Added auth to the /event/del endpoint

Check for unique logins

server/build.gradle

@@ -17,6 +17,17 @@ dependencies {
 	implementation 'org.springframework.boot:spring-boot-starter-web'
 	runtimeOnly 'mysql:mysql-connector-java'
 	testImplementation 'org.springframework.boot:spring-boot-starter-test'
+
+	// Spring security
+	//implementation 'org.springframework.boot:spring-boot-starter-security'
+	//implementation 'org.springframework.security:spring-security-test'
+
+	// JSON web token
+	implementation 'io.jsonwebtoken:jjwt-api:0.11.2'
+	runtimeOnly 'io.jsonwebtoken:jjwt-impl:0.11.2',
+			// Uncomment the next line if you want to use RSASSA-PSS (PS256, PS384, PS512) algorithms:
+			//'org.bouncycastle:bcprov-jdk15on:1.60',
+			'io.jsonwebtoken:jjwt-jackson:0.11.2' // or 'io.jsonwebtoken:jjwt-gson:0.11.2' for gson
 }
 
 test {

server/src/main/java/com/vpr/server/MainController.java

@@ -1,134 +0,0 @@
-package com.vpr.server;
-
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.stereotype.Controller;
-import org.springframework.web.bind.annotation.*;
-
-import java.sql.Date;
-import java.sql.Time;
-import java.text.SimpleDateFormat;
-import java.util.Optional;
-
-@Controller // This means that this class is a Controller
-@RequestMapping(path="/vpr") // This means URL's start with /demo (after Application path)
-public class MainController {
-
-    // This means to get the bean called userRepository
-    // Which is auto-generated by Spring, we will use it to handle the data
-    @Autowired
-    private com.vpr.server.UserRepository userRepository;
-
-    @Autowired
-    private EventRepository eventRepository;
-
-    @Autowired
-    private UserEventRepository userEventRepository;
-
-    // POST-request at /add with request parameter
-    // @ResponseBody means the returned String is the response, not a view name
-    @PostMapping(path="/add-user")
-    public @ResponseBody String addNewUser (
-            @RequestParam String name,
-            @RequestParam String forename,
-            @RequestParam String password,
-            @RequestParam String isAdmin
-            ) {
-
-        com.vpr.server.User user = new com.vpr.server.User();
-
-        // TODO set correct token and password
-        user.setName(name);
-        user.setForename(forename);
-        user.setPassword(password);
-        user.setToken("test");
-        user.setAdmin(isAdmin.equals("1"));
-
-        userRepository.save(user);
-        return "Saved";
-    }
-
-    @PostMapping(path="/add-event")
-    public @ResponseBody String addEvent (
-            @RequestParam Integer userId,
-            @RequestParam String date,
-            @RequestParam String name,
-            @RequestParam String start,
-            @RequestParam String end,
-            @RequestParam Integer prority,
-            @RequestParam Boolean isFullDay,
-            @RequestParam Boolean isPrivate
-    ) {
-
-        com.vpr.server.Event event = new com.vpr.server.Event();
-
-        event.setName(name);
-
-        try {
-            SimpleDateFormat simpleDateFormat = new SimpleDateFormat("hh:mm");
-            long ms = simpleDateFormat.parse(start).getTime();
-            event.setStart(new Time(ms));
-        }catch (Exception e){
-            event.setStart(null);
-        }
-
-        try {
-            SimpleDateFormat simpleDateFormat = new SimpleDateFormat("hh:mm");
-            long ms = simpleDateFormat.parse(end).getTime();
-            event.setEnd(new Time(ms));
-        }catch (Exception e){
-            event.setEnd(null);
-        }
-
-        event.setPriority(prority);
-        event.setFullDay(isFullDay);
-        event.setPrivate(isPrivate);
-
-
-        eventRepository.save(event);
-
-
-        com.vpr.server.UserEvent userEvent = new com.vpr.server.UserEvent();
-
-        try {
-            System.out.println("date " + date);
-            SimpleDateFormat simpleDateFormat = new SimpleDateFormat("yyyy-MM-dd");
-            userEvent.setDate(new java.sql.Date(simpleDateFormat.parse(date).getTime()));
-        }catch (Exception e){
-            System.out.println("DATE FORMAT NOT CORRECT");
-        }
-
-        userEvent.setEvent(event);
-
-        long uId = Long.valueOf(userId);
-        User user = userRepository.findById(uId);
-        userEvent.setUser(user);
-
-        System.out.println(userEvent);
-        System.out.println(user);
-
-        userEventRepository.save(userEvent);
-        return "Saved";
-    }
-
-    // GET-request at /all-users
-    // returns JSON-data
-    @GetMapping(path="/all-users")
-    public @ResponseBody Object[] getAllUsers() {
-        return userRepository.findAllUsernames();
-    }
-
-    // POST-request at /all-events
-    // returns JSON-data
-    @PostMapping(path="/all-events")
-    public @ResponseBody Object[] getAllEvents(@RequestParam long userId) {
-        return eventRepository.findAllVisibleByUserId(userId);
-    }
-
-
-    @GetMapping(path="/all-events-test")
-    public @ResponseBody Iterable<com.vpr.server.Event> getAllEventsTest() {
-        return eventRepository.findAll();
-    }
-
-
-}

