+                artemisSuccessfulLoginService);
 
         // we need to use custom repositories to ensure that multinode systems share challenges created in option requests
         // the default implementation only works on single-node systems (at least on Spring Security version 6.4.4)

@@ -7,16 +7,22 @@
 import java.time.format.DateTimeFormatter;
 import java.util.HashMap;
 
+import jakarta.annotation.Nullable;
+import jakarta.annotation.PostConstruct;
+
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Profile;
 import org.springframework.stereotype.Service;
 
 import de.tum.cit.aet.artemis.communication.service.notifications.MailSendingService;
+import de.tum.cit.aet.artemis.core.domain.Language;
 import de.tum.cit.aet.artemis.core.domain.User;
 import de.tum.cit.aet.artemis.core.exception.EntityNotFoundException;
 import de.tum.cit.aet.artemis.core.repository.UserRepository;
+import de.tum.cit.aet.artemis.core.security.jwt.AuthenticationMethod;
+import de.tum.cit.aet.artemis.core.util.ClientEnvironment;
 
 /**
  * Listener for successful authentication events in the Artemis system.
@@ -27,21 +33,35 @@
 @Service
 public class ArtemisSuccessfulLoginService {
 
-    @Value("${artemis.user-management.password-reset.links.en:https://artemis.tum.de/account/reset/request}")
+    private static final Logger log = LoggerFactory.getLogger(ArtemisSuccessfulLoginService.class);
+
+    @Value("${artemis.user-management.password-reset.links.en}")
     private String passwordResetLinkEnUrl;
 
-    @Value("${artemis.user-management.password-reset.links.de:https://artemis.tum.de/account/reset/request}")
+    @Value("${artemis.user-management.password-reset.links.de}")
     private String passwordResetLinkDeUrl;
 
     @Value("${server.url}")
     private URL artemisServerUrl;
 
-    private static final Logger log = LoggerFactory.getLogger(ArtemisSuccessfulLoginService.class);
-
     private final UserRepository userRepository;
 
     private final MailSendingService mailSendingService;
 
+    @PostConstruct
+    public void ensurePasswordResetLinksAreInitializedProperly() {
+        String defaultPasswordResetLink = artemisServerUrl + "/account/reset/request";
+        String configurationPlaceholder = "<link>";
+        if (passwordResetLinkEnUrl == null || passwordResetLinkEnUrl.isEmpty() || passwordResetLinkEnUrl.equals(configurationPlaceholder)) {
+            log.info("No password reset link configured for English, using default link {}", defaultPasswordResetLink);
+            passwordResetLinkEnUrl = defaultPasswordResetLink;
+        }
+        if (passwordResetLinkDeUrl == null || passwordResetLinkDeUrl.isEmpty() || passwordResetLinkDeUrl.equals(configurationPlaceholder)) {
+            log.info("No password reset link configured for German, using default link {}", defaultPasswordResetLink);
+            passwordResetLinkDeUrl = defaultPasswordResetLink;
+        }
+    }
+
     public ArtemisSuccessfulLoginService(UserRepository userRepository, MailSendingService mailSendingService) {
         this.userRepository = userRepository;
         this.mailSendingService = mailSendingService;
@@ -53,24 +73,31 @@ public ArtemisSuccessfulLoginService(UserRepository userRepository, MailSendingS
      *
      * @param username the username of the user who has successfully logged in
      */
-    public void sendLoginEmail(String username) {
+    public void sendLoginEmail(String username, AuthenticationMethod authenticationMethod, @Nullable ClientEnvironment clientEnvironment) {
         try {
             User recipient = userRepository.getUserByLoginElseThrow(username);
-            var contextVariables = new HashMap<String, Object>();
-            ZonedDateTime now = ZonedDateTime.now();
-            contextVariables.put("loginDate", now.format(DateTimeFormatter.ofPattern("dd.MM.yyyy")));
-            contextVariables.put("loginTime", now.format(DateTimeFormatter.ofPattern("HH:mm:ss")));
 
             String localeKey = recipient.getLangKey();
             if (localeKey == null) {
+                log.warn("User {} has no language set, using default language 'en'", username);
                 localeKey = "en";
             }
+            Language language = Language.fromLanguageShortName(localeKey);
+
+            var contextVariables = new HashMap<String, Object>();
+            contextVariables.put("authenticationMethod", authenticationMethod.getEmailDisplayName(language));
+            ZonedDateTime now = ZonedDateTime.now();
+            contextVariables.put("loginDate", now.format(DateTimeFormatter.ofPattern("dd.MM.yyyy")));
+            contextVariables.put("loginTime", now.format(DateTimeFormatter.ofPattern("HH:mm:ss '('VV')'")));
+
+            String environmentInfo = clientEnvironment != null ? clientEnvironment.getEnvironmentInfo(language) : ClientEnvironment.getUnknownEnvironmentDisplayName(language);
+            contextVariables.put("requestOrigin", environmentInfo);
 
             if (recipient.isInternal()) {
                 contextVariables.put("resetLink", artemisServerUrl.toString() + "/account/password");
             }
             else {
-                if (localeKey.equals("de")) {
+                if (language == Language.GERMAN) {
                     contextVariables.put("resetLink", passwordResetLinkDeUrl);
                 }
                 else {