3 files changed, 27 insertions, 15 deletions
diff --git a/juick-common/src/main/java/com/juick/service/CrosspostService.java b/juick-common/src/main/java/com/juick/service/CrosspostService.java
index b82621e5..8db8c935 100644
--- a/juick-common/src/main/java/com/juick/service/CrosspostService.java
+++ b/juick-common/src/main/java/com/juick/service/CrosspostService.java
@@ -33,6 +33,10 @@ public interface CrosspostService {
 boolean deleteTwitterToken(Integer uid);
+ void addFacebookState(String state);
+
+ boolean verifyFacebookState(String state);
+
 Optional<Pair<String, String>> getFacebookTokens(int uid);
 ApplicationStatus getFbCrossPostStatus(int uid);
diff --git a/juick-server-jdbc/src/main/java/com/juick/service/CrosspostServiceImpl.java b/juick-server-jdbc/src/main/java/com/juick/service/CrosspostServiceImpl.java
index 9f9d699f..0bd5fe66 100644
--- a/juick-server-jdbc/src/main/java/com/juick/service/CrosspostServiceImpl.java
+++ b/juick-server-jdbc/src/main/java/com/juick/service/CrosspostServiceImpl.java
@@ -54,6 +54,21 @@ public class CrosspostServiceImpl extends BaseJdbcService implements CrosspostSe
 && getJdbcTemplate().update("DELETE FROM subscr_users WHERE user_id=? AND suser_id=1741", uid) > 0;
 }
+ @Override
+ public void addFacebookState(String state) {
+ jdbcTemplate.update("INSERT INTO facebook(loginhash) VALUES(?)", state);
+ }
+
+ @Override
+ public boolean verifyFacebookState(String state) {
+ try {
+ return jdbcTemplate.queryForObject("SELECT COUNT(loginhash) FROM facebook WHERE loginhash=?",
+ Integer.class, state) == 1;
+ } catch (EmptyResultDataAccessException e) {
+ return false;
+ }
+ }
+
 @Transactional(readOnly = true)
 @Override
 public Optional<Pair<String, String>> getFacebookTokens(final int uid) {
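Review bot: The two new interface methods carry no Javadoc, and nothing states whether a recorded state is single-use or ever expires, which is exactly what a caller relying on `verifyFacebookState` for the OAuth `state` check needs to know. Suggest `/** Records a server-generated OAuth state value for a pending Facebook login. */` on `addFacebookState` and `/** Returns whether {@code state} was previously recorded with {@link #addFacebookState(String)}. */` on `verifyFacebookState`, plus one sentence giving the lifetime (single-use or not, expiry or not) once the implementation defines one.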
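Review bot: `verifyFacebookState` only tests that a row with this `loginhash` exists; it neither removes nor time-limits the row, and `addFacebookState` stores no creation time, so a state value stays valid indefinitely and can be presented any number of times, while every hit on the login entry point adds a row that is never cleaned up. The cookie comparison this commit removes (SocialLogin, `@@ -124`) was also what tied the state to the browser that started the flow; an existence check against a shared table accepts any recorded state regardless of who obtained it, which is the login-CSRF case the OAuth `state` parameter exists to prevent. Because `createFacebookUser` later updates the same row by `loginhash`, the row cannot simply be deleted on verify; recording a creation timestamp on insert and verifying with `WHERE loginhash=? AND fb_id IS NULL AND <created_at column> > ?` (placeholder column name; assumes rows inserted by `addFacebookState` leave `fb_id` NULL — confirm against the schema), together with a per-browser binding such as the old cookie, would restore both properties. Two smaller points: `COUNT(...)` always yields one row, so the `EmptyResultDataAccessException` catch is dead code, and the new methods use the `jdbcTemplate` field while the rest of the visible class goes through `getJdbcTemplate()`.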
@@ -157,8 +172,8 @@ public class CrosspostServiceImpl extends BaseJdbcService implements CrosspostSe
 @Transactional
 @Override
 public boolean createFacebookUser(long fbID, String loginhash, String token, String fbName, String fbLink) {
- return getJdbcTemplate().update("INSERT INTO facebook(fb_id,loginhash,access_token,fb_name,fb_link) VALUES (?,?,?,?,?)",
- fbID, loginhash, token, fbName, fbLink) > 0;
+ return getJdbcTemplate().update("UPDATE facebook SET fb_id=?, access_token=?, fb_name=?, fb_link=? WHERE loginhash=?",
+ fbID, token, fbName, fbLink, loginhash) > 0;
 }
 @Transactional
diff --git a/juick-www/src/main/java/com/juick/www/controllers/SocialLogin.java b/juick-www/src/main/java/com/juick/www/controllers/SocialLogin.java
index fdc2f6f2..522e9ab7 100644
--- a/juick-www/src/main/java/com/juick/www/controllers/SocialLogin.java
+++ b/juick-www/src/main/java/com/juick/www/controllers/SocialLogin.java
@@ -108,13 +108,10 @@ public class SocialLogin {
 protected String doFacebookLogin(HttpServletRequest request,
 @RequestParam(required = false) String code,
 @RequestParam(required = false) String state,
- @CookieValue(required = false) String fbstate,
 HttpServletResponse response) throws IOException, ExecutionException, InterruptedException {
 if (StringUtils.isBlank(code)) {
- fbstate = UUID.randomUUID().toString();
-
- Cookie c = new Cookie("fbstate", fbstate);
- response.addCookie(c);
+ String fbstate = UUID.randomUUID().toString();
+ crosspostService.addFacebookState(fbstate);
 OAuth20Service facebookAuthService = facebookBuilder
 .apiSecret(FACEBOOK_SECRET)
 .callback(FACEBOOK_REDIRECT)
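Review bot: With the INSERT replaced by an UPDATE keyed on `loginhash`, the `> 0` result no longer says anything about the Facebook account: every row that just passed `verifyFacebookState` gets updated, so `createFacebookUser` returns true even when `fb_id` is already linked elsewhere, and the `!createFacebookUser(...)` fallback in SocialLogin (`@@ -163`) that looks the user up by `fb_id` is reachable only if the row disappeared between the two calls. If `fb_id` is meant to be unique, that is now enforced solely by whatever constraint the schema has (not visible here), and a violation would surface as a `DataAccessException` rather than a false return. Checking `crosspostService.getUIDbyFBID(fbID)`-style lookup for an existing link before the UPDATE and returning false when one exists would keep the boolean meaningful; the method's surrounding Javadoc, if any, is outside the hunk.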
@@ -124,12 +121,9 @@ public class SocialLogin {
 return "redirect:" + facebookAuthService.getAuthorizationUrl();
 }
- if (StringUtils.isBlank(fbstate) || !fbstate.equals(state)) {
+ if (!crosspostService.verifyFacebookState(state)) {
+ logger.error("state is missing");
 throw new HttpBadRequestException();
- } else {
- Cookie c = new Cookie("fbstate", "-");
- c.setMaxAge(0);
- response.addCookie(c);
 }
 OAuth20Service facebookService = facebookBuilder
 .apiKey(FACEBOOK_APPID)
@@ -163,8 +157,7 @@ public class SocialLogin {
 response.addCookie(c);
 return Utils.getPreviousPageByRequest(request).orElse("redirect:/");
 } else if (fb.getVerified()) {
- String loginhash = UUID.randomUUID().toString();
- if (!crosspostService.createFacebookUser(fbID, loginhash, token.getAccessToken(), fb.getName(), fb.getLink())) {
+ if (!crosspostService.createFacebookUser(fbID, state, token.getAccessToken(), fb.getName(), fb.getLink())) {
 if (StringUtils.isNotEmpty(fb.getEmail())) {
 logger.info("found {} for facebook user {}", fb.getEmail(), fb.getLink());
 Integer userId = crosspostService.getUIDbyFBID(fbID);
@@ -175,7 +168,7 @@ public class SocialLogin {
 logger.info("email not found for facebook user {}", fb.getLink());
 throw new HttpBadRequestException();
 }
- return "redirect:/signup?type=fb&hash=" + loginhash;
+ return "redirect:/signup?type=fb&hash=" + state;
 } else {
 logger.error("Facebook account is not verified, id: {}", fbID);
 throw new HttpBadRequestException();
|
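Review bot: The new `logger.error("state is missing")` fires for every failed `verifyFacebookState`, including a state that is present but unknown to the table, so the message will mislead whoever reads the log; `logger.error("missing or unknown OAuth state in Facebook callback");` names what was actually checked. `state` is declared `required = false`, so null reaches `verifyFacebookState` and is rejected only because the parameterised `COUNT` returns 0 for `loginhash=NULL`; a `StringUtils.isBlank(state)` guard before the query would reject malformed callbacks without a database round trip. `doFacebookLogin` continues outside this hunk.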