diff --git a/README.md b/README.md index 38a3079..a681b5b 100644 --- a/README.md +++ b/README.md @@ -27,6 +27,18 @@ ____ 10. [Проверить валидность токена](#проверить-валидность-токена) ____ +### Получить токен для защиты от CSRF атак +https://istransit.kz/api/authorization/v02/get_request_token + +GET запрос без данных. + +Пример ответа: +```json +{ + "ttl":600, + "token":"VTf8zvHKqK7QFJ0ZEyheOYAUrI7cRIbejxMzRKlMzYM" +} +``` ### Получить список разрешений для пользователя по Access token https://istransit.kz/api/authorization/v02/access/ diff --git a/src/main/java/org/ccalm/jwt/MainController.java b/src/main/java/org/ccalm/jwt/MainController.java index 691f8aa..88abb6f 100644 --- a/src/main/java/org/ccalm/jwt/MainController.java +++ b/src/main/java/org/ccalm/jwt/MainController.java @@ -21,6 +21,7 @@ import net.logicsquad.nanocaptcha.image.ImageCaptcha; import net.logicsquad.nanocaptcha.image.backgrounds.GradiatedBackgroundProducer; import net.logicsquad.nanocaptcha.image.noise.CurvedLineNoiseProducer; import net.logicsquad.nanocaptcha.image.renderer.DefaultWordRenderer; +import org.apache.commons.codec.digest.DigestUtils; import org.json.JSONArray; import org.json.JSONException; import org.springframework.beans.factory.annotation.Autowired; 
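Review bot: The new `import org.apache.commons.codec.digest.DigestUtils;` has no matching use in any hunk of this diff, so unless a part of MainController.java not shown here calls it, it is an unused import and should be dropped rather than left to pull commons-codec into this class for nothing. If it backs the request-token endpoint the README hunk documents (`/api/authorization/v02/get_request_token`), it is worth confirming that the token value is produced by `SecureRandom` and that a digest is not applied to predictable inputs as the token source, since hashing only obscures its input and adds no entropy. That usage is not visible from this diff, so treat this as a check rather than a finding.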
@@ -505,26 +506,17 @@ public class MainController implements ServletContextAware { @RequestMapping(value = "/access", method = {RequestMethod.POST}, produces = "application/json;charset=utf-8") @ResponseBody public ResponseEntity access( - Model model, - @CookieValue(value = "jwt_a", defaultValue = "") String jwt_a, + Authentication authentication, @Nullable @RequestBody ActionNameModel action_name, @CookieValue(value = "lng", defaultValue = "1") String language_id ) { Translation trt = new Translation(language_id, jdbcTemplate); try { - if (jwt_a.isEmpty() || countOccurrences(jwt_a, '.') != 2) { - return new ResponseEntity<>(new ErrorResponseModel(10000, trt.trt(false, "Please_log_in"), null, null), HttpStatus.INTERNAL_SERVER_ERROR); - } - - Jws claims; - try { - claims = Jwts.parserBuilder() - .setSigningKey(getPublicKey()) - .build() - .parseClaimsJws(jwt_a); - } catch (Exception e) { - return new ResponseEntity<>(new ErrorResponseModel(10000, Arrays.asList(trt.trt(false, "Please_log_in"), trt.trt(false, "JWT_token_verification_error")), null, null), HttpStatus.INTERNAL_SERVER_ERROR); + if (authentication == null || !authentication.isAuthenticated()) { + String uuid = UUID.randomUUID().toString(); + return new ResponseEntity<>(new ErrorResponseModel(10401, trt.trt(false, "Please_log_in"), null, uuid), HttpStatus.UNAUTHORIZED); } + UserDetails userDetails = (UserDetails) authentication.getPrincipal(); String sql = """ select @@ -538,7 +530,7 @@ public class MainController implements ServletContextAware { """; MapSqlParameterSource parameters = new MapSqlParameterSource(); - parameters.addValue("user_id", claims.getBody().get("user_id")); + parameters.addValue("user_id", userDetails.getUserId()); if (action_name == null) { parameters.addValue("action_name", null); } else { 
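Review bot: The cast on the added line `UserDetails userDetails = (UserDetails) authentication.getPrincipal();` is unchecked, and the guard above it only tests `authentication == null || !authentication.isAuthenticated()`. If the application's security filter chain installs an anonymous token (Spring Security's anonymous authentication reports `isAuthenticated()` as true with a `String` principal), that request passes the guard and the cast throws `ClassCastException`, which lands in the enclosing `try`'s catch outside this hunk instead of the intended 401 path. Tightening the guard to the principal type closes this: `if (authentication == null || !authentication.isAuthenticated() || !(authentication.getPrincipal() instanceof UserDetails)) {`, leaving the cast and the `userDetails.getUserId()` lookup in the second hunk unchanged. `getUserId()` is not on Spring's `UserDetails`, so this presumably is a project type; the `access` method and its catch block continue past the hunk.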
@@ -891,9 +883,9 @@ public class MainController implements ServletContextAware { if (!json.has("result") || json.getBoolean("result")) { if(json.getInt("count")==0) { - throw new CustomException(10000, trt.trt(false, "The_user_account_is_blocked"),null); + throw new CustomException(10000, trt.trt(false, "The_user_account_is_blocked"),null,false); }else{ - throw new CustomException(10000, trt.trt(false, "The_limit_of_authorization_attempts_has_been_exceeded_please_wait_s_minutes"), String.valueOf(json.getInt("limit_duration")),(String)null); + throw new CustomException(10000, trt.trt(false, "The_limit_of_authorization_attempts_has_been_exceeded_please_wait_s_minutes"), String.valueOf(json.getInt("limit_duration")),(String)null,false); } } if(json.has("count") && json.has("limit_count") && json.has("limit_duration")) { @@ -905,7 +897,7 @@ public class MainController implements ServletContextAware { }catch (DataAccessException ex){ String uuid = UUID.randomUUID().toString(); logger.error("Функция main.user_is_blocked не вернула результата!", uuid, ex); - throw new CustomException(10000, trt.trt(false, "Error_executing_SQL_query"),uuid); + throw new CustomException(10000, trt.trt(false, "Error_executing_SQL_query"),uuid,false); }*/ 
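Review bot: Every changed line in this hunk, and likewise in the hunks at -1209/-1223/-1380 and -1635, appears to sit inside commented-out code (the regions close with `}*/`, and the -1380 hunk edits `//` lines), so the commit is keeping dead code in sync with the new four-argument `CustomException` signature rather than changing behaviour. Maintaining disabled blocks this way is error-prone and hides the fact that the blocked-user and attempt-limit checks they contain are not actually running; the `TODO should work through the authorization function` context after the -1635 hunk suggests they are superseded. I would delete the `/* … */` blocks outright (version control keeps the history), or, if the checks are still wanted, re-enable them as live code in a separate change. The constructor change itself is not part of this diff, so I cannot tell what the added trailing `false` controls; a named constant or a comment at the call sites would make that readable.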
@@ -1209,9 +1201,9 @@ public class MainController implements ServletContextAware { if (!json.has("result") || json.getBoolean("result")) { if(json.getInt("count")==0) { - throw new CustomException(10000, trt.trt(false, "The_user_account_is_blocked"),null); + throw new CustomException(10000, trt.trt(false, "The_user_account_is_blocked"),null,false); }else{ - throw new CustomException(10000, trt.trt(false, "The_limit_of_authorization_attempts_has_been_exceeded_please_wait_s_minutes"), String.valueOf(json.getInt("limit_duration")),(String)null); + throw new CustomException(10000, trt.trt(false, "The_limit_of_authorization_attempts_has_been_exceeded_please_wait_s_minutes"), String.valueOf(json.getInt("limit_duration")),(String)null,false); } } if(json.has("count") && json.has("limit_count") && json.has("limit_duration")) { @@ -1223,7 +1215,7 @@ public class MainController implements ServletContextAware { }catch (DataAccessException ex){ String uuid = UUID.randomUUID().toString(); logger.error("Error executing SQL query", uuid, ex); - throw new CustomException(10000, trt.trt(false, "Error_executing_SQL_query"),uuid); + throw new CustomException(10000, trt.trt(false, "Error_executing_SQL_query"),uuid,false); }*/ String sql = ""; @@ -1380,7 +1372,7 @@ public class MainController implements ServletContextAware { //TODO проверить не заблокирован ли пользователь //if(json.has("block")) { // if(json.getBoolean("block")) - // throw new CustomException(10006,trt.trt(false, "The_user_account_is_blocked"),null); + // throw new CustomException(10006,trt.trt(false, "The_user_account_is_blocked"), null, false); // json.remove("block"); //} 
@@ -1635,12 +1627,12 @@ public class MainController implements ServletContextAware { for (int i = 0; i < ret.size(); i++) { rows = new JSONObject(ret.get(i)); if(rows.getBoolean("result")) { - throw new CustomException(10000, String.format(trt.trt(false,"The_limit_of_authorization_attempts_has_been_exceeded_please_wait_s_minutes"), 5),null); + throw new CustomException(10000, String.format(trt.trt(false,"The_limit_of_authorization_attempts_has_been_exceeded_please_wait_s_minutes"), 5),null, false); } } if(rows==null) { logger.error("Функция main.user_is_blocked не вернула результата!"); - throw new CustomException(10000, trt.trt(false,"Error_executing_SQL_query"),null); + throw new CustomException(10000, trt.trt(false,"Error_executing_SQL_query"),null, false); }*/ //Получаю id пользователя TODO should work through the authorization function