server/src/main/java/com/vpr/server/controller/EventController.java

@@ -0,0 +1,137 @@
+package com.vpr.server.controller;
+
+import com.vpr.server.data.Event;
+import com.vpr.server.data.User;
+import com.vpr.server.data.UserEvent;
+import com.vpr.server.repository.EventRepository;
+import com.vpr.server.repository.UserEventRepository;
+import com.vpr.server.repository.UserRepository;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.ResponseEntity;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.*;
+import org.springframework.web.server.ResponseStatusException;
+
+import java.sql.Time;
+import java.text.SimpleDateFormat;
+
+@Controller
+@RequestMapping(path = "/event")
+public class EventController {
+    @Autowired
+    private UserRepository userRepository;
+    @Autowired
+    private EventRepository eventRepository;
+    @Autowired
+    private UserEventRepository userEventRepository;
+
+    /******************
+     * POST-ENDPOINTS *
+     ******************/
+
+    @PostMapping(path = "/add")
+    public @ResponseBody
+    ResponseEntity<String> addEvent(
+            @RequestParam Integer userId,
+            @RequestParam String date,
+            @RequestParam String name,
+            @RequestParam String start,
+            @RequestParam String end,
+            @RequestParam Integer prority,
+            @RequestParam Boolean isFullDay,
+            @RequestParam Boolean isPrivate
+    ) {
+        String errorString = "";
+
+        Event event = new Event();
+
+        System.out.println(name.length() + ". name " + name);
+        if (name.length() > 3) {
+            event.setName(name);
+        } else {
+            System.out.println("NAME IST ZU KURZ");
+            return new ResponseEntity<>("Der Name ist zu kurz", HttpStatus.BAD_REQUEST);
+        }
+
+        try {
+            SimpleDateFormat simpleDateFormat = new SimpleDateFormat("hh:mm");
+            long ms = simpleDateFormat.parse(start).getTime();
+            event.setStart(new Time(ms));
+        } catch (Exception e) {
+            event.setStart(null);
+        }
+
+        try {
+            SimpleDateFormat simpleDateFormat = new SimpleDateFormat("hh:mm");
+            long ms = simpleDateFormat.parse(end).getTime();
+            event.setEnd(new Time(ms));
+        } catch (Exception e) {
+            event.setEnd(null);
+        }
+
+        event.setPriority(prority);
+        event.setFullDay(isFullDay);
+        event.setPrivate(isPrivate);
+
+        UserEvent userEvent = new UserEvent();
+
+        try {
+            System.out.println("date " + date);
+            SimpleDateFormat simpleDateFormat = new SimpleDateFormat("yyyy-MM-dd");
+            userEvent.setDate(new java.sql.Date(simpleDateFormat.parse(date).getTime()));
+        } catch (Exception e) {
+            System.out.println("DATE FORMAT NOT CORRECT");
+            return new ResponseEntity<>("Datumformat nicht korrekt", HttpStatus.BAD_REQUEST);
+        }
+
+        userEvent.setEvent(event);
+        long uId = Long.valueOf(userId);
+        User user = userRepository.findById(uId);
+        userEvent.setUser(user);
+
+        System.out.println(userEvent);
+        System.out.println(user);
+
+        eventRepository.save(event);
+        userEventRepository.save(userEvent);
+        return new ResponseEntity<>("", HttpStatus.OK);
+    }
+
+    @PostMapping(path = "/del")
+    public @ResponseBody
+    ResponseEntity<String> delEvent(
+            @RequestHeader("Authorization") String authorizationHeader,
+            @RequestParam Integer eventId
+    ) {
+        User authUser = userRepository.findByToken(authorizationHeader.split("\\s")[1]);
+        if(authUser == null || authUser.isAdmin()){
+            return new ResponseEntity<>( "Du hast keine Rechte um den Termin zu löschen", HttpStatus.UNAUTHORIZED);
+        }
+
+        eventRepository.deleteUserEventsById(Long.valueOf(eventId));
+        eventRepository.deleteById(Long.valueOf(eventId));
+        return new ResponseEntity<>("", HttpStatus.OK);
+    }
+
+    @PostMapping(path = "/all")
+    public @ResponseBody
+    Object[] getAllEvents(@RequestParam long userId) {
+        return eventRepository.findAllVisibleByUserId(userId);
+    }
+
+    @PostMapping(path = "/edit")
+    public @ResponseBody
+    String editEvent(
+            @RequestParam Integer userId,
+            @RequestParam String date,
+            @RequestParam String name,
+            @RequestParam String start,
+            @RequestParam String end,
+            @RequestParam Integer prority,
+            @RequestParam Boolean isFullDay,
+            @RequestParam Boolean isPrivate
+    ) {
+        return "";
+    }
+}

