From e39440a08a194eeb1a3e9513037d6bd3f4b8a3e1 Mon Sep 17 00:00:00 2001
From: Vitaly Takmazov
Date: Tue, 17 Jan 2017 15:27:18 +0300
Subject: juick-www: using state in vk login

---
 .../java/com/juick/www/controllers/VKontakteLogin.java | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/juick-www/src/main/java/com/juick/www/controllers/VKontakteLogin.java b/juick-www/src/main/java/com/juick/www/controllers/VKontakteLogin.java
index 6ecdfd4a..e0a39220 100644
--- a/juick-www/src/main/java/com/juick/www/controllers/VKontakteLogin.java
+++ b/juick-www/src/main/java/com/juick/www/controllers/VKontakteLogin.java
@@ -36,6 +36,7 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.core.env.Environment;
 import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.CookieValue;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RequestParam;
@@ -81,17 +82,31 @@ public class VKontakteLogin {
 @RequestMapping(value = "/_vklogin", method = RequestMethod.GET)
 protected String doGet(HttpServletRequest request,
 @RequestParam(required = false) String code,
+ @RequestParam(required = false) String state,
+ @CookieValue(required = false) String vkstate,
 HttpServletResponse response)
 throws IOException, ExecutionException, InterruptedException {
 if (StringUtils.isBlank(code)) {
+ vkstate = UUID.randomUUID().toString();
+ Cookie c = new Cookie("vkstate", vkstate);
+ response.addCookie(c);
 OAuth20Service vkAuthService = serviceBuilder
 .apiKey(VK_APPID)
 .apiSecret(VK_SECRET)
 .scope("friends,wall,offline")
+ .state(vkstate)
 .callback(VK_REDIRECT)
 .build(VkontakteApi.instance());
 return "redirect:" + vkAuthService.getAuthorizationUrl();
 }
+ if (StringUtils.isBlank(vkstate) || !vkstate.equals(state)) {
+ throw new HttpBadRequestException();
+ } else {
+ Cookie c = new Cookie("vkstate", "-");
+ c.setMaxAge(0);
+ response.addCookie(c);
+ }
+
 OAuth20Service vkService = serviceBuilder
 .apiKey(VK_APPID)
 .apiSecret(VK_SECRET)
-- 
cgit v1.2.3
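Review bot: The `vkstate` cookie created at `Cookie c = new Cookie("vkstate", vkstate);` holds the OAuth anti-CSRF nonce but is issued without the HttpOnly and Secure attributes, so page scripts can read it and it is also sent over plain HTTP; before `response.addCookie(c);` add `c.setHttpOnly(true);` and `c.setSecure(request.isSecure());` (setHttpOnly needs Servlet 3.0 or later — confirm the container version). The clearing cookie in the else branch should carry the same attributes for consistency, and since neither cookie sets a path both default to the request path, which works here only because issue and clear happen on the same `/_vklogin` mapping. The check `!vkstate.equals(state)` is adequate for a random UUID, though `MessageDigest.isEqual` on the UTF-8 bytes would make it constant-time at no extra cost. doGet continues past the end of the hunk.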