authorGravatar Vitaly Takmazov2016-11-28 13:09:34 +0300
committerGravatar Vitaly Takmazov2016-11-28 13:09:34 +0300
commit1679b35661297fd9a6693b03cadcdbc1ab5a4203 (patch)
treeec2457286fcf93f1c227da369c0c39c98aa853df /juick-api/src/main/java/com/juick/api/controllers/PM.java
parentbc23d2d2125d2086847397e85335f29a70668f6b (diff)
juick-api: all controllers are using spring-security and @RequestParam
Diffstat (limited to 'juick-api/src/main/java/com/juick/api/controllers/PM.java')
-rw-r--r--juick-api/src/main/java/com/juick/api/controllers/PM.java46
1 files changed, 16 insertions, 30 deletions
diff --git a/juick-api/src/main/java/com/juick/api/controllers/PM.java b/juick-api/src/main/java/com/juick/api/controllers/PM.java
index 3d9893b1..c928a11e 100644
--- a/juick-api/src/main/java/com/juick/api/controllers/PM.java
+++ b/juick-api/src/main/java/com/juick/api/controllers/PM.java
@@ -1,5 +1,6 @@
package com.juick.api.controllers;
+import com.juick.User;
import com.juick.api.ApiServer;
import com.juick.api.util.HttpBadRequestException;
import com.juick.api.util.HttpForbiddenException;
@@ -10,12 +11,13 @@ import org.springframework.http.MediaType;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import rocks.xmpp.addr.Jid;
import rocks.xmpp.core.stanza.model.Message;
import javax.inject.Inject;
-import javax.servlet.http.HttpServletRequest;
+import java.security.Principal;
import java.util.List;
/**
@@ -34,23 +36,15 @@ public class PM {
ApiServer apiServer;
@RequestMapping(value = "/pm", method = RequestMethod.GET, produces = MediaType.APPLICATION_JSON_UTF8_VALUE)
- public List<com.juick.Message> doGetPM(HttpServletRequest request) {
- // TODO: use spring-security
- String auth = request.getHeader("Authorization");
- int vuid = userService.getUIDByHttpAuth(auth);
- if (vuid == -1) {
- throw new HttpForbiddenException();
- }
- if (vuid == 0) {
- String hash = request.getParameter("hash");
- if (hash != null && hash.length() == 16) {
- vuid = userService.getUIDbyHash(hash);
- }
- }
+ public List<com.juick.Message> doGetPM(
+ Principal principal,
+ @RequestParam(required = false) String uname) {
+ String name = UserUtils.getUsername(principal, null);
+ User visitor = userService.getUserByName(name);
+ int vuid = visitor.getUid();
if (vuid == 0) {
throw new HttpForbiddenException();
}
- String uname = request.getParameter("uname");
int uid = 0;
if (uname != null && uname.matches("^[a-zA-Z0-9\\-]{2,16}$")) {
uid = userService.getUIDbyName(uname);
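Review bot: In doGetPM, `visitor.getUid()` is called on the result of `userService.getUserByName(name)` without a null check, and `name` comes from `UserUtils.getUsername(principal, null)`, which may be null for an unauthenticated request (neither helper is visible here, so this is inferred). If the lookup can return null, an anonymous caller gets a NullPointerException and a 500 rather than the intended HttpForbiddenException, and the access check rests on an undocumented contract of the user service. An explicit guard fails closed: `if (visitor == null || visitor.getUid() == 0) { throw new HttpForbiddenException(); }`, with `int vuid = visitor.getUid();` moved after it. doPostPM repeats the same three lines and needs the same guard; doGetPM's body continues past the end of this hunk.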
@@ -64,29 +58,21 @@ public class PM {
}
@RequestMapping(value = "/pm", method = RequestMethod.POST, produces = MediaType.APPLICATION_JSON_UTF8_VALUE)
- public com.juick.Message doPostPM(HttpServletRequest request) {
- // TODO: use spring-security
- String auth = request.getHeader("Authorization");
- int vuid = userService.getUIDByHttpAuth(auth);
- if (vuid == -1) {
- throw new HttpForbiddenException();
- }
- if (vuid == 0) {
- String hash = request.getParameter("hash");
- if (hash != null && hash.length() == 16) {
- vuid = userService.getUIDbyHash(hash);
- }
- }
+ public com.juick.Message doPostPM(
+ Principal principal,
+ @RequestParam String uname,
+ @RequestParam String body) {
+ String name = UserUtils.getUsername(principal, null);
+ User visitor = userService.getUserByName(name);
+ int vuid = visitor.getUid();
if (vuid == 0) {
throw new HttpForbiddenException();
}
- String uname = request.getParameter("uname");
int uid = 0;
if (UserUtils.checkUserNameValid(uname)) {
uid = userService.getUIDbyName(uname);
}
- String body = request.getParameter("body");
if (uid == 0 || body == null || body.length() < 1 || body.length() > 10240) {
throw new HttpBadRequestException();
}