From e3408d1566f03f53ffdd7ae8071f9682f70cda7c Mon Sep 17 00:00:00 2001
From: Marc Beyer <marc.beyer@edu.bib.de>
Date: Sun, 23 Jan 2022 21:23:30 +0100
Subject: [PATCH] Fixed auth

---
 .../vpr/server/controller/AuthController.java | 18 ++++++++++
 .../vpr/server/controller/UserController.java | 35 +++++++++++++++----
 .../main/java/com/vpr/server/data/Event.java  |  2 +-
 3 files changed, 47 insertions(+), 8 deletions(-)
 create mode 100644 server/src/main/java/com/vpr/server/controller/AuthController.java

diff --git a/server/src/main/java/com/vpr/server/controller/AuthController.java b/server/src/main/java/com/vpr/server/controller/AuthController.java
new file mode 100644
index 0000000..31bbe08
--- /dev/null
+++ b/server/src/main/java/com/vpr/server/controller/AuthController.java
@@ -0,0 +1,18 @@
+package com.vpr.server.controller;
+
+import com.vpr.server.data.User;
+import com.vpr.server.repository.UserRepository;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.RequestMapping;
+
+public class AuthController {
+
+    public User getAuthUserFromHeader(String authorizationHeader, UserRepository userRepository){
+        String[] splitAuthHeader = authorizationHeader.split("\\s");
+        if(splitAuthHeader.length == 2){
+            return userRepository.findByToken(splitAuthHeader[1]);
+        }
+        return null;
+    }
+}
diff --git a/server/src/main/java/com/vpr/server/controller/UserController.java b/server/src/main/java/com/vpr/server/controller/UserController.java
index f48ed43..2698b35 100644
--- a/server/src/main/java/com/vpr/server/controller/UserController.java
+++ b/server/src/main/java/com/vpr/server/controller/UserController.java
@@ -21,6 +21,12 @@ public class UserController {
     @Autowired
     private UserRepository userRepository;
 
+    private AuthController authController;
+
+    public UserController() {
+        this.authController = new AuthController();
+    }
+
     /******************
      * POST-ENDPOINTS *
      ******************/
@@ -35,9 +41,9 @@ public class UserController {
             @RequestParam String password,
             @RequestParam Boolean isAdmin
     ) {
-        User authUser = userRepository.findByToken(authorizationHeader.split("\\s")[1]);
-        if(authUser == null || authUser.isAdmin()){
-            return new ResponseEntity<>( "Du hast keine Rechte um den Termin zu löschen", HttpStatus.UNAUTHORIZED);
+        User authUser = authController.getAuthUserFromHeader(authorizationHeader, userRepository);
+        if(authUser == null || !authUser.isAdmin()){
+            return new ResponseEntity<>( "Du hast keine Rechte um einen User an zu legen", HttpStatus.UNAUTHORIZED);
         }
 
         if(userRepository.findByLogin(login) != null){
@@ -106,16 +112,31 @@ public class UserController {
         return new ResponseEntity<>( "Falscher login", HttpStatus.UNAUTHORIZED);
     }
 
+    @PostMapping(path = "/login-with-token")
+    public @ResponseBody ResponseEntity<String> loginWithToken(
+            @RequestHeader("Authorization") String authorizationHeader,
+            @RequestParam long userId
+    ){
+        User authUser = authController.getAuthUserFromHeader(authorizationHeader, userRepository);
+        if(authUser == null || authUser.getId() != userId){
+            return new ResponseEntity<>( "Falscher auth-token", HttpStatus.UNAUTHORIZED);
+        }
+        return new ResponseEntity<>("", HttpStatus.OK);
+    }
+
     @PostMapping(path = "/del")
     public @ResponseBody ResponseEntity<String> deleteUser(
             @RequestHeader("Authorization") String authorizationHeader,
-            @RequestParam Integer userId
+            @RequestParam long userId
     ) {
-        User authUser = userRepository.findByToken(authorizationHeader.split("\\s")[1]);
-        if(authUser == null || authUser.isAdmin()){
+        User authUser = authController.getAuthUserFromHeader(authorizationHeader, userRepository);
+        if(authUser == null || !authUser.isAdmin()){
             return new ResponseEntity<>( "Du hast keine Rechte um den Termin zu löschen", HttpStatus.UNAUTHORIZED);
         }
-        userRepository.deleteById(Long.valueOf(userId));
+        User user = userRepository.findById(userId);
+        if(user == null){
+            return new ResponseEntity<>( "User nicht in der Datenbank vorhanden", HttpStatus.BAD_REQUEST);
+        }
         return new ResponseEntity<>( "", HttpStatus.OK);
     }
 
diff --git a/server/src/main/java/com/vpr/server/data/Event.java b/server/src/main/java/com/vpr/server/data/Event.java
index 91b1e5e..b9eaea3 100644
--- a/server/src/main/java/com/vpr/server/data/Event.java
+++ b/server/src/main/java/com/vpr/server/data/Event.java
@@ -20,7 +20,7 @@ import java.util.List;
                     "INNER JOIN user_event ue " +
                     "ON e.id = ue.event_id " +
                     "WHERE (ue.user_id = :userId OR e.is_private = 0) " +
-                    "AND ue.date > :startDate " +
+                    "AND ue.date >= :startDate " +
                     "AND ue.date < :endDate " +
                     "ORDER BY ue.date, e.priority DESC, e.start",
             resultClass = Event.class