server/src/main/java/com/vpr/server/controller/MainController.java

@@ -0,0 +1,42 @@
+package com.vpr.server.controller;
+
+import com.vpr.server.data.Event;
+import com.vpr.server.data.User;
+import com.vpr.server.data.UserEvent;
+import com.vpr.server.repository.EventRepository;
+import com.vpr.server.repository.UserEventRepository;
+import com.vpr.server.repository.UserRepository;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.ResponseEntity;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.*;
+import org.springframework.web.server.ResponseStatusException;
+
+import java.sql.Time;
+import java.text.SimpleDateFormat;
+
+@Controller // This means that this class is a Controller
+@RequestMapping(path = "/vpr") // This means URL's start with /demo (after Application path)
+public class MainController {
+
+    // This means to get the bean called userRepository
+    // Which is auto-generated by Spring, we will use it to handle the data
+    @Autowired
+    private UserRepository userRepository;
+    @Autowired
+    private EventRepository eventRepository;
+    @Autowired
+    private UserEventRepository userEventRepository;
+
+    @GetMapping(path = "/status-test")
+    public String statusTest(){
+        throw new ResponseStatusException(HttpStatus.I_AM_A_TEAPOT, "TestTestTest");
+    }
+
+    @PostMapping(path = "/header-test")
+    public ResponseEntity<String> headerTest(@RequestHeader("Authorization") String authorizationHeader){
+        System.out.println("authorizationHeader: " + authorizationHeader);
+        return new ResponseEntity<>(authorizationHeader, HttpStatus.OK);
+    }
+}

