From 55b09a6a3bc4a21201189d855e140308f05016fb Mon Sep 17 00:00:00 2001
From: Vitaly Takmazov
Date: Fri, 25 Nov 2016 13:20:15 +0300
Subject: juick-api: security WIP

---
 .../java/com/juick/api/controllers/Messages.java | 22 +++++-----------------
 1 file changed, 5 insertions(+), 17 deletions(-)

(limited to 'juick-api/src/main/java/com/juick/api/controllers/Messages.java')

diff --git a/juick-api/src/main/java/com/juick/api/controllers/Messages.java b/juick-api/src/main/java/com/juick/api/controllers/Messages.java
index f4cde321..36882140 100644
--- a/juick-api/src/main/java/com/juick/api/controllers/Messages.java
+++ b/juick-api/src/main/java/com/juick/api/controllers/Messages.java
@@ -16,7 +16,6 @@ import org.slf4j.LoggerFactory;
 import org.springframework.http.MediaType;
 import org.springframework.stereotype.Controller;
 import org.springframework.util.StringUtils;
-import org.springframework.web.bind.annotation.CrossOrigin;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.ResponseBody;
@@ -25,6 +24,7 @@ import rocks.xmpp.core.stanza.model.Message;
 import javax.inject.Inject;
 import javax.servlet.http.HttpServletRequest;
+import java.security.Principal;
 import java.util.List;
 /**
@@ -47,22 +47,10 @@ public class Messages {
 // TODO: serialize image urls
 @RequestMapping(value = "/home", method = RequestMethod.GET, produces = MediaType.APPLICATION_JSON_UTF8_VALUE)
- public List doGetHome(HttpServletRequest request) {
- // TODO: use spring-security
- String auth = request.getHeader("Authorization");
- int vuid = userService.getUIDByHttpAuth(auth);
- if (vuid == -1) {
- throw new HttpForbiddenException();
- }
- if (vuid == 0) {
- String hash = request.getParameter("hash");
- if (hash != null && hash.length() == 16) {
- vuid = userService.getUIDbyHash(hash);
- }
- }
- if (vuid == 0) {
- throw new HttpForbiddenException();
- }
+ public List doGetHome(HttpServletRequest request, Principal principal) {
+ String name = principal.getName();
+ User visitor = userService.getUserByName(name);
+ int vuid = visitor.getUid();
 int before_mid = NumberUtils.toInt(request.getParameter("before_mid"), 0);
 List mids = messagesService.getMyFeed(vuid, before_mid);
 return messagesService.getMessages(mids);
-- cgit v1.2.3
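Review bot: The new body of doGetHome dereferences `principal` and the `User` returned by `userService.getUserByName(name)` with no null check, so an unauthenticated request that still reaches this handler, or a principal name the user service cannot resolve, now ends in a NullPointerException (HTTP 500) where the removed code threw HttpForbiddenException; whether the security filter chain guarantees a non-null Principal for `/home` is not visible in this diff. The removed code also rejected a resolved uid of 0, and that check is dropped here. I would keep an explicit guard, `if (principal == null) { throw new HttpForbiddenException(); }` at the top and `if (visitor == null || visitor.getUid() == 0) { throw new HttpForbiddenException(); }` after the lookup, or mark the mapping `@PreAuthorize("isAuthenticated()")` if the security configuration is meant to carry that contract. Note that the `?hash=` query-parameter login path is gone with this change, so clients that used it depend on the new filter accepting it. The method's closing brace lies outside the hunk.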