#486 - add extra URL for retrieving the users' description on mobile …

…apps
alfio-event · Aug 5, 2018 · 56ea7de · 56ea7de
1 parent 5b429dd
commit 56ea7de
Show file tree

Hide file tree

Showing 4 changed files with 33 additions and 13 deletions.
diff --git a/src/main/java/alfio/config/WebSecurityConfig.java b/src/main/java/alfio/config/WebSecurityConfig.java
@@ -61,8 +61,6 @@
 import java.time.ZoneId;
 import java.time.ZonedDateTime;
 import java.util.Collection;
-import java.util.Collections;
-import java.util.Date;
 import java.util.Locale;
 import java.util.function.Predicate;
 import java.util.regex.Pattern;
@@ -75,17 +73,17 @@
 @EnableWebSecurity
 public class WebSecurityConfig {
 
-    static final String ADMIN_API = "/admin/api";
-    static final String ADMIN_PUBLIC_API = "/api/v1/admin";
-    static final String CSRF_SESSION_ATTRIBUTE = "CSRF_SESSION_ATTRIBUTE";
+    private static final String ADMIN_API = "/admin/api";
+    private static final String ADMIN_PUBLIC_API = "/api/v1/admin";
+    private static final String CSRF_SESSION_ATTRIBUTE = "CSRF_SESSION_ATTRIBUTE";
     public static final String CSRF_PARAM_NAME = "_csrf";
     public static final String OPERATOR = "OPERATOR";
     private static final String SUPERVISOR = "SUPERVISOR";
     public static final String SPONSOR = "SPONSOR";
     private static final String ADMIN = "ADMIN";
     private static final String OWNER = "OWNER";
     private static final String API_CLIENT = "API_CLIENT";
-    static final String X_REQUESTED_WITH = "X-Requested-With";
+    private static final String X_REQUESTED_WITH = "X-Requested-With";
 
 
     private static class BaseWebSecurity extends  WebSecurityConfigurerAdapter {
@@ -108,7 +106,7 @@ private static class APIKeyAuthFilter extends AbstractPreAuthenticatedProcessing
 
         @Override
         protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
-            return isTokenAuthentication(request) ? request.getHeader("Authorization").substring("apikey ".length()) : null;
+            return isTokenAuthentication(request) ? StringUtils.trim(request.getHeader("Authorization").substring("apikey ".length())) : null;
         }
 
         @Override
@@ -179,11 +177,10 @@ protected void configure(HttpSecurity http) throws Exception {
                     throw new DisabledException("Api key " + apiKey + " is expired");
                 }
 
-                APITokenAuthentication auth = new APITokenAuthentication(
+                return new APITokenAuthentication(
                     authentication.getPrincipal(),
                     authentication.getCredentials(),
                     authorityRepository.findRoles(apiKey).stream().map(SimpleGrantedAuthority::new).collect(Collectors.toList()));
-                return auth;
             });
 
 
@@ -194,7 +191,7 @@ protected void configure(HttpSecurity http) throws Exception {
                 .antMatchers(ADMIN_PUBLIC_API + "/**").hasRole(API_CLIENT)
                 .antMatchers(ADMIN_API + "/check-in/**").hasAnyRole(OPERATOR, SUPERVISOR)
                 .antMatchers(HttpMethod.GET, ADMIN_API + "/events").hasAnyRole(OPERATOR, SUPERVISOR, SPONSOR)
-                .antMatchers(ADMIN_API + "/user-type").hasAnyRole(OPERATOR, SUPERVISOR, SPONSOR)
+                .antMatchers(HttpMethod.GET, ADMIN_API + "/user-type", ADMIN_API + "/user/details").hasAnyRole(OPERATOR, SUPERVISOR, SPONSOR)
                 .antMatchers(ADMIN_API + "/**").denyAll()
                 .antMatchers(HttpMethod.POST, "/api/attendees/sponsor-scan").hasRole(SPONSOR)
                 .antMatchers(HttpMethod.GET, "/api/attendees/*/ticket/*").hasAnyRole(OPERATOR, SUPERVISOR)
@@ -238,12 +235,13 @@ public static class BasicAuthWebSecurity extends BaseWebSecurity {
 
