-rw-r--r--juick-common/src/main/java/com/juick/service/CrosspostService.java4
-rw-r--r--juick-server-jdbc/src/main/java/com/juick/service/CrosspostServiceImpl.java19
-rw-r--r--juick-www/src/main/java/com/juick/www/controllers/SocialLogin.java19
3 files changed, 27 insertions, 15 deletions
diff --git a/juick-common/src/main/java/com/juick/service/CrosspostService.java b/juick-common/src/main/java/com/juick/service/CrosspostService.java
index b82621e5..8db8c935 100644
--- a/juick-common/src/main/java/com/juick/service/CrosspostService.java
+++ b/juick-common/src/main/java/com/juick/service/CrosspostService.java
@@ -33,6 +33,10 @@ public interface CrosspostService {
boolean deleteTwitterToken(Integer uid);
+ void addFacebookState(String state);
+
+ boolean verifyFacebookState(String state);
+
Optional<Pair<String, String>> getFacebookTokens(int uid);
ApplicationStatus getFbCrossPostStatus(int uid);
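Review bot: The two new interface methods `addFacebookState` and `verifyFacebookState` carry no Javadoc, so the meaning of `state` and the contract between the two calls is left entirely to the implementation. Suggested: `/** Records an OAuth state nonce issued before redirecting the user to Facebook. */` on `addFacebookState` and `/** Returns true if {@code state} was previously recorded via {@link #addFacebookState}. */` on `verifyFacebookState`. Whether a state may be verified more than once is not stated anywhere in this change and should be documented as part of the contract.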
diff --git a/juick-server-jdbc/src/main/java/com/juick/service/CrosspostServiceImpl.java b/juick-server-jdbc/src/main/java/com/juick/service/CrosspostServiceImpl.java
index 9f9d699f..0bd5fe66 100644
--- a/juick-server-jdbc/src/main/java/com/juick/service/CrosspostServiceImpl.java
+++ b/juick-server-jdbc/src/main/java/com/juick/service/CrosspostServiceImpl.java
@@ -54,6 +54,21 @@ public class CrosspostServiceImpl extends BaseJdbcService implements CrosspostSe
&& getJdbcTemplate().update("DELETE FROM subscr_users WHERE user_id=? AND suser_id=1741", uid) > 0;
}
+ @Override
+ public void addFacebookState(String state) {
+ jdbcTemplate.update("INSERT INTO facebook(loginhash) VALUES(?)", state);
+ }
+
+ @Override
+ public boolean verifyFacebookState(String state) {
+ try {
+ return jdbcTemplate.queryForObject("SELECT COUNT(loginhash) FROM facebook WHERE loginhash=?",
+ Integer.class, state) == 1;
+ } catch (EmptyResultDataAccessException e) {
+ return false;
+ }
+ }
+
@Transactional(readOnly = true)
@Override
public Optional<Pair<String, String>> getFacebookTokens(final int uid) {
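Review bot: `verifyFacebookState` catches `EmptyResultDataAccessException`, but a `SELECT COUNT(...)` always yields exactly one row, so the catch is dead code and the `== 1` comparison is the only real check; the method body can be reduced to the `return` statement. The two new methods also use the `jdbcTemplate` field directly while the visible neighbours `deleteTwitterToken` and `createFacebookUser` go through `getJdbcTemplate()`; pick one style for the class. Separately, a verified state is never marked as consumed, so the same value passes `verifyFacebookState` indefinitely — worth a `// TODO: states are not single-use; add a consumed/expiry marker` until the schema (not visible here) supports one.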
@@ -157,8 +172,8 @@ public class CrosspostServiceImpl extends BaseJdbcService implements CrosspostSe
@Transactional
@Override
public boolean createFacebookUser(long fbID, String loginhash, String token, String fbName, String fbLink) {
- return getJdbcTemplate().update("INSERT INTO facebook(fb_id,loginhash,access_token,fb_name,fb_link) VALUES (?,?,?,?,?)",
- fbID, loginhash, token, fbName, fbLink) > 0;
+ return getJdbcTemplate().update("UPDATE facebook SET fb_id=?, access_token=?, fb_name=?, fb_link=? WHERE loginhash=?",
+ fbID, token, fbName, fbLink, loginhash) > 0;
}
@Transactional
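Review bot: Switching `createFacebookUser` from INSERT to `UPDATE ... WHERE loginhash=?` changes what the boolean return means: it is now true whenever the state row exists, which the caller in `SocialLogin` has just confirmed with `verifyFacebookState`, so the controller's `!crosspostService.createFacebookUser(...)` fallback can only be reached if the update matches zero rows for some other reason. If that branch is meant to handle an already-linked `fb_id`, that presumably now surfaces as a constraint exception rather than a `false` return — confirm against the schema. A Javadoc line stating the new contract, e.g. `/** Attaches the Facebook profile to the row created for {@code loginhash}; returns false if no such row exists. */`, would make the change explicit.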
diff --git a/juick-www/src/main/java/com/juick/www/controllers/SocialLogin.java b/juick-www/src/main/java/com/juick/www/controllers/SocialLogin.java
index fdc2f6f2..522e9ab7 100644
--- a/juick-www/src/main/java/com/juick/www/controllers/SocialLogin.java
+++ b/juick-www/src/main/java/com/juick/www/controllers/SocialLogin.java
@@ -108,13 +108,10 @@ public class SocialLogin {
protected String doFacebookLogin(HttpServletRequest request,
@RequestParam(required = false) String code,
@RequestParam(required = false) String state,
- @CookieValue(required = false) String fbstate,
HttpServletResponse response) throws IOException, ExecutionException, InterruptedException {
if (StringUtils.isBlank(code)) {
- fbstate = UUID.randomUUID().toString();
-
- Cookie c = new Cookie("fbstate", fbstate);
- response.addCookie(c);
+ String fbstate = UUID.randomUUID().toString();
+ crosspostService.addFacebookState(fbstate);
OAuth20Service facebookAuthService = facebookBuilder
.apiSecret(FACEBOOK_SECRET)
.callback(FACEBOOK_REDIRECT)
@@ -124,12 +121,9 @@ public class SocialLogin {
return "redirect:" + facebookAuthService.getAuthorizationUrl();
}
- if (StringUtils.isBlank(fbstate) || !fbstate.equals(state)) {
+ if (!crosspostService.verifyFacebookState(state)) {
+ logger.error("state is missing");
throw new HttpBadRequestException();
- } else {
- Cookie c = new Cookie("fbstate", "-");
- c.setMaxAge(0);
- response.addCookie(c);
}
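Review bot: Replacing the `fbstate` cookie comparison with `crosspostService.verifyFacebookState(state)` drops the binding between the state nonce and the browser that started the flow: any state ever issued by this endpoint now satisfies the check, so the callback no longer shows that the same client initiated the authorization request, which is the property the OAuth `state` parameter exists to provide. Keeping a per-session marker (cookie or HttpSession) alongside the stored row and checking both would restore it; at minimum the stored state should be single-use. The new log line `logger.error("state is missing")` is also misleading when `state` is present but unknown, and `error` is a strong level for a client-side mistake — `logger.warn("facebook state is missing or unknown")` fits better.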
OAuth20Service facebookService = facebookBuilder
.apiKey(FACEBOOK_APPID)
@@ -163,8 +157,7 @@ public class SocialLogin {
response.addCookie(c);
return Utils.getPreviousPageByRequest(request).orElse("redirect:/");
} else if (fb.getVerified()) {
- String loginhash = UUID.randomUUID().toString();
- if (!crosspostService.createFacebookUser(fbID, loginhash, token.getAccessToken(), fb.getName(), fb.getLink())) {
+ if (!crosspostService.createFacebookUser(fbID, state, token.getAccessToken(), fb.getName(), fb.getLink())) {
if (StringUtils.isNotEmpty(fb.getEmail())) {
logger.info("found {} for facebook user {}", fb.getEmail(), fb.getLink());
Integer userId = crosspostService.getUIDbyFBID(fbID);
@@ -175,7 +168,7 @@ public class SocialLogin {
logger.info("email not found for facebook user {}", fb.getLink());
throw new HttpBadRequestException();
}
- return "redirect:/signup?type=fb&hash=" + loginhash;
+ return "redirect:/signup?type=fb&hash=" + state;
} else {
logger.error("Facebook account is not verified, id: {}", fbID);
throw new HttpBadRequestException();