Fixed auth

Marc Beyer 2022-01-23 21:23:30 +01:00
parent eea38d578b
commit e3408d1566
3 changed files with 47 additions and 8 deletions


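--- /dev/null
+++ b/AuthController.java
@@ -0,0 +1,18 @@
+package com.vpr.server.controller;
+import com.vpr.server.data.User;
+import com.vpr.server.repository.UserRepository;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.RequestMapping;
+public class AuthController {
+public User getAuthUserFromHeader(String authorizationHeader, UserRepository userRepository){
+String[] splitAuthHeader = authorizationHeader.split("\\s");
+if(splitAuthHeader.length == 2){
+return userRepository.findByToken(splitAuthHeader[1]);
+}
+return null;
+}
+}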
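Review bot: getAuthUserFromHeader accepts any two-word Authorization header and looks up the second word as a token without checking the scheme, so `Basic <x>` or `Token <x>` is treated exactly like whatever scheme the client is supposed to send; if the API expects Bearer tokens, tighten the guard to `if (splitAuthHeader.length == 2 && "Bearer".equalsIgnoreCase(splitAuthHeader[0]))`. The method also dereferences authorizationHeader with no null check, which is fine for the `@RequestHeader` callers in this commit but will throw for any caller that passes an absent header, so `if (authorizationHeader == null) return null;` at the top is cheap insurance. The class is created with `new AuthController()` in UserController rather than injected, so the `@Autowired`, `@Controller` and `@RequestMapping` imports are unused and the name is misleading for what is a helper; a `@Component` with the repository injected (or a static utility method) would fit better than passing the repository on every call. A short Javadoc saying that a null return means "not authenticated" would help, since every endpoint in this commit relies on that convention.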


@ -21,6 +21,12 @@ public class UserController {
@Autowired @Autowired
private UserRepository userRepository; private UserRepository userRepository;
private AuthController authController;
public UserController() {
this.authController = new AuthController();
}
/****************** /******************
* POST-ENDPOINTS * * POST-ENDPOINTS *
******************/ ******************/
@ -35,9 +41,9 @@ public class UserController {
@RequestParam String password, @RequestParam String password,
@RequestParam Boolean isAdmin @RequestParam Boolean isAdmin
) { ) {
User authUser = userRepository.findByToken(authorizationHeader.split("\\s")[1]); User authUser = authController.getAuthUserFromHeader(authorizationHeader, userRepository);
if(authUser == null || authUser.isAdmin()){ if(authUser == null || !authUser.isAdmin()){
return new ResponseEntity<>( "Du hast keine Rechte um den Termin zu löschen", HttpStatus.UNAUTHORIZED); return new ResponseEntity<>( "Du hast keine Rechte um einen User an zu legen", HttpStatus.UNAUTHORIZED);
} }
if(userRepository.findByLogin(login) != null){ if(userRepository.findByLogin(login) != null){
@ -106,16 +112,31 @@ public class UserController {
return new ResponseEntity<>( "Falscher login", HttpStatus.UNAUTHORIZED); return new ResponseEntity<>( "Falscher login", HttpStatus.UNAUTHORIZED);
} }
@PostMapping(path = "/login-with-token")
public @ResponseBody ResponseEntity<String> loginWithToken(
@RequestHeader("Authorization") String authorizationHeader,
@RequestParam long userId
){
User authUser = authController.getAuthUserFromHeader(authorizationHeader, userRepository);
if(authUser == null || authUser.getId() != userId){
return new ResponseEntity<>( "Falscher auth-token", HttpStatus.UNAUTHORIZED);
}
return new ResponseEntity<>("", HttpStatus.OK);
}
@PostMapping(path = "/del") @PostMapping(path = "/del")
public @ResponseBody ResponseEntity<String> deleteUser( public @ResponseBody ResponseEntity<String> deleteUser(
@RequestHeader("Authorization") String authorizationHeader, @RequestHeader("Authorization") String authorizationHeader,
@RequestParam Integer userId @RequestParam long userId
) { ) {
User authUser = userRepository.findByToken(authorizationHeader.split("\\s")[1]); User authUser = authController.getAuthUserFromHeader(authorizationHeader, userRepository);
if(authUser == null || authUser.isAdmin()){ if(authUser == null || !authUser.isAdmin()){
return new ResponseEntity<>( "Du hast keine Rechte um den Termin zu löschen", HttpStatus.UNAUTHORIZED); return new ResponseEntity<>( "Du hast keine Rechte um den Termin zu löschen", HttpStatus.UNAUTHORIZED);
} }
userRepository.deleteById(Long.valueOf(userId)); User user = userRepository.findById(userId);
if(user == null){
return new ResponseEntity<>( "User nicht in der Datenbank vorhanden", HttpStatus.BAD_REQUEST);
}
return new ResponseEntity<>( "", HttpStatus.OK); return new ResponseEntity<>( "", HttpStatus.OK);
} }
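Review bot: On the new side of `/del` the `userRepository.deleteById(Long.valueOf(userId));` call is replaced by `User user = userRepository.findById(userId);`, followed only by the null check and `return new ResponseEntity<>( "", HttpStatus.OK);`, so as rendered the endpoint no longer deletes anything; unless a line was dropped by the page rendering, add `userRepository.delete(user);` (or `userRepository.deleteById(userId);`) after the null check. The same handler still rejects non-admins with the event-deletion text "Du hast keine Rechte um den Termin zu löschen"; the create-user hunk got a corrected message and this one should too. Both admin checks answer an authenticated-but-not-admin caller with 401 UNAUTHORIZED, where 403 FORBIDDEN is the conventional status, and collapsing `authUser == null` and `!authUser.isAdmin()` into one response deserves a one-line comment so the intent (no distinction between missing and insufficient credentials) is clear. `new AuthController()` in the constructor bypasses Spring injection and is why the repository has to be handed over on every call; injecting the helper would be cleaner. The class containing deleteUser continues outside the hunk.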


@ -20,7 +20,7 @@ import java.util.List;
"INNER JOIN user_event ue " + "INNER JOIN user_event ue " +
"ON e.id = ue.event_id " + "ON e.id = ue.event_id " +
"WHERE (ue.user_id = :userId OR e.is_private = 0) " + "WHERE (ue.user_id = :userId OR e.is_private = 0) " +
"AND ue.date > :startDate " + "AND ue.date >= :startDate " +
"AND ue.date < :endDate " + "AND ue.date < :endDate " +
"ORDER BY ue.date, e.priority DESC, e.start", "ORDER BY ue.date, e.priority DESC, e.start",
resultClass = Event.class resultClass = Event.class
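Review bot: The new `ue.date >= :startDate` makes the start of the window inclusive while `ue.date < :endDate` stays exclusive, which is the right half-open shape for a date range but reads like an inconsistency; a comment next to the query, e.g. `// window is half-open: [startDate, endDate)`, would stop the next reader from "fixing" one of the two operators. Separately, the `OR e.is_private = 0` branch still goes through the INNER JOIN on user_event, so a public event with several attendees is returned once per attendee row unless the result is de-duplicated elsewhere — worth confirming, though it predates this change. The annotation holding this query string starts outside the hunk.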