disables CSRF

2021-02-04 03:15:06 +01:00
parent b9a4a220a5
commit 540bece552
5 changed files with 52 additions and 8 deletions
--- a/src/main/kotlin/eu/fosil/okupamicoche/dto/TravelDto.kt
+++ b/src/main/kotlin/eu/fosil/okupamicoche/dto/TravelDto.kt
@@ -16,7 +16,7 @@ class TravelDto(
    val origin: String = "",
    val destination: String = "",
    val places: Int = 0,
-    val description: String? = null,
+    var description: String? = null,
    val matrixRoomId: String = ""
 ) {
    constructor(travel: Travel) : this(
--- a/src/main/kotlin/eu/fosil/okupamicoche/spring/conf/WebSecurityConfig.kt
+++ b/src/main/kotlin/eu/fosil/okupamicoche/spring/conf/WebSecurityConfig.kt
@@ -3,6 +3,9 @@ package eu.fosil.okupamicoche.spring.conf
 import org.springframework.context.annotation.Configuration
 import org.springframework.security.config.annotation.web.builders.HttpSecurity
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
+import org.springframework.web.servlet.config.annotation.CorsRegistry
+import org.springframework.web.servlet.config.annotation.WebMvcConfigurer
+

@Configuration
 class JWTSecurityConfig : WebSecurityConfigurerAdapter() {
@@ -10,6 +13,7 @@ class JWTSecurityConfig : WebSecurityConfigurerAdapter() {
    override fun configure(http: HttpSecurity) {//@formatter:off
        http.cors()
            .and()
+                .csrf().disable()
                .authorizeRequests()
                    .antMatchers("/api/public/**").permitAll()
                    .antMatchers("/api/user/**").authenticated()
@@ -19,4 +23,11 @@ class JWTSecurityConfig : WebSecurityConfigurerAdapter() {
                .oauth2ResourceServer()
                    .jwt()
    }//@formatter:on
-}
+}
+
+@Configuration
+class CorsConfigurer : WebMvcConfigurer {
+    override fun addCorsMappings(registry: CorsRegistry) {
+        registry.addMapping("/**").allowedOrigins("http://localhost:4200")
+    }
+}
--- a/src/main/kotlin/eu/fosil/okupamicoche/spring/controller/ApiRestController.kt
+++ b/src/main/kotlin/eu/fosil/okupamicoche/spring/controller/ApiRestController.kt
@@ -28,4 +28,16 @@ interface ApiRestController {
        }
        throw UserIdNotFoundException()
    }
+
+    /**
+     * Devuelve el id del usuario actual.
+     */
+    fun getCurrentUserClaims(): Map<String, Any> {
+        val authentication = SecurityContextHolder.getContext().authentication
+        if (authentication.principal is Jwt) {
+            val jwt = authentication.principal as Jwt
+            return jwt.claims
+        }
+        throw UserIdNotFoundException()
+    }
 }
--- a/src/main/kotlin/eu/fosil/okupamicoche/spring/controller/PrivateTravelRestController.kt
+++ b/src/main/kotlin/eu/fosil/okupamicoche/spring/controller/PrivateTravelRestController.kt
@@ -16,16 +16,16 @@ import org.springframework.web.bind.annotation.*

@RestController
@RequestMapping("/api/travel")
-@CrossOrigin(origins = ["http://localhost:4200"])
 class PrivateTravelRestController(
    private val userRepository: UserRepository,
    private val travelRepository: TravelRepository
 ) : ApiRestController {

    @RequestMapping("/create")
-    fun createTravel(@ModelAttribute @Validated travel: TravelDto): ApiResponse<Unit> {
+    fun createTravel(@RequestBody @Validated travel: TravelDto): ApiResponse<Unit> {
        return response {
            val driver = userRepository.findByIdOrNull(getCurrentUserId()) ?: throw UserIdNotFoundException()
+            println("travel des=${travel.description}")
            travel.driverInfo = UserInfoDto(driver)
            CreateTravel(travelRepository).createTravel(travel.toTravel(userRepository))
        }
--- a/src/main/kotlin/eu/fosil/okupamicoche/spring/controller/PrivateUserRestController.kt
+++ b/src/main/kotlin/eu/fosil/okupamicoche/spring/controller/PrivateUserRestController.kt
@@ -1,11 +1,13 @@
 package eu.fosil.okupamicoche.spring.controller

-import eu.fosil.okupamicoche.entities.ApiResponse
-import eu.fosil.okupamicoche.entities.UserId
-import eu.fosil.okupamicoche.repositories.UserRepository
 import eu.fosil.okupamicoche.dto.CreateUserDto
 import eu.fosil.okupamicoche.dto.UserDto
+import eu.fosil.okupamicoche.entities.ApiResponse
+import eu.fosil.okupamicoche.entities.User
+import eu.fosil.okupamicoche.entities.UserId
+import eu.fosil.okupamicoche.repositories.UserRepository
 import eu.fosil.okupamicoche.usecases.user.*
+import org.springframework.data.repository.findByIdOrNull
 import org.springframework.validation.annotation.Validated
 import org.springframework.web.bind.annotation.CrossOrigin
 import org.springframework.web.bind.annotation.RequestBody
@@ -14,9 +16,28 @@ import org.springframework.web.bind.annotation.RestController

@RestController
@RequestMapping("/api/user")
-@CrossOrigin(origins = ["http://localhost:4200"])
 class PrivateUserRestController(private val userRepository: UserRepository) : ApiRestController {

+    @RequestMapping("/user")
+    fun getCurrentUserCreateIfNeeded(): ApiResponse<UserDto> {
+        return response {
+            var user = userRepository.findByIdOrNull(getCurrentUserId())
+            
+            if (user == null) {
+                val claims = getCurrentUserClaims()
+                user = User(
+                    claims["sub"].toString(),
+                    "@${claims["preferred_username"].toString()}:fosil.eu",
+                    claims["given_name"].toString(),
+                    claims["email"].toString()
+                )
+                CreateUser(userRepository).createUser(user)
+            }
+
+            UserDto(user)
+        }
+    }
+
    @RequestMapping("/create")
    fun createUser(@RequestBody @Validated createUserDto: CreateUserDto): ApiResponse<Unit> {
        return response {