From c62de5d6ed9597a38af97f9fdd00b58ff67f2554 Mon Sep 17 00:00:00 2001
From: Takiguchi
Date: Mon, 14 May 2018 22:12:48 +0200
Subject: [PATCH] Edition of security layer and its impacts.
---
 .../org/codiki/account/AccountController.java | 9 ++++++++-
 .../codiki/core/entities/dto/CategoryDTO.java | 2 ++
 .../core/entities/persistence/Category.java | 2 ++
 .../core/security/AuthenticationFilter.java | 14 ++++++++++----
 .../org/codiki/core/security/TokenService.java | 5 +++--
 .../java/org/codiki/posts/PostController.java | 18 ++++++++++++++----
 .../java/org/codiki/posts/PostService.java | 12 ++++++------
 7 files changed, 45 insertions(+), 17 deletions(-)
diff --git a/src/main/java/org/codiki/account/AccountController.java b/src/main/java/org/codiki/account/AccountController.java
index 9173b7e..efa79a6 100755
--- a/src/main/java/org/codiki/account/AccountController.java
+++ b/src/main/java/org/codiki/account/AccountController.java
@@ -1,12 +1,14 @@
 package org.codiki.account;
 import java.io.IOException;
+import java.util.Optional;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import org.codiki.core.entities.dto.PasswordWrapperDTO;
 import org.codiki.core.entities.dto.UserDTO;
+import org.codiki.core.entities.persistence.User;
 import org.codiki.core.security.TokenService;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.web.bind.annotation.GetMapping;
@@ -73,6 +75,11 @@ public class AccountController {
 public void changePassword(@RequestBody final PasswordWrapperDTO pPasswordWrapper, final HttpServletRequest pRequest, final HttpServletResponse pResponse) throws IOException {
- accountService.changePassword(tokenService.getAuthenticatedUserByToken(pRequest), pPasswordWrapper, pResponse);
+ final Optional connectedUser = tokenService.getAuthenticatedUserByToken(pRequest);
+ if(connectedUser.isPresent()) {
+ accountService.changePassword(connectedUser.get(), pPasswordWrapper, pResponse);
+ } else {
+ pResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED);
+ }
 }
 }
diff --git a/src/main/java/org/codiki/core/entities/dto/CategoryDTO.java b/src/main/java/org/codiki/core/entities/dto/CategoryDTO.java
index addcf10..4c1fdc0 100755
--- a/src/main/java/org/codiki/core/entities/dto/CategoryDTO.java
+++ b/src/main/java/org/codiki/core/entities/dto/CategoryDTO.java
@@ -1,5 +1,6 @@
 package org.codiki.core.entities.dto;
+import java.util.LinkedList;
 import java.util.List;
 import java.util.stream.Collectors;
@@ -14,6 +15,7 @@ public class CategoryDTO {
 public CategoryDTO() {
 super();
+ listSubCategories = new LinkedList<>();
 }
 public CategoryDTO(final Category pCategory) {
diff --git a/src/main/java/org/codiki/core/entities/persistence/Category.java b/src/main/java/org/codiki/core/entities/persistence/Category.java
index 17f4ea7..11fdb51 100755
--- a/src/main/java/org/codiki/core/entities/persistence/Category.java
+++ b/src/main/java/org/codiki/core/entities/persistence/Category.java
@@ -1,6 +1,7 @@
 package org.codiki.core.entities.persistence;
 import java.io.Serializable;
+import java.util.LinkedList;
 import java.util.List;
 import javax.persistence.Entity;
@@ -49,6 +50,7 @@ public class Category implements Serializable {
 /* ******************* */
 public Category() {
 super();
+ listSubCategories = new LinkedList<>();
 }
 public Category(final CategoryDTO pCategory) {
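Review bot: The 401 branch added to changePassword duplicates the gate that AuthenticationFilter now applies to `/api/account/changePassword` elsewhere in this patch, so a later reader may delete one of the two as redundant; a comment stating the intent would prevent that: `// Defence in depth: AuthenticationFilter should already have rejected this call; fail closed here too in case the route list drifts.` Note also that the filter answers with `setStatus(SC_UNAUTHORIZED)` while this controller uses `sendError(...)`, which commits the response and may hand the client a container error page rather than an empty body — worth settling on one convention across the security layer. The `isPresent()`/`get()` pair is fine on Java 8; if the project is on 9 or later, `connectedUser.ifPresentOrElse(...)` expresses the same two branches without the unguarded-looking `get()`.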
diff --git a/src/main/java/org/codiki/core/security/AuthenticationFilter.java b/src/main/java/org/codiki/core/security/AuthenticationFilter.java
index d2fb4ed..b22f5fe 100755
--- a/src/main/java/org/codiki/core/security/AuthenticationFilter.java
+++ b/src/main/java/org/codiki/core/security/AuthenticationFilter.java
@@ -13,27 +13,33 @@ import org.codiki.core.AbstractFilter;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.core.Ordered;
 import org.springframework.core.annotation.Order;
+import org.springframework.http.HttpMethod;
 import org.springframework.stereotype.Component;
 @Component
 @Order(Ordered.HIGHEST_PRECEDENCE)
 public class AuthenticationFilter extends AbstractFilter {
+ private static final String HTTP_OPTIONS = "OPTIONS";
+
+ private static final String HEADER_TOKEN = "token";
+
 @Autowired
 private TokenService tokenService;
 @Override
 protected List getRoutes() {
 return Arrays.asList(
- new Route("\\/api\\/posts\\/myPosts")
+ new Route("\\/api\\/posts\\/myPosts"),
+ new Route("\\/api\\/posts\\/preview"),
+ new Route("\\/api\\/posts\\/", HttpMethod.POST, HttpMethod.PUT, HttpMethod.DELETE),
+ new Route("\\/api\\/account/changePassword")
 );
 }
 @Override
 protected void filter(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException {
- System.out.println("Token : " + request.getHeader("token"));
-
- if("OPTIONS".equals(request.getMethod()) || tokenService.isUserConnected(request.getHeader("token"))) {
+ if(HTTP_OPTIONS.equals(request.getMethod()) || tokenService.isUserConnected(request.getHeader(HEADER_TOKEN))) {
 chain.doFilter(request, response);
 } else {
 response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
diff --git a/src/main/java/org/codiki/core/security/TokenService.java b/src/main/java/org/codiki/core/security/TokenService.java
index ba95b23..de45d5c 100755
--- a/src/main/java/org/codiki/core/security/TokenService.java
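Review bot: The list returned by getRoutes() is an allow-list of the paths that require a token, so every endpoint not named here — including any added later — is served without authentication, assuming AbstractFilter only invokes filter() for listed routes (its matching rules are outside this hunk). Inverting the model to deny-by-default, or at minimum a comment such as `// Routes NOT listed here are public; every new mutating endpoint must be added.`, would make that fail-open default explicit at the one place it is decided. Separately, `"\\/api\\/account/changePassword"` leaves its second slash unescaped, unlike the other three patterns; an unescaped `/` is still a literal in a Java regex so this is style only, but `"\\/api\\/account\\/changePassword"` keeps the patterns uniform. Whether `"\\/api\\/posts\\/"` also covers `/api/posts` without the trailing slash and `/api/posts/{id}` depends on whether Route uses `matches()` or `find()`, which deserves a test given that these three methods are the only protection on post creation, update and deletion. The filter() method continues past the end of the hunk.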
+++ b/src/main/java/org/codiki/core/security/TokenService.java
@@ -4,6 +4,7 @@ import java.util.Date;
 import java.util.LinkedList;
 import java.util.List;
 import java.util.Map;
+import java.util.Optional;
 import java.util.TreeMap;
 import javax.servlet.http.HttpServletRequest;
@@ -125,7 +126,7 @@ public class TokenService {
 }
 }
- public User getAuthenticatedUserByToken(final HttpServletRequest pRequest) {
- return connectedUsers.get(pRequest.getHeader(HEADER_TOKEN));
+ public Optional getAuthenticatedUserByToken(final HttpServletRequest pRequest) {
+ return Optional.ofNullable(connectedUsers.get(pRequest.getHeader(HEADER_TOKEN)));
 }
 }
diff --git a/src/main/java/org/codiki/posts/PostController.java b/src/main/java/org/codiki/posts/PostController.java
index 03ea680..7a9df26 100755
--- a/src/main/java/org/codiki/posts/PostController.java
+++ b/src/main/java/org/codiki/posts/PostController.java
@@ -1,6 +1,7 @@
 package org.codiki.posts;
 import java.io.IOException;
+import java.util.LinkedList;
 import java.util.List;
 import java.util.Optional;
 import java.util.stream.Collectors;
@@ -11,6 +12,7 @@ import javax.servlet.http.HttpServletResponse;
 import org.codiki.core.entities.dto.PostDTO;
 import org.codiki.core.entities.persistence.Post;
+import org.codiki.core.entities.persistence.User;
 import org.codiki.core.repositories.PostRepository;
 import org.codiki.core.security.TokenService;
 import org.codiki.core.services.ParserService;
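Review bot: `connectedUsers.get(pRequest.getHeader(HEADER_TOKEN))` is still evaluated with a null key when the request carries no `token` header; if connectedUsers is the TreeMap imported at the top of this file, `get(null)` throws NullPointerException under natural ordering, so the `isPresent()` checks the callers now rely on are never reached and an unauthenticated request ends in a 500 instead of the intended 401. Guard the header before the lookup: `final String token = pRequest.getHeader(HEADER_TOKEN);` followed by `return token == null ? Optional.empty() : Optional.ofNullable(connectedUsers.get(token));`. A Javadoc line such as `/** Resolves the session user from the token header; empty when the header is absent or not a live session. */` would also pin down the new Optional contract for the three call sites this commit introduces. The declaration of connectedUsers is outside the hunk, so the map type is inferred from the imports.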
@@ -82,10 +84,18 @@ public class PostController {
 }
 @GetMapping("/myPosts")
- public List getMyPosts(final HttpServletRequest pRequest, final HttpServletResponse pResponse) {
- return postRepository.getByCreator(tokenService
- .getAuthenticatedUserByToken(pRequest).getId())
- .parallelStream().map(PostDTO::new).collect(Collectors.toList());
+ public List getMyPosts(final HttpServletRequest pRequest, final HttpServletResponse pResponse) throws IOException {
+ List result = new LinkedList<>();
+
+ final Optional connectedUser = tokenService.getAuthenticatedUserByToken(pRequest);
+ if(connectedUser.isPresent()) {
+ result = postRepository.getByCreator(connectedUser.get().getId())
+ .stream().map(PostDTO::new).collect(Collectors.toList());
+ } else {
+ pResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED);
+ }
+
+ return result;
 }
 @PostMapping("/preview")
diff --git a/src/main/java/org/codiki/posts/PostService.java b/src/main/java/org/codiki/posts/PostService.java
index 8c0710a..6f0adfa 100755
--- a/src/main/java/org/codiki/posts/PostService.java
+++ b/src/main/java/org/codiki/posts/PostService.java
@@ -33,15 +33,15 @@ public class PostService {
 final HttpServletResponse pResponse) {
 Optional result = Optional.empty();
- final String userToken = pRequest.getHeader("token");
+ final Optional user = tokenService.getAuthenticatedUserByToken(pRequest);
- if(userToken.equals(pPost.getAuthor().getToken())) {
+ if(user.isPresent()) {
 final Post postToSave = new Post(pPost);
- postToSave.setAuthor(tokenService.getAuthenticatedUserByToken(pRequest));
+ postToSave.setAuthor(user.get());
 postRepository.save(postToSave);
 result = Optional.of(postToSave);
 } else {
- pResponse.setStatus(HttpServletResponse.SC_FORBIDDEN);
+ pResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
 }
 return result;
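Review bot: After `pResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED)` the method still returns the empty `result`, so Spring will try to serialise a JSON body into a response that sendError has already committed; the list is most likely dropped, the message converter may log or raise on the committed response, and a client that reads only the body cannot tell "unauthenticated" from "no posts". Returning `ResponseEntity<List<PostDTO>>` instead — `ResponseEntity.status(HttpStatus.UNAUTHORIZED).build()` on the empty branch, `ResponseEntity.ok(posts)` otherwise — keeps status and body consistent without writing to the servlet response by hand. Because AuthenticationFilter now gates `/api/posts/myPosts`, this branch should be unreachable in practice; a comment saying so (`// Unreachable when AuthenticationFilter is active; kept as a fail-closed backstop.`) would stop someone removing it as dead code.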
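Review bot: The removed condition `userToken.equals(pPost.getAuthor().getToken())` shows that the author object nested in PostDTO carries a `token` field, i.e. session tokens have been travelling in request bodies and — unless the PostDTO author mapping was changed outside this patch — are also serialised outward whenever posts are returned (`PostDTO::new` in getMyPosts), which would hand any reader of a post listing another user's live session token. Please confirm the author DTO no longer exposes `token` and, if it still does, drop it from the outbound mapping. Taking the author from the session with `postToSave.setAuthor(user.get())` and ignoring whatever the body claims is the right design; a one-line comment, `// Author is always the authenticated user; the author supplied in the body is not trusted.`, would protect that from a later "fix". The method signature of save() begins above the hunk.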
@@ -49,9 +49,9 @@ public class PostService {
 public void update(final PostDTO pPost, final HttpServletRequest pRequest, final HttpServletResponse pResponse) throws IOException {
- final User connectedUser = tokenService.getAuthenticatedUserByToken(pRequest);
+ final Optional connectedUser = tokenService.getAuthenticatedUserByToken(pRequest);
- if(connectedUser != null && connectedUser.getKey().equals(pPost.getAuthor().getKey())) {
+ if(connectedUser.isPresent() && connectedUser.get().getKey().equals(pPost.getAuthor().getKey())) {
 final Optional postOpt = postRepository.getByKey(pPost.getKey());
 if(postOpt.isPresent()) {
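Review bot: The ownership test on the new `if` compares the session user's key with `pPost.getAuthor().getKey()`, a value taken from the request body, so a caller who knows another user's post key can put their own key in `author` and pass the check; nothing in this hunk compares against the author actually stored on the post, which is only loaded on the following line via `postRepository.getByKey(pPost.getKey())`. Unless the body of the `if`, which lies outside the hunk, re-checks `postOpt.get().getAuthor()`, the authorisation should be made against the stored post: load first, then compare, which also makes the inner `if(postOpt.isPresent())` redundant. This assumes Post exposes `getAuthor()` alongside the `setAuthor()` used in save(). The rest of update() continues past the end of the hunk.

```java
final Optional<User> connectedUser = tokenService.getAuthenticatedUserByToken(pRequest);
final Optional<Post> postOpt = postRepository.getByKey(pPost.getKey());
// Authorise against the author persisted on the post, never the author claimed in the request body.
if(connectedUser.isPresent() && postOpt.isPresent()
        && connectedUser.get().getKey().equals(postOpt.get().getAuthor().getKey())) {
    // … unchanged: apply the update to postOpt.get() …
```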