ASWI - Pokročilé softwarové inženýrství » ASWI 2022 » Zpracování geografických údajů v novoasyrských textech (KBS FF) - Code of Duty

package cz.zcu.kiv.backendapi.user;

import com.auth0.jwt.JWT;

import com.auth0.jwt.JWTVerifier;

import com.auth0.jwt.algorithms.Algorithm;

import com.auth0.jwt.interfaces.DecodedJWT;

import com.google.common.base.Strings;

import cz.zcu.kiv.backendapi.exception.ApiRequestException;

import cz.zcu.kiv.backendapi.security.jwt.JwtUtils;

import cz.zcu.kiv.backendapi.user.password.PasswordDto;

import cz.zcu.kiv.backendapi.user.permission.PermissionDto;

import io.swagger.v3.oas.annotations.Operation;

import lombok.RequiredArgsConstructor;

import lombok.extern.slf4j.Slf4j;

import org.springframework.http.HttpHeaders;

import org.springframework.http.HttpStatus;

import org.springframework.http.ResponseEntity;

import org.springframework.security.core.GrantedAuthority;

import org.springframework.web.bind.annotation.*;

import javax.servlet.http.HttpServletRequest;

import javax.servlet.http.HttpServletResponse;

import javax.validation.Valid;

import javax.validation.constraints.NotNull;

import java.io.IOException;

import java.time.LocalDateTime;

import java.time.ZoneId;

import java.util.Date;

import java.util.List;

import java.util.stream.Collectors;

/**

 * Controller for users

 */

@RestController

@RequiredArgsConstructor

@RequestMapping("/users")

@Slf4j

public class UserController {

    /**

     * User service

     */

    private final IUserService userService;

    /**

     * JWT utils

     */

    private final JwtUtils jwtUtils;

    /**

     * Registers new user

     *

     * @param userDto user DTO

     */

    @PostMapping("")

    @Operation(summary = "registers new user")

    public void registerNewUser(@RequestBody @Valid UserDto userDto) {

        userService.registerNewUser(userDto);

    }

    /**

     * Changes password to logged-in user

     *

     * @param oldPassword old password

     * @param passwordDto password DTO

     */

    @PatchMapping("/password")

    @Operation(summary = "changes password to logged-in user")

    public void changePassword(@Valid @NotNull(message = "Old password must not be null") @RequestParam String oldPassword, @RequestBody @Valid PasswordDto passwordDto) {

        userService.changePassword(oldPassword, passwordDto.getPassword());

    }

    /**

     * Returns list of all users

     *

     * @return list of all users

     */

    @GetMapping("")

    @Operation(summary = "returns all users")

    public ResponseEntity<List<UserDto>> getAllUsers() {

        return new ResponseEntity<>(userService.getAllUsers(), HttpStatus.OK);

    }

    /**

     * Updates permissions to given user

     *

     * @param username      username

     * @param permissionDto permissions

     */

    @PatchMapping("/{username}/permissions")

    @Operation(summary = "changes permissions to given user")

    public void updatePermissions(@PathVariable String username, @RequestBody PermissionDto permissionDto) {

        userService.updatePermissions(username, permissionDto);

    }

    /**

     * Resets password to given user

     *

     * @param username    username

     * @param passwordDto password

     */

    @PatchMapping(value = "/{username}/password")

    @Operation(summary = "changes password to given user")

    public void resetPassword(@PathVariable String username, @RequestBody @Valid PasswordDto passwordDto) {

        userService.resetPassword(username, passwordDto.getPassword());

    }

    //TODO check if needed, comment otherwise

    @DeleteMapping("/{username}")

    @Operation(summary = "deletes user with given username")

    public void deleteUser(@PathVariable String username) {

        userService.deleteUser(username);

    }

    /**

     * Refreshes access token if refresh token is valid

     *

     * @param request  request

     * @param response response

     * @throws IOException I/O Exception

     */

    @GetMapping("/token")

    @Operation(summary = "returns a new access token and a refresh token to user")

    public void refreshToken(HttpServletRequest request, HttpServletResponse response) throws IOException {

        String authorizationHeader = request.getHeader(HttpHeaders.AUTHORIZATION);

        if (Strings.isNullOrEmpty(authorizationHeader) || !authorizationHeader.startsWith(jwtUtils.getTokenPrefix())) {

            throw new ApiRequestException("Refresh token is missing", HttpStatus.FORBIDDEN);

        }

        try {

            String refresh_token = authorizationHeader.substring(jwtUtils.getTokenPrefix().length());

            Algorithm algorithm = jwtUtils.getAlgorithm(); //TODO secure

            JWTVerifier verifier = JWT.require(algorithm).build();

            DecodedJWT decodedJWT = verifier.verify(refresh_token);

            String username = decodedJWT.getSubject();

            UserEntity user = userService.getUserByName(username);

            String access_token = JWT.create()

                    .withSubject(user.getUsername())

                    .withExpiresAt(Date.from((LocalDateTime.now().plusMinutes(jwtUtils.getTokenExpirationAfterMinutes())).atZone(ZoneId.systemDefault()).toInstant()))

                    .withIssuer(request.getRequestURL().toString())

                    .withClaim(jwtUtils.getClaimAuthoritiesName(), user.getAuthorities().stream().map(GrantedAuthority::getAuthority).collect(Collectors.toList()))

                    .sign(algorithm);

            jwtUtils.writeTokensToResponse(response, access_token, refresh_token);

        } catch (Exception e) {

            log.error("Error refreshing token in: " + e.getMessage());

            jwtUtils.writeErrorToResponse(response, e);

        }

    }

}