feature: Add extra feedback once someone solves JWT refresh lesson differently

One can solve this lesson by using `alg:none` instead of using the refresh token flow. Instead of adding a check to force using the refresh token we opt for giving the user extra feedback.

src/main/java/org/owasp/webgoat/lessons/jwt/JWTFinalEndpoint.java

@@ -22,7 +22,12 @@
 
 package org.owasp.webgoat.lessons.jwt;
 
-import io.jsonwebtoken.*;
+import io.jsonwebtoken.Claims;
+import io.jsonwebtoken.JwsHeader;
+import io.jsonwebtoken.Jwt;
+import io.jsonwebtoken.JwtException;
+import io.jsonwebtoken.Jwts;
+import io.jsonwebtoken.SigningKeyResolverAdapter;
 import io.jsonwebtoken.impl.TextCodec;
 import java.sql.ResultSet;
 import java.sql.SQLException;
@@ -31,34 +36,12 @@ import org.owasp.webgoat.container.LessonDataSource;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
 import org.owasp.webgoat.container.assignments.AttackResult;
-import org.springframework.web.bind.annotation.*;
+import org.springframework.web.bind.annotation.PathVariable;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.RestController;
 
-/**
- *
- *
- * <pre>
- *  {
- *      "typ": "JWT",
- *      "kid": "webgoat_key",
- *      "alg": "HS256"
- *  }
- *  {
- *       "iss": "WebGoat Token Builder",
- *       "iat": 1524210904,
- *       "exp": 1618905304,
- *       "aud": "webgoat.org",
- *       "sub": "jerry@webgoat.com",
- *       "username": "Jerry",
- *       "Email": "jerry@webgoat.com",
- *       "Role": [
- *       "Cat"
- *       ]
- *  }
- * </pre>
- *
- * @author nbaars
- * @since 4/23/17.
- */
 @RestController
 @AssignmentHints({
   "jwt-final-hint1",

src/main/java/org/owasp/webgoat/lessons/jwt/JWTRefreshEndpoint.java

@@ -49,10 +49,6 @@ import org.springframework.web.bind.annotation.RequestHeader;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
-/**
- * @author nbaars
- * @since 4/23/17.
- */
 @RestController
 @AssignmentHints({
   "jwt-refresh-hint1",
@@ -85,9 +81,7 @@ public class JWTRefreshEndpoint extends AssignmentEndpoint {
   }
 
   private Map<String, Object> createNewTokens(String user) {
-    Map<String, Object> claims = new HashMap<>();
-    claims.put("admin", "false");
-    claims.put("user", user);
+    Map<String, Object> claims = Map.of("admin", "false", "user", user);
     String token =
         Jwts.builder()
             .setIssuedAt(new Date(System.currentTimeMillis() + TimeUnit.DAYS.toDays(10)))
@@ -114,6 +108,9 @@ public class JWTRefreshEndpoint extends AssignmentEndpoint {
       Claims claims = (Claims) jwt.getBody();
       String user = (String) claims.get("user");
       if ("Tom".equals(user)) {
+        if ("none".equals(jwt.getHeader().get("alg"))) {
+          return ok(success(this).feedback("jwt-refresh-alg-none").build());
+        }
         return ok(success(this).build());
       }
       return ok(failed(this).feedback("jwt-refresh-not-tom").feedbackArgs(user).build());

src/main/java/org/owasp/webgoat/lessons/jwt/JWTSecretKeyEndpoint.java

@@ -42,10 +42,6 @@ import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
-/**
- * @author nbaars
- * @since 4/23/17.
- */
 @RestController
 @AssignmentHints({"jwt-secret-hint1", "jwt-secret-hint2", "jwt-secret-hint3"})
 public class JWTSecretKeyEndpoint extends AssignmentEndpoint {

src/main/java/org/owasp/webgoat/lessons/jwt/JWTVotesEndpoint.java

@@ -58,10 +58,6 @@ import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.ResponseStatus;
 import org.springframework.web.bind.annotation.RestController;
 
-/**
- * @author nbaars
- * @since 4/23/17.
- */
 @RestController
 @AssignmentHints({
   "jwt-change-token-hint1",