Added auth to the /event/del endpoint

Check for unique logins

server/src/main/java/com/vpr/server/controller/EventController.java

@@ -8,11 +8,9 @@ import com.vpr.server.repository.UserEventRepository;
 import com.vpr.server.repository.UserRepository;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatus;
+import org.springframework.http.ResponseEntity;
 import org.springframework.stereotype.Controller;
-import org.springframework.web.bind.annotation.PostMapping;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RequestParam;
-import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.*;
 import org.springframework.web.server.ResponseStatusException;
 
 import java.sql.Time;
@@ -34,7 +32,7 @@ public class EventController {
 
     @PostMapping(path = "/add")
     public @ResponseBody
-    String addEvent(
+    ResponseEntity<String> addEvent(
             @RequestParam Integer userId,
             @RequestParam String date,
             @RequestParam String name,
@@ -53,7 +51,7 @@ public class EventController {
             event.setName(name);
         } else {
             System.out.println("NAME IST ZU KURZ");
-            throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "Format nicht korrekt");
+            return new ResponseEntity<>("Der Name ist zu kurz", HttpStatus.BAD_REQUEST);
         }
 
         try {
@@ -84,7 +82,7 @@ public class EventController {
             userEvent.setDate(new java.sql.Date(simpleDateFormat.parse(date).getTime()));
         } catch (Exception e) {
             System.out.println("DATE FORMAT NOT CORRECT");
-            throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "Format nicht korrekt");
+            return new ResponseEntity<>("Datumformat nicht korrekt", HttpStatus.BAD_REQUEST);
         }
 
         userEvent.setEvent(event);
@@ -97,15 +95,23 @@ public class EventController {
 
         eventRepository.save(event);
         userEventRepository.save(userEvent);
-        return "";
+        return new ResponseEntity<>("", HttpStatus.OK);
     }
 
     @PostMapping(path = "/del")
     public @ResponseBody
-    String addEvent(@RequestParam Integer eventId) {
+    ResponseEntity<String> delEvent(
+            @RequestHeader("Authorization") String authorizationHeader,
+            @RequestParam Integer eventId
+    ) {
+        User authUser = userRepository.findByToken(authorizationHeader.split("\\s")[1]);
+        if(authUser == null || authUser.isAdmin()){
+            return new ResponseEntity<>( "Du hast keine Rechte um den Termin zu löschen", HttpStatus.UNAUTHORIZED);
+        }
+
         eventRepository.deleteUserEventsById(Long.valueOf(eventId));
         eventRepository.deleteById(Long.valueOf(eventId));
-        return "Deleted";
+        return new ResponseEntity<>("", HttpStatus.OK);
     }
 
     @PostMapping(path = "/all")
@@ -114,4 +120,18 @@ public class EventController {
         return eventRepository.findAllVisibleByUserId(userId);
     }
 
+    @PostMapping(path = "/edit")
+    public @ResponseBody
+    String editEvent(
+            @RequestParam Integer userId,
+            @RequestParam String date,
+            @RequestParam String name,
+            @RequestParam String start,
+            @RequestParam String end,
+            @RequestParam Integer prority,
+            @RequestParam Boolean isFullDay,
+            @RequestParam Boolean isPrivate
+    ) {
+        return "";
+    }
 }

server/src/main/java/com/vpr/server/controller/MainController.java

@@ -33,4 +33,10 @@ public class MainController {
     public String statusTest(){
         throw new ResponseStatusException(HttpStatus.I_AM_A_TEAPOT, "TestTestTest");
     }
+
+    @PostMapping(path = "/header-test")
+    public ResponseEntity<String> headerTest(@RequestHeader("Authorization") String authorizationHeader){
+        System.out.println("authorizationHeader: " + authorizationHeader);
+        return new ResponseEntity<>(authorizationHeader, HttpStatus.OK);
+    }
 }

server/src/main/java/com/vpr/server/controller/UserController.java

@@ -6,6 +6,7 @@ import com.vpr.server.security.Hasher;
 import com.vpr.server.security.Token;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatus;
+import org.springframework.http.ResponseEntity;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.*;
 import org.springframework.web.server.ResponseStatusException;
@@ -26,47 +27,57 @@ public class UserController {
 
