Added auth to a lot of the endpoints

server/src/main/java/com/vpr/server/controller/EventController.java

@@ -8,6 +8,7 @@ import com.vpr.server.repository.UserEventRepository;
 import com.vpr.server.repository.UserRepository;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatus;
+import org.springframework.http.ResponseEntity;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -34,7 +35,7 @@ public class EventController {
 
     @PostMapping(path = "/add")
     public @ResponseBody
-    String addEvent(
+    ResponseEntity<String> addEvent(
             @RequestParam Integer userId,
             @RequestParam String date,
             @RequestParam String name,
@@ -53,7 +54,7 @@ public class EventController {
             event.setName(name);
         } else {
             System.out.println("NAME IST ZU KURZ");
-            throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "Format nicht korrekt");
+            return new ResponseEntity<>("Der Name ist zu kurz", HttpStatus.BAD_REQUEST);
         }
 
         try {
@@ -84,7 +85,7 @@ public class EventController {
             userEvent.setDate(new java.sql.Date(simpleDateFormat.parse(date).getTime()));
         } catch (Exception e) {
             System.out.println("DATE FORMAT NOT CORRECT");
-            throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "Format nicht korrekt");
+            return new ResponseEntity<>("Datumformat nicht korrekt", HttpStatus.BAD_REQUEST);
         }
 
         userEvent.setEvent(event);
@@ -97,15 +98,15 @@ public class EventController {
 
         eventRepository.save(event);
         userEventRepository.save(userEvent);
-        return "";
+        return new ResponseEntity<>("", HttpStatus.OK);
     }
 
     @PostMapping(path = "/del")
     public @ResponseBody
-    String delEvent(@RequestParam Integer eventId) {
+    ResponseEntity<String> delEvent(@RequestParam Integer eventId) {
         eventRepository.deleteUserEventsById(Long.valueOf(eventId));
         eventRepository.deleteById(Long.valueOf(eventId));
-        return "Deleted";
+        return new ResponseEntity<>("", HttpStatus.OK);
     }
 
     @PostMapping(path = "/all")

server/src/main/java/com/vpr/server/controller/MainController.java

@@ -33,4 +33,10 @@ public class MainController {
     public String statusTest(){
         throw new ResponseStatusException(HttpStatus.I_AM_A_TEAPOT, "TestTestTest");
     }
+
+    @PostMapping(path = "/header-test")
+    public ResponseEntity<String> headerTest(@RequestHeader("Authorization") String authorizationHeader){
+        System.out.println("authorizationHeader: " + authorizationHeader);
+        return new ResponseEntity<>(authorizationHeader, HttpStatus.OK);
+    }
 }

server/src/main/java/com/vpr/server/controller/UserController.java

@@ -6,6 +6,7 @@ import com.vpr.server.security.Hasher;
 import com.vpr.server.security.Token;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatus;
+import org.springframework.http.ResponseEntity;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.*;
 import org.springframework.web.server.ResponseStatusException;
@@ -26,15 +27,21 @@ public class UserController {
 
     @PostMapping(path = "/add")
     public @ResponseBody
-    String addNewUser(
+    ResponseEntity<String> addNewUser(
+            @RequestHeader("Authorization") String authorizationHeader,
             @RequestParam String name,
             @RequestParam String forename,
             @RequestParam String login,
             @RequestParam String password,
             @RequestParam Boolean isAdmin
     ) {
+        User authUser = userRepository.findByToken(authorizationHeader.split("\\s")[1]);
+        if(authUser == null || authUser.isAdmin()){
+            return new ResponseEntity<>( "Du hast keine Rechte um den Termin zu löschen", HttpStatus.UNAUTHORIZED);
+        }
+
         if(userRepository.findByLogin(login) != null){
-            throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "Login exestiert bereits!");
+            return new ResponseEntity<>( "Login exestiert bereits", HttpStatus.BAD_REQUEST);
         }
 
         byte[] salt = Hasher.GenerateSalt();
@@ -43,7 +50,7 @@ public class UserController {
             hash = Hasher.HashPassword(password, salt);
         } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
             e.printStackTrace();
-            throw new ResponseStatusException(HttpStatus.INTERNAL_SERVER_ERROR, "Fehler beim hashen");
+            return new ResponseEntity<>( "Fehler beim hashen", HttpStatus.INTERNAL_SERVER_ERROR);
         }
 
         User user = new User();
@@ -57,12 +64,12 @@ public class UserController {
         user.setAdmin(isAdmin);
 
         userRepository.save(user);
-        return "" + user.getId();
+        return new ResponseEntity<>( "" + user.getId(), HttpStatus.OK);
     }
 
     @PostMapping(path = "/login")
     public @ResponseBody
-    String login(
+    ResponseEntity<String> login(
             @RequestParam String login,
             @RequestParam String password
     ) {
@@ -70,7 +77,7 @@ public class UserController {
         User user = userRepository.findByLogin(login);
         if (user == null) {
             System.out.println("Login for " + login + " failed.");
-            throw new ResponseStatusException(HttpStatus.UNAUTHORIZED, "Falscher login");
+            return new ResponseEntity<>( "Falscher login", HttpStatus.UNAUTHORIZED);
         }
 
         byte[] salt = user.getSalt();
@@ -79,7 +86,7 @@ public class UserController {
             hash = Hasher.HashPassword(password, salt);
         } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
             e.printStackTrace();
-            throw new ResponseStatusException(HttpStatus.INTERNAL_SERVER_ERROR, "Fehler beim hashen");
+            return new ResponseEntity<>( "Fehler beim hashen", HttpStatus.INTERNAL_SERVER_ERROR);
         }
 
         if (Arrays.equals(user.getPassword(), hash)) {
@@ -90,19 +97,26 @@ public class UserController {
             System.out.println(user.getLogin() + " is now logged in.");
             System.out.println(Token.Verify(Token.Generate(user.getLogin()), user.getLogin()));
 
-            return token + " " + user.getId();
+            return new ResponseEntity<>( token + " " + user.getId(), HttpStatus.OK);
         }
         System.out.println(user.getLogin() + " failed to logged in.");
         System.out.println("entered : " + javax.xml.bind.DatatypeConverter.printHexBinary(hash));
         System.out.println("required: " + javax.xml.bind.DatatypeConverter.printHexBinary(user.getPassword()));
 
-        throw new ResponseStatusException(HttpStatus.UNAUTHORIZED, "Falscher login");
+        return new ResponseEntity<>( "Falscher login", HttpStatus.UNAUTHORIZED);
     }
 
     @PostMapping(path = "/del")
-    public @ResponseBody String deleteUser(@RequestParam Integer userId) {
+    public @ResponseBody ResponseEntity<String> deleteUser(
+            @RequestHeader("Authorization") String authorizationHeader,
+            @RequestParam Integer userId
+    ) {
+        User authUser = userRepository.findByToken(authorizationHeader.split("\\s")[1]);
+        if(authUser == null || authUser.isAdmin()){
+            return new ResponseEntity<>( "Du hast keine Rechte um den Termin zu löschen", HttpStatus.UNAUTHORIZED);
+        }
         userRepository.deleteById(Long.valueOf(userId));
-        return "Deleted";
+        return new ResponseEntity<>( "", HttpStatus.OK);
     }
 
     /*****************

server/src/main/java/com/vpr/server/repository/UserRepository.java

@@ -20,4 +20,6 @@ public interface UserRepository extends CrudRepository<User, Integer> {
     User findByLoginAndPassword(String login, byte[] password);
 
     void deleteById(long id);
+
+    User findByToken(String token);
 }