authorGravatar Vitaly Takmazov2017-01-17 15:27:18 +0300
committerGravatar Vitaly Takmazov2017-01-17 15:27:18 +0300
commite39440a08a194eeb1a3e9513037d6bd3f4b8a3e1 (patch)
tree734ccfff5ef440af425e673a33f0d385d99232c4 /juick-www/src/main
parent3890570bf190a63f8f34c47a7fd21e780a61b6b0 (diff)
juick-www: using state in vk login
Diffstat (limited to 'juick-www/src/main')
-rw-r--r--juick-www/src/main/java/com/juick/www/controllers/VKontakteLogin.java15
1 files changed, 15 insertions, 0 deletions
diff --git a/juick-www/src/main/java/com/juick/www/controllers/VKontakteLogin.java b/juick-www/src/main/java/com/juick/www/controllers/VKontakteLogin.java
index 6ecdfd4a..e0a39220 100644
--- a/juick-www/src/main/java/com/juick/www/controllers/VKontakteLogin.java
+++ b/juick-www/src/main/java/com/juick/www/controllers/VKontakteLogin.java
@@ -36,6 +36,7 @@ import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.core.env.Environment;
import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.CookieValue;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
@@ -81,17 +82,31 @@ public class VKontakteLogin {
@RequestMapping(value = "/_vklogin", method = RequestMethod.GET)
protected String doGet(HttpServletRequest request,
@RequestParam(required = false) String code,
+ @RequestParam(required = false) String state,
+ @CookieValue(required = false) String vkstate,
HttpServletResponse response) throws IOException, ExecutionException, InterruptedException {
if (StringUtils.isBlank(code)) {
+ vkstate = UUID.randomUUID().toString();
+ Cookie c = new Cookie("vkstate", vkstate);
+ response.addCookie(c);
OAuth20Service vkAuthService = serviceBuilder
.apiKey(VK_APPID)
.apiSecret(VK_SECRET)
.scope("friends,wall,offline")
+ .state(vkstate)
.callback(VK_REDIRECT)
.build(VkontakteApi.instance());
return "redirect:" + vkAuthService.getAuthorizationUrl();
}
+ if (StringUtils.isBlank(vkstate) || !vkstate.equals(state)) {
+ throw new HttpBadRequestException();
+ } else {
+ Cookie c = new Cookie("vkstate", "-");
+ c.setMaxAge(0);
+ response.addCookie(c);
+ }
+
OAuth20Service vkService = serviceBuilder
.apiKey(VK_APPID)
.apiSecret(VK_SECRET)