server/src/main/java/com/vpr/server/controller/UserController.java

@@ -0,0 +1,131 @@
+package com.vpr.server.controller;
+
+import com.vpr.server.data.User;
+import com.vpr.server.repository.UserRepository;
+import com.vpr.server.security.Hasher;
+import com.vpr.server.security.Token;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.ResponseEntity;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.*;
+import org.springframework.web.server.ResponseStatusException;
+
+import java.security.NoSuchAlgorithmException;
+import java.security.spec.InvalidKeySpecException;
+import java.util.Arrays;
+
+@Controller
+@RequestMapping(path = "/user")
+public class UserController {
+    @Autowired
+    private UserRepository userRepository;
+
+    /******************
+     * POST-ENDPOINTS *
+     ******************/
+
+    @PostMapping(path = "/add")
+    public @ResponseBody
+    ResponseEntity<String> addNewUser(
+            @RequestHeader("Authorization") String authorizationHeader,
+            @RequestParam String name,
+            @RequestParam String forename,
+            @RequestParam String login,
+            @RequestParam String password,
+            @RequestParam Boolean isAdmin
+    ) {
+        User authUser = userRepository.findByToken(authorizationHeader.split("\\s")[1]);
+        if(authUser == null || authUser.isAdmin()){
+            return new ResponseEntity<>( "Du hast keine Rechte um den Termin zu löschen", HttpStatus.UNAUTHORIZED);
+        }
+
+        if(userRepository.findByLogin(login) != null){
+            return new ResponseEntity<>( "Login exestiert bereits", HttpStatus.BAD_REQUEST);
+        }
+
+        byte[] salt = Hasher.GenerateSalt();
+        byte[] hash;
+        try {
+            hash = Hasher.HashPassword(password, salt);
+        } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
+            e.printStackTrace();
+            return new ResponseEntity<>( "Fehler beim hashen", HttpStatus.INTERNAL_SERVER_ERROR);
+        }
+
+        User user = new User();
+
+        user.setName(name);
+        user.setForename(forename);
+        user.setLogin(login);
+        user.setPassword(hash);
+        user.setSalt(salt);
+        user.setToken("");
+        user.setAdmin(isAdmin);
+
+        userRepository.save(user);
+        return new ResponseEntity<>( "" + user.getId(), HttpStatus.OK);
+    }
+
+    @PostMapping(path = "/login")
+    public @ResponseBody
+    ResponseEntity<String> login(
+            @RequestParam String login,
+            @RequestParam String password
+    ) {
+        System.out.println(login + " tries to login.");
+        User user = userRepository.findByLogin(login);
+        if (user == null) {
+            System.out.println("Login for " + login + " failed.");
+            return new ResponseEntity<>( "Falscher login", HttpStatus.UNAUTHORIZED);
+        }
+
+        byte[] salt = user.getSalt();
+        byte[] hash;
+        try {
+            hash = Hasher.HashPassword(password, salt);
+        } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
+            e.printStackTrace();
+            return new ResponseEntity<>( "Fehler beim hashen", HttpStatus.INTERNAL_SERVER_ERROR);
+        }
+
+        if (Arrays.equals(user.getPassword(), hash)) {
+            String token = Token.Generate(user.getLogin());
+            user.setToken(token);
+            userRepository.save(user);
+
+            System.out.println(user.getLogin() + " is now logged in.");
+            System.out.println(Token.Verify(Token.Generate(user.getLogin()), user.getLogin()));
+
+            return new ResponseEntity<>( token + " " + user.getId(), HttpStatus.OK);
+        }
+        System.out.println(user.getLogin() + " failed to logged in.");
+        System.out.println("entered : " + javax.xml.bind.DatatypeConverter.printHexBinary(hash));
+        System.out.println("required: " + javax.xml.bind.DatatypeConverter.printHexBinary(user.getPassword()));
+
+        return new ResponseEntity<>( "Falscher login", HttpStatus.UNAUTHORIZED);
+    }
+
+    @PostMapping(path = "/del")
+    public @ResponseBody ResponseEntity<String> deleteUser(
+            @RequestHeader("Authorization") String authorizationHeader,
+            @RequestParam Integer userId
+    ) {
+        User authUser = userRepository.findByToken(authorizationHeader.split("\\s")[1]);
+        if(authUser == null || authUser.isAdmin()){
+            return new ResponseEntity<>( "Du hast keine Rechte um den Termin zu löschen", HttpStatus.UNAUTHORIZED);
+        }
+        userRepository.deleteById(Long.valueOf(userId));
+        return new ResponseEntity<>( "", HttpStatus.OK);
+    }
+
+    /*****************
+     * GET-ENDPOINTS *
+     *****************/
+
+    @GetMapping(path = "/all")
+    public @ResponseBody
+    Object[] getAllUsers() {
+        return userRepository.findAllUsernames();
+    }
+}

