Added auth to a lot of the endpoints

This commit is contained in:
Marc Beyer 2022-01-14 17:53:42 +01:00
parent 0531f868d0
commit d5b6d6357e
4 changed files with 40 additions and 17 deletions


@ -8,6 +8,7 @@ import com.vpr.server.repository.UserEventRepository;
import com.vpr.server.repository.UserRepository;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestMapping;
@ -34,7 +35,7 @@ public class EventController {
@PostMapping(path = "/add")
public @ResponseBody
String addEvent(
ResponseEntity<String> addEvent(
@RequestParam Integer userId,
@RequestParam String date,
@RequestParam String name,
@ -53,7 +54,7 @@ public class EventController {
event.setName(name);
} else {
System.out.println("NAME IST ZU KURZ");
throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "Format nicht korrekt");
return new ResponseEntity<>("Der Name ist zu kurz", HttpStatus.BAD_REQUEST);
}
try {
@ -84,7 +85,7 @@ public class EventController {
userEvent.setDate(new java.sql.Date(simpleDateFormat.parse(date).getTime()));
} catch (Exception e) {
System.out.println("DATE FORMAT NOT CORRECT");
throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "Format nicht korrekt");
return new ResponseEntity<>("Datumformat nicht korrekt", HttpStatus.BAD_REQUEST);
}
userEvent.setEvent(event);
@ -97,15 +98,15 @@ public class EventController {
eventRepository.save(event);
userEventRepository.save(userEvent);
return "";
return new ResponseEntity<>("", HttpStatus.OK);
}
@PostMapping(path = "/del")
public @ResponseBody
String delEvent(@RequestParam Integer eventId) {
ResponseEntity<String> delEvent(@RequestParam Integer eventId) {
eventRepository.deleteUserEventsById(Long.valueOf(eventId));
eventRepository.deleteById(Long.valueOf(eventId));
return "Deleted";
return new ResponseEntity<>("", HttpStatus.OK);
}
@PostMapping(path = "/all")
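Review bot: Neither addEvent nor delEvent in this file checks an Authorization header, so despite the commit title any caller can still delete an event by id through `/del` or create events on behalf of an arbitrary `userId` through `/add`. The `@RequestHeader("Authorization") String authorizationHeader` parameter and `userRepository.findByToken(...)` lookup this commit adds in UserController would be needed here as well (assuming the imported UserRepository is injected into this controller), with the resolved user compared against `userId` or required to be admin before `eventRepository.deleteUserEventsById(...)` runs. Separately, `catch (Exception e)` around `simpleDateFormat.parse(date)` is wider than the `ParseException` that call can throw, so unrelated failures get reported as "Datumformat nicht korrekt"; narrowing it to `catch (ParseException e)` keeps the error mapping honest. Both methods continue outside the shown hunks.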


@ -33,4 +33,10 @@ public class MainController {
public String statusTest(){
throw new ResponseStatusException(HttpStatus.I_AM_A_TEAPOT, "TestTestTest");
}
@PostMapping(path = "/header-test")
public ResponseEntity<String> headerTest(@RequestHeader("Authorization") String authorizationHeader){
System.out.println("authorizationHeader: " + authorizationHeader);
return new ResponseEntity<>(authorizationHeader, HttpStatus.OK);
}
}
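Review bot: headerTest writes the raw Authorization header to stdout with `System.out.println("authorizationHeader: " + authorizationHeader);` and then echoes it back in the response body, which puts bearer tokens into the application log and returns them to whoever calls the endpoint. If this endpoint is only for manual testing it should be removed before merge; otherwise drop the println and return a non-secret acknowledgement such as `return new ResponseEntity<>("ok", HttpStatus.OK);`.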


@ -6,6 +6,7 @@ import com.vpr.server.security.Hasher;
import com.vpr.server.security.Token;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.*;
import org.springframework.web.server.ResponseStatusException;
@ -26,15 +27,21 @@ public class UserController {
@PostMapping(path = "/add")
public @ResponseBody
String addNewUser(
ResponseEntity<String> addNewUser(
@RequestHeader("Authorization") String authorizationHeader,
@RequestParam String name,
@RequestParam String forename,
@RequestParam String login,
@RequestParam String password,
@RequestParam Boolean isAdmin
) {
User authUser = userRepository.findByToken(authorizationHeader.split("\\s")[1]);
if(authUser == null || authUser.isAdmin()){
return new ResponseEntity<>( "Du hast keine Rechte um den Termin zu löschen", HttpStatus.UNAUTHORIZED);
}
if(userRepository.findByLogin(login) != null){
throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "Login exestiert bereits!");
return new ResponseEntity<>( "Login exestiert bereits", HttpStatus.BAD_REQUEST);
}
byte[] salt = Hasher.GenerateSalt();
@ -43,7 +50,7 @@ public class UserController {
hash = Hasher.HashPassword(password, salt);
} catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
e.printStackTrace();
throw new ResponseStatusException(HttpStatus.INTERNAL_SERVER_ERROR, "Fehler beim hashen");
return new ResponseEntity<>( "Fehler beim hashen", HttpStatus.INTERNAL_SERVER_ERROR);
}
User user = new User();
@ -57,12 +64,12 @@ public class UserController {
user.setAdmin(isAdmin);
userRepository.save(user);
return "" + user.getId();
return new ResponseEntity<>( "" + user.getId(), HttpStatus.OK);
}
@PostMapping(path = "/login")
public @ResponseBody
String login(
ResponseEntity<String> login(
@RequestParam String login,
@RequestParam String password
) {
@ -70,7 +77,7 @@ public class UserController {
User user = userRepository.findByLogin(login);
if (user == null) {
System.out.println("Login for " + login + " failed.");
throw new ResponseStatusException(HttpStatus.UNAUTHORIZED, "Falscher login");
return new ResponseEntity<>( "Falscher login", HttpStatus.UNAUTHORIZED);
}
byte[] salt = user.getSalt();
@ -79,7 +86,7 @@ public class UserController {
hash = Hasher.HashPassword(password, salt);
} catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
e.printStackTrace();
throw new ResponseStatusException(HttpStatus.INTERNAL_SERVER_ERROR, "Fehler beim hashen");
return new ResponseEntity<>( "Fehler beim hashen", HttpStatus.INTERNAL_SERVER_ERROR);
}
if (Arrays.equals(user.getPassword(), hash)) {
@ -90,19 +97,26 @@ public class UserController {
System.out.println(user.getLogin() + " is now logged in.");
System.out.println(Token.Verify(Token.Generate(user.getLogin()), user.getLogin()));
return token + " " + user.getId();
return new ResponseEntity<>( token + " " + user.getId(), HttpStatus.OK);
}
System.out.println(user.getLogin() + " failed to logged in.");
System.out.println("entered : " + javax.xml.bind.DatatypeConverter.printHexBinary(hash));
System.out.println("required: " + javax.xml.bind.DatatypeConverter.printHexBinary(user.getPassword()));
throw new ResponseStatusException(HttpStatus.UNAUTHORIZED, "Falscher login");
return new ResponseEntity<>( "Falscher login", HttpStatus.UNAUTHORIZED);
}
@PostMapping(path = "/del")
public @ResponseBody String deleteUser(@RequestParam Integer userId) {
public @ResponseBody ResponseEntity<String> deleteUser(
@RequestHeader("Authorization") String authorizationHeader,
@RequestParam Integer userId
) {
User authUser = userRepository.findByToken(authorizationHeader.split("\\s")[1]);
if(authUser == null || authUser.isAdmin()){
return new ResponseEntity<>( "Du hast keine Rechte um den Termin zu löschen", HttpStatus.UNAUTHORIZED);
}
userRepository.deleteById(Long.valueOf(userId));
return "Deleted";
return new ResponseEntity<>( "", HttpStatus.OK);
}
/*****************
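Review bot: The new admin check in addNewUser, `if(authUser == null || authUser.isAdmin())`, returns UNAUTHORIZED for admins and lets every non-admin holder of a valid token through, and the same inverted condition is repeated in deleteUser. Unless `User.isAdmin()` itself has inverted meaning, both should read `if (authUser == null || !authUser.isAdmin())`, and an authenticated-but-unprivileged caller is conventionally answered with `HttpStatus.FORBIDDEN` rather than UNAUTHORIZED. In both methods `authorizationHeader.split("\\s")[1]` throws ArrayIndexOutOfBoundsException when the header contains no whitespace, so a malformed header yields a 500 instead of a 401; split into a local array and check `parts.length == 2` before indexing. The rejection message "Du hast keine Rechte um den Termin zu löschen" in addNewUser appears copied from an event endpoint and should describe the user-creation permission. The println calls in login that print the entered and stored password hashes in hex are context here but belong removed in the same pass, since they leak password-hash material into stdout.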


@ -20,4 +20,6 @@ public interface UserRepository extends CrudRepository<User, Integer> {
User findByLoginAndPassword(String login, byte[] password);
void deleteById(long id);
User findByToken(String token);
}