From 3bfe5d94da692fd4d388c29903f7d50117904950 Mon Sep 17 00:00:00 2001
From: Vitaly Takmazov
Date: Wed, 29 Mar 2017 14:36:47 +0300
Subject: juick-www: fix hash-based auth

---
 .../juick/www/configuration/WebSecurityConfig.java | 33 +++++++++++++++++-----
 .../java/com/juick/components/s2s/JuickBot.java | 2 +-
 readme.txt | 2 +-
 3 files changed, 28 insertions(+), 9 deletions(-)

diff --git a/juick-www/src/main/java/com/juick/www/configuration/WebSecurityConfig.java b/juick-www/src/main/java/com/juick/www/configuration/WebSecurityConfig.java
index 9d603da8..2b8dc292 100644
--- a/juick-www/src/main/java/com/juick/www/configuration/WebSecurityConfig.java
+++ b/juick-www/src/main/java/com/juick/www/configuration/WebSecurityConfig.java
@@ -3,12 +3,15 @@ package com.juick.www.configuration;
 import com.juick.server.security.entities.JuickUser;
 import com.juick.service.UserService;
 import com.juick.service.security.JuickUserDetailsService;
+import com.juick.service.security.deprecated.RequestParamHashRememberMeServices;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
-import org.springframework.core.env.Environment;
+import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.web.authentication.RememberMeServices;
 import javax.annotation.Resource;
@@ -17,8 +20,10 @@ import javax.annotation.Resource;
 */
 @EnableWebSecurity
 public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
- @Resource
- private Environment env;
+ @Value("${auth_remember_me_key}")
+ private String rememberMeKey;
+ @Value("${web_domain:juick.com}")
+ private String webDomain;
 @Resource
 private UserService userService;
@@ -54,10 +59,24 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
 .tokenValiditySeconds(6 * 30 * 24 * 3600)
 .alwaysRemember(true)
 //.useSecureCookie(true) // TODO Enable if https is supports
- .rememberMeCookieDomain(env.getProperty("web_domain", "juick.com"))
+ .rememberMeCookieDomain(webDomain)
 .userDetailsService(userDetailsServiceBean())
- .key(env.getProperty("auth_remember_me_key"))
- .and()
- .csrf().disable();
+ .rememberMeServices(rememberMeServices())
+ .key(rememberMeKey)
+ .and().authenticationProvider(authenticationProvider())
+ .headers().defaultsDisabled().cacheControl();
+ }
+ @Bean
+ public DaoAuthenticationProvider authenticationProvider() {
+ DaoAuthenticationProvider authenticationProvider = new DaoAuthenticationProvider();
+
+ authenticationProvider.setUserDetailsService(userDetailsService());
+
+ return authenticationProvider;
+ }
+
+ @Bean
+ public RememberMeServices rememberMeServices() throws Exception {
+ return new RequestParamHashRememberMeServices(rememberMeKey, userService);
 }
 }
diff --git a/juick-xmpp/src/main/java/com/juick/components/s2s/JuickBot.java b/juick-xmpp/src/main/java/com/juick/components/s2s/JuickBot.java
index 3242803a..c6e9b1c7 100644
--- a/juick-xmpp/src/main/java/com/juick/components/s2s/JuickBot.java
+++ b/juick-xmpp/src/main/java/com/juick/components/s2s/JuickBot.java
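Review bot: `.headers().defaultsDisabled().cacheControl()` switches off every default response header Spring Security adds (X-Content-Type-Options, X-Frame-Options, HSTS, X-XSS-Protection) and re-enables only cache control, on the same configuration that now accepts a login hash from a request parameter; if cache control is all that is wanted, `.headers()` on its own already provides it, otherwise bring `contentTypeOptions()` and `frameOptions()` back next to `cacheControl()`. Once `rememberMeServices(rememberMeServices())` supplies a custom implementation, RememberMeConfigurer uses that object as-is and, as far as I recall, no longer applies `tokenValiditySeconds`, `alwaysRemember`, `rememberMeCookieDomain` or `userDetailsService` from this chain, so those calls are probably dead configuration — either remove them or pass the values into `RequestParamHashRememberMeServices`. `authenticationProvider()` sets no password encoder, so credential comparison falls to whatever `DaoAuthenticationProvider` defaults to for the Spring Security version in use; pin it with `setPasswordEncoder(...)` matched to how `JuickUserDetailsService` stores credentials, and use either `userDetailsService()` or `userDetailsServiceBean()` consistently between this bean and the remember-me chain. The enclosing `configure(HttpSecurity)` begins before this hunk.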
@@ -321,7 +321,7 @@ public class JuickBot implements StanzaListener, AutoCloseable {
 }
 private void commandLogin(Message m, User user_from) {
- sendReply(m.getFrom(), "http://juick.com/login?" + xmpp.userService.getHashByUID(user_from.getUid()));
+ sendReply(m.getFrom(), "http://juick.com/login?hash=" + xmpp.userService.getHashByUID(user_from.getUid()));
 }
 private void commandPM(Message m, User user_from, String user_to, String body) {
diff --git a/readme.txt b/readme.txt
index 39489503..512de38f 100644
--- a/readme.txt
+++ b/readme.txt
@@ -27,7 +27,7 @@ mysql -u user -p
 ./gradlew :juick-www:appRun
-http://localhost:8080/login?fuckthisverymuch
+http://localhost:8080/login?hash=fuckthisverymuch
 чтобы работал юникод, в ~/.my.cnf добавить:
-- 
cgit v1.2.3
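Review bot: The hash is concatenated into the URL unencoded; if `getHashByUID` can ever yield characters outside the URL-unreserved set (it probably does not, but this hunk does not show its format), the link breaks, and wrapping the value in `URLEncoder.encode(..., "UTF-8")` removes the doubt. The new line also makes explicit that this link is a login credential carried in a query string over plain `http://`, so it should be handled like a password on both ends — never logged with the full URL and ideally single-use on the `/login` side; a comment such as `// the hash= value is a login credential — never log the full link` on `commandLogin` would keep that visible to the next maintainer.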