         @Override
         protected void configure(HttpSecurity http) throws Exception {
-            http.requestMatcher((request) -> request.getHeader("Authorization") != null).sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
+            http.requestMatcher((request) -> request.getHeader("Authorization") != null)
+            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
             .and().csrf().disable()
             .authorizeRequests()
             .antMatchers(ADMIN_API + "/check-in/**").hasAnyRole(OPERATOR, SUPERVISOR)
             .antMatchers(HttpMethod.GET, ADMIN_API + "/events").hasAnyRole(OPERATOR, SUPERVISOR, SPONSOR)
-            .antMatchers(ADMIN_API + "/user-type").hasAnyRole(OPERATOR, SUPERVISOR, SPONSOR)
+            .antMatchers(HttpMethod.GET, ADMIN_API + "/user-type", ADMIN_API + "/user/details").hasAnyRole(OPERATOR, SUPERVISOR, SPONSOR)
             .antMatchers(ADMIN_API + "/**").denyAll()
             .antMatchers(HttpMethod.POST, "/api/attendees/sponsor-scan").hasRole(SPONSOR)
             .antMatchers(HttpMethod.GET, "/api/attendees/*/ticket/*").hasAnyRole(OPERATOR, SUPERVISOR)

diff --git a/src/main/java/alfio/controller/api/admin/UsersApiController.java b/src/main/java/alfio/controller/api/admin/UsersApiController.java
@@ -71,7 +71,7 @@ public class UsersApiController {
     @ResponseBody
     public String unhandledException(Exception e) {
         log.error("unhandled exception", e);
-        return e.getMessage();
+        return e != null ? e.getMessage() : "Unexpected error";
     }
 
     @RequestMapping(value = "/roles", method = GET)
@@ -96,6 +96,21 @@ public String getLoggedUserType() {
             .orElse(WebSecurityConfig.OPERATOR);
     }
 
+    @GetMapping("/user/details")
+    public Map<String, String> retrieveDetails(Principal principal) {
+        User user = userManager.findUserByUsername(principal.getName());
+        Map<String, String> result = new HashMap<>();
+        boolean isApiKey = user.getType() == User.Type.API_KEY;
+        result.put(isApiKey ? "apiKey" : "username", user.getUsername());
+        if(!isApiKey) {
+            result.put("firstName", user.getFirstName());
+            result.put("lastName", user.getLastName());
+        }
+        result.put("description", user.getDescription());
+        result.put("userType", getLoggedUserType());
+        return result;
+    }
+
     @RequestMapping(value = "/organizations", method = GET)
     @ResponseStatus(HttpStatus.OK)
     public List<Organization> getAllOrganizations(Principal principal) {

diff --git a/src/main/resources/log4j2-stdout.xml b/src/main/resources/log4j2-stdout.xml
@@ -7,6 +7,9 @@
     </Appenders>
 
     <Loggers>
+        <Logger name="alfio.config.WebSecurityConfig" level="warn" additivity="false">
+            <appender-ref ref="Console"/>
+        </Logger>
         <Logger name="alfio" level="debug" additivity="false">
             <appender-ref ref="Console"/>
         </Logger>

diff --git a/src/main/resources/log4j2.xml b/src/main/resources/log4j2.xml
@@ -23,6 +23,10 @@
     </Appenders>
 
     <Loggers>
+        <Logger name="alfio.config.WebSecurityConfig" level="warn" additivity="false">
+            <appender-ref ref="Console" />
+            <appender-ref ref="Async" />
+        </Logger>
         <Logger name="alfio" level="debug" additivity="false">
             <appender-ref ref="Console" level="info"/>
             <appender-ref ref="Async" />