server/src/main/java/com/vpr/server/data/DateEvent.java

@@ -1,4 +1,4 @@
-package com.vpr.server;
+package com.vpr.server.data;
 
 import java.sql.Date;
 import java.sql.Time;

server/src/main/java/com/vpr/server/data/Event.java

@@ -1,4 +1,4 @@
-package com.vpr.server;
+package com.vpr.server.data;
 
 import javax.persistence.*;
 import java.sql.Time;

server/src/main/java/com/vpr/server/data/User.java

@@ -1,4 +1,4 @@
-package com.vpr.server;
+package com.vpr.server.data;
 
 import javax.persistence.*;
 import java.util.List;
@@ -17,8 +17,14 @@ public class User {
     @Column(name="forename", nullable=false)
     private String forename;
 
+    @Column(name="login", nullable=false)
+    private String login;
+
     @Column(name="password", nullable=false)
-    private String password;
+    private byte[] password;
+
+    @Column(name="salt", nullable=false)
+    private byte[] salt;
 
     @Column(name="token")
     private String token;
@@ -57,14 +63,30 @@ public class User {
         this.forename = forename;
     }
 
-    public String getPassword() {
+    public String getLogin() {
+        return login;
+    }
+
+    public void setLogin(String login) {
+        this.login = login;
+    }
+
+    public byte[] getPassword() {
         return password;
     }
 
-    public void setPassword(String password) {
+    public void setPassword(byte[] password) {
         this.password = password;
     }
 
+    public byte[] getSalt() {
+        return salt;
+    }
+
+    public void setSalt(byte[] salt) {
+        this.salt = salt;
+    }
+
     public String getToken() {
         return token;
     }

server/src/main/java/com/vpr/server/data/UserEvent.java

@@ -1,8 +1,7 @@
-package com.vpr.server;
+package com.vpr.server.data;
 
 import javax.persistence.*;
 import java.sql.Date;
-import java.util.List;
 
 // @Entity creates a table out of this class with Hibernate
 // @Table defines the table-name

server/src/main/java/com/vpr/server/data/UserEventId.java

@@ -1,4 +1,4 @@
-package com.vpr.server;
+package com.vpr.server.data;
 
 import java.io.Serializable;
 import java.sql.Date;

server/src/main/java/com/vpr/server/repository/EventRepository.java

@@ -1,9 +1,11 @@
-package com.vpr.server;
+package com.vpr.server.repository;
 
+import com.vpr.server.data.Event;
+import org.springframework.data.jpa.repository.Modifying;
 import org.springframework.data.jpa.repository.Query;
 import org.springframework.data.repository.CrudRepository;
 
-import java.util.List;
+import javax.transaction.Transactional;
 
