From f84c1e7eac95ee3187885ddea80a4ff2085c0689 Mon Sep 17 00:00:00 2001
From: Vitaly Takmazov
Date: Thu, 14 Dec 2017 16:09:27 +0300
Subject: spring-security: remember-me token was not generated properly in hash
 filter

---
 .../service/security/HashParamAuthenticationFilter.java    |  3 ++-
 juick-www/src/test/java/com/juick/www/WebAppTests.java     | 14 ++++++++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/juick-server-web/src/main/java/com/juick/service/security/HashParamAuthenticationFilter.java b/juick-server-web/src/main/java/com/juick/service/security/HashParamAuthenticationFilter.java
index ed24fc00..e8ea0492 100644
--- a/juick-server-web/src/main/java/com/juick/service/security/HashParamAuthenticationFilter.java
+++ b/juick-server-web/src/main/java/com/juick/service/security/HashParamAuthenticationFilter.java
@@ -69,8 +69,9 @@ public class HashParamAuthenticationFilter extends OncePerRequestFilter {
             User user = userService.getUserByHash(hash);
 
             if (!user.isAnonymous()) {
+                User userWithPassword = userService.getFullyUserByName(user.getName());
                 Authentication authentication = new RememberMeAuthenticationToken(
-                        ((AbstractRememberMeServices)rememberMeServices).getKey(), new JuickUser(user), JuickUser.USER_AUTHORITY);
+                        ((AbstractRememberMeServices)rememberMeServices).getKey(), new JuickUser(userWithPassword), JuickUser.USER_AUTHORITY);
 
                 SecurityContextHolder.getContext().setAuthentication(authentication);
 
diff --git a/juick-www/src/test/java/com/juick/www/WebAppTests.java b/juick-www/src/test/java/com/juick/www/WebAppTests.java
index aacfe8ce..32bad137 100644
--- a/juick-www/src/test/java/com/juick/www/WebAppTests.java
+++ b/juick-www/src/test/java/com/juick/www/WebAppTests.java
@@ -61,6 +61,7 @@ import org.springframework.util.FileSystemUtils;
 import org.springframework.web.context.WebApplicationContext;
 
 import javax.inject.Inject;
+import javax.servlet.http.Cookie;
 import java.io.FileInputStream;
 import java.io.IOException;
 import java.io.StringWriter;
@@ -75,6 +76,7 @@ import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.startsWith;
 import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.multipart;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrl;
@@ -277,4 +279,16 @@ public class WebAppTests {
                 .param("mid", String.valueOf(mid))
                 .param("body", "yo")).andExpect(redirectedUrl(String.format("/%s/%d#%d", ugnichName, mid, 3)));
     }
+    @Test
+    public void hashLoginShouldNotUseSession() throws Exception {
+        String hash = userService.getHashByUID(ugnich.getUid());
+        MvcResult hashLoginResult = mockMvc.perform(get("/?show=my&hash=" + hash)).andExpect(status().isOk()).andReturn();
+        Cookie rememberMeFromHash = hashLoginResult.getResponse().getCookie("juick-remember-me");
+        MvcResult formLoginResult = mockMvc.perform(post("/login")
+                .param("username", ugnichName)
+                .param("password", ugnichPassword)).andReturn();
+        Cookie rememberMeFromForm = formLoginResult.getResponse().getCookie("juick-remember-me");
+        mockMvc.perform(get("/?show=my").cookie(rememberMeFromForm)).andExpect(status().isOk());
+        mockMvc.perform(get("/?show=my").cookie(rememberMeFromHash)).andExpect(status().isOk());
+    }
 }
-- 
cgit v1.2.3