     @PostMapping(path = "/add")
     public @ResponseBody
-    String addNewUser(
+    ResponseEntity<String> addNewUser(
+            @RequestHeader("Authorization") String authorizationHeader,
             @RequestParam String name,
             @RequestParam String forename,
             @RequestParam String login,
             @RequestParam String password,
-            @RequestParam String isAdmin
+            @RequestParam Boolean isAdmin
     ) {
+        User authUser = userRepository.findByToken(authorizationHeader.split("\\s")[1]);
+        if(authUser == null || authUser.isAdmin()){
+            return new ResponseEntity<>( "Du hast keine Rechte um den Termin zu löschen", HttpStatus.UNAUTHORIZED);
+        }
+
+        if(userRepository.findByLogin(login) != null){
+            return new ResponseEntity<>( "Login exestiert bereits", HttpStatus.BAD_REQUEST);
+        }
+
         byte[] salt = Hasher.GenerateSalt();
         byte[] hash;
         try {
             hash = Hasher.HashPassword(password, salt);
         } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
             e.printStackTrace();
-            throw new ResponseStatusException(HttpStatus.INTERNAL_SERVER_ERROR, "Fehler beim hashen");
+            return new ResponseEntity<>( "Fehler beim hashen", HttpStatus.INTERNAL_SERVER_ERROR);
         }
 
         User user = new User();
 
-        // TODO set correct token and password
         user.setName(name);
         user.setForename(forename);
         user.setLogin(login);
         user.setPassword(hash);
         user.setSalt(salt);
-        user.setToken("test");
-        user.setAdmin(isAdmin.equals("1"));
+        user.setToken("");
+        user.setAdmin(isAdmin);
 
         userRepository.save(user);
-        return "" + user.getId();
+        return new ResponseEntity<>( "" + user.getId(), HttpStatus.OK);
     }
 
     @PostMapping(path = "/login")
     public @ResponseBody
-    String login(
+    ResponseEntity<String> login(
             @RequestParam String login,
             @RequestParam String password
     ) {
-        System.out.println("LOGIN");
+        System.out.println(login + " tries to login.");
         User user = userRepository.findByLogin(login);
         if (user == null) {
-            throw new ResponseStatusException(HttpStatus.UNAUTHORIZED, "Falscher login");
+            System.out.println("Login for " + login + " failed.");
+            return new ResponseEntity<>( "Falscher login", HttpStatus.UNAUTHORIZED);
         }
 
         byte[] salt = user.getSalt();
@@ -75,26 +86,37 @@ public class UserController {
             hash = Hasher.HashPassword(password, salt);
         } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
             e.printStackTrace();
-            throw new ResponseStatusException(HttpStatus.INTERNAL_SERVER_ERROR, "Fehler beim hashen");
+            return new ResponseEntity<>( "Fehler beim hashen", HttpStatus.INTERNAL_SERVER_ERROR);
         }
 
         if (Arrays.equals(user.getPassword(), hash)) {
+            String token = Token.Generate(user.getLogin());
+            user.setToken(token);
+            userRepository.save(user);
+
             System.out.println(user.getLogin() + " is now logged in.");
-            System.out.println(Token.Generate(user.getLogin()));
             System.out.println(Token.Verify(Token.Generate(user.getLogin()), user.getLogin()));
-            return "" + user.getId();
+
+            return new ResponseEntity<>( token + " " + user.getId(), HttpStatus.OK);
         }
         System.out.println(user.getLogin() + " failed to logged in.");
         System.out.println("entered : " + javax.xml.bind.DatatypeConverter.printHexBinary(hash));
         System.out.println("required: " + javax.xml.bind.DatatypeConverter.printHexBinary(user.getPassword()));
 
-        throw new ResponseStatusException(HttpStatus.UNAUTHORIZED, "Falscher login");
+        return new ResponseEntity<>( "Falscher login", HttpStatus.UNAUTHORIZED);
     }
 
     @PostMapping(path = "/del")
-    public @ResponseBody String deleteUser(@RequestParam Integer userId) {
+    public @ResponseBody ResponseEntity<String> deleteUser(
+            @RequestHeader("Authorization") String authorizationHeader,
+            @RequestParam Integer userId
+    ) {
+        User authUser = userRepository.findByToken(authorizationHeader.split("\\s")[1]);
+        if(authUser == null || authUser.isAdmin()){
+            return new ResponseEntity<>( "Du hast keine Rechte um den Termin zu löschen", HttpStatus.UNAUTHORIZED);
+        }
         userRepository.deleteById(Long.valueOf(userId));
-        return "Deleted";
+        return new ResponseEntity<>( "", HttpStatus.OK);
     }
 
     /*****************

server/src/main/java/com/vpr/server/repository/UserRepository.java

@@ -20,4 +20,6 @@ public interface UserRepository extends CrudRepository<User, Integer> {
     User findByLoginAndPassword(String login, byte[] password);
 
     void deleteById(long id);
+
+    User findByToken(String token);
 }