 // This will be AUTO IMPLEMENTED by Spring into a Bean called eventRepository
 // CRUD refers Create, Read, Update, Delete
@@ -29,4 +31,17 @@ public interface EventRepository extends CrudRepository<Event, Integer> {
             "WHERE ue.user_id = ?1",
             nativeQuery = true)
     Object[] findAllByUserId(long id);
+
+    @Modifying
+    @Transactional
+    @Query(value = "DELETE ue FROM user_event ue WHERE ue.event_id = ?1",
+    nativeQuery = true)
+    void deleteUserEventsById(long id);
+
+
+    @Modifying
+    @Transactional
+    @Query(value = "DELETE e FROM event e WHERE e.id = ?1",
+            nativeQuery = true)
+    void deleteById(long id);
 }

server/src/main/java/com/vpr/server/repository/UserEventRepository.java

@@ -1,11 +1,8 @@
-package com.vpr.server;
+package com.vpr.server.repository;
 
-import org.springframework.data.jpa.repository.Query;
+import com.vpr.server.data.UserEvent;
 import org.springframework.data.repository.CrudRepository;
 
-import java.sql.Date;
-import java.util.List;
-
 // This will be AUTO IMPLEMENTED by Spring into a Bean called eventListRepository
 // CRUD refers Create, Read, Update, Delete
 

server/src/main/java/com/vpr/server/repository/UserRepository.java

@@ -1,13 +1,11 @@
-package com.vpr.server;
+package com.vpr.server.repository;
 
+import com.vpr.server.data.User;
 import org.springframework.data.jpa.repository.Query;
 import org.springframework.data.repository.CrudRepository;
 
-import java.util.List;
-
 // This will be AUTO IMPLEMENTED by Spring into a Bean called userRepository
 // CRUD refers Create, Read, Update, Delete
-
 public interface UserRepository extends CrudRepository<User, Integer> {
 
     @Query(value = "SELECT u.id, u.name, u.forename " +
@@ -15,5 +13,13 @@ public interface UserRepository extends CrudRepository<User, Integer> {
             nativeQuery = true)
     Object[] findAllUsernames();
 
-    com.vpr.server.User findById(long id);
+    User findById(long id);
+
+    User findByLogin(String login);
+
+    User findByLoginAndPassword(String login, byte[] password);
+
+    void deleteById(long id);
+
+    User findByToken(String token);
 }

server/src/main/java/com/vpr/server/security/Hasher.java

@@ -0,0 +1,28 @@
+package com.vpr.server.security;
+
+import javax.crypto.SecretKeyFactory;
+import javax.crypto.spec.PBEKeySpec;
+import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.KeySpec;
+
+public class Hasher {
+
+    public static byte[] HashPassword(String password, byte[] salt) throws NoSuchAlgorithmException, InvalidKeySpecException {
+        // Credit: https://www.baeldung.com/java-password-hashing
+        // Generate hash with PBKDF2
+        KeySpec spec = new PBEKeySpec(password.toCharArray(), salt, 65536, 128);
+        SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
+        return factory.generateSecret(spec).getEncoded();
+    }
+
+    public static byte[] GenerateSalt(){
+        // Credit: https://www.baeldung.com/java-password-hashing
+        // Create a salt
+        SecureRandom random = new SecureRandom();
+        byte[] salt = new byte[16];
+        random.nextBytes(salt);
+        return salt;
+    }
+}

server/src/main/java/com/vpr/server/security/Token.java

@@ -0,0 +1,26 @@
+package com.vpr.server.security;
+
+import io.jsonwebtoken.JwtException;
+import io.jsonwebtoken.Jwts;
+import io.jsonwebtoken.SignatureAlgorithm;
+import io.jsonwebtoken.security.Keys;
+import java.security.Key;
+
+public class Token {
+
+    private static Key KEY = Keys.secretKeyFor(SignatureAlgorithm.HS256);
+
+    public static String Generate(String subject){
+        return Jwts.builder().setSubject(subject).signWith(KEY).compact();
+    }
+
+    public static boolean Verify(String jws, String subject){
+        try {
+            assert Jwts.parserBuilder().setSigningKey(KEY).build().parseClaimsJws(jws)
+                    .getBody().getSubject().equals(subject);
+            return true;
+        } catch (JwtException e) {
+            return false;
+        }
+    }
+}