juick-www: using state in vk login

1 files changed, 15 insertions, 0 deletions

diff --git a/juick-www/src/main/java/com/juick/www/controllers/VKontakteLogin.java b/juick-www/src/main/java/com/juick/www/controllers/VKontakteLogin.java
index 6ecdfd4a..e0a39220 100644
--- a/juick-www/src/main/java/com/juick/www/controllers/VKontakteLogin.java
+++ b/juick-www/src/main/java/com/juick/www/controllers/VKontakteLogin.java
@@ -36,6 +36,7 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.core.env.Environment;
 import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.CookieValue;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RequestParam;
@@ -81,17 +82,31 @@ public class VKontakteLogin {
     @RequestMapping(value = "/_vklogin", method = RequestMethod.GET)
     protected String doGet(HttpServletRequest request,
                            @RequestParam(required = false) String code,
+                           @RequestParam(required = false) String state,
+                           @CookieValue(required = false) String vkstate,
                            HttpServletResponse response) throws IOException, ExecutionException, InterruptedException {
         if (StringUtils.isBlank(code)) {
+            vkstate = UUID.randomUUID().toString();
+            Cookie c = new Cookie("vkstate", vkstate);
+            response.addCookie(c);
             OAuth20Service vkAuthService = serviceBuilder
                     .apiKey(VK_APPID)
                     .apiSecret(VK_SECRET)
                     .scope("friends,wall,offline")
+                    .state(vkstate)
                     .callback(VK_REDIRECT)
                     .build(VkontakteApi.instance());
             return "redirect:" + vkAuthService.getAuthorizationUrl();
         }
 
+        if (StringUtils.isBlank(vkstate) || !vkstate.equals(state)) {
+            throw new HttpBadRequestException();
+        } else {
+            Cookie c = new Cookie("vkstate", "-");
+            c.setMaxAge(0);
+            response.addCookie(c);
+        }
+
         OAuth20Service vkService = serviceBuilder
                 .apiKey(VK_APPID)
                 .apiSecret(VK_SECRET)