From 2bf63fc8d2a4b84e051d28e670c7c74b039e2545 Mon Sep 17 00:00:00 2001 From: Vitaly Takmazov Date: Wed, 25 Apr 2018 13:54:25 +0300 Subject: www: no more xmpp --- .../src/main/java/com/juick/server/api/Post.java | 201 +++++++++++++++++++++ .../server/configuration/ApiSecurityConfig.java | 124 +++++++++++++ .../com/juick/server/configuration/PostConfig.java | 9 + 3 files changed, 334 insertions(+) create mode 100644 juick-api/src/main/java/com/juick/server/api/Post.java create mode 100644 juick-api/src/main/java/com/juick/server/configuration/ApiSecurityConfig.java create mode 100644 juick-api/src/main/java/com/juick/server/configuration/PostConfig.java (limited to 'juick-api/src/main') diff --git a/juick-api/src/main/java/com/juick/server/api/Post.java b/juick-api/src/main/java/com/juick/server/api/Post.java new file mode 100644 index 00000000..5757db09 --- /dev/null +++ b/juick-api/src/main/java/com/juick/server/api/Post.java @@ -0,0 +1,201 @@ +/* + * Copyright (C) 2008-2017, Juick + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as + * published by the Free Software Foundation, either version 3 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see . + */ + +package com.juick.server.api; + +import com.juick.Reaction; +import com.juick.Status; +import com.juick.User; +import com.juick.server.CommandsManager; +import com.juick.server.helpers.CommandResult; +import com.juick.server.util.*; +import com.juick.service.MessagesService; +import com.juick.service.SubscriptionService; +import com.juick.service.UserService; +import org.apache.commons.lang3.StringUtils; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.beans.factory.annotation.Value; +import org.springframework.http.HttpStatus; +import org.springframework.http.MediaType; +import org.springframework.web.bind.annotation.*; +import org.springframework.web.multipart.MultipartFile; + +import javax.inject.Inject; +import javax.validation.constraints.NotNull; +import java.net.URI; +import java.net.URL; +import java.util.List; + +/** + * Created by vt on 24/11/2016. + */ +@RestController +public class Post { + private static Logger logger = LoggerFactory.getLogger(Post.class); + + @Inject + private UserService userService; + @Inject + private MessagesService messagesService; + @Inject + private SubscriptionService subscriptionService; + @Value("${upload_tmp_dir:#{systemEnvironment['TEMP'] ?: '/tmp'}}") + private String tmpDir; + @Value("${img_path:#{systemEnvironment['TEMP'] ?: '/tmp'}}") + private String imgDir; + @Inject + CommandsManager commandsManager; + + @RequestMapping(value = "/post", method = RequestMethod.POST, produces = MediaType.APPLICATION_JSON_UTF8_VALUE) + @ResponseStatus(value = HttpStatus.OK) + public CommandResult doPostMessage( + @RequestParam(required = false, defaultValue = StringUtils.EMPTY) String body, + @RequestParam(required = false) String img, + @RequestParam(required = false) MultipartFile attach) throws Exception { + User visitor = UserUtils.getCurrentUser(); + + if (visitor.isAnonymous()) + throw new HttpForbiddenException(); + + if (body.length() > 4096) { + throw new HttpBadRequestException(); + } + body = body.replace("\r", StringUtils.EMPTY); + + URI attachmentFName = HttpUtils.receiveMultiPartFile(attach, tmpDir); + + if (StringUtils.isBlank(attachmentFName.toString()) && img != null && img.length() > 10) { + URI juickUri = URI.create(img); + if (juickUri.getScheme().equals("juick")) { + attachmentFName = juickUri; + } else { + try { + URL imgUrl = new URL(img); + attachmentFName = HttpUtils.downloadImage(imgUrl, tmpDir); + } catch (Exception e) { + logger.error("DOWNLOAD ERROR", e); + throw new HttpBadRequestException(); + } + } + } + return commandsManager.processCommand(visitor, body, attachmentFName); + } + + @RequestMapping(value = "/comment", method = RequestMethod.POST, produces = MediaType.APPLICATION_JSON_UTF8_VALUE) + public com.juick.Message doPostComment( + @RequestParam(defaultValue = "0") int mid, + @RequestParam(defaultValue = "0") int rid, + @RequestParam(required = false, defaultValue = StringUtils.EMPTY) String body, + @RequestParam(required = false) String img, + @RequestParam(required = false) MultipartFile attach) + throws Exception { + User visitor = UserUtils.getCurrentUser(); + int vuid = visitor.getUid(); + if (vuid == 0) { + throw new HttpForbiddenException(); + } + if (mid == 0) { + throw new HttpBadRequestException(); + } + com.juick.Message msg = messagesService.getMessage(mid); + if (msg == null) { + throw new HttpNotFoundException(); + } + + com.juick.Message reply = null; + if (rid > 0) { + reply = messagesService.getReply(mid, rid); + if (reply == null) { + throw new HttpNotFoundException(); + } + } + + if (body.length() > 4096) { + throw new HttpBadRequestException(); + } + body = body.replace("\r", StringUtils.EMPTY); + + if ((msg.ReadOnly && msg.getUser().getUid() != vuid) || userService.isInBLAny(msg.getUser().getUid(), vuid) + || (reply != null && userService.isInBLAny(reply.getUser().getUid(), vuid))) { + throw new HttpForbiddenException(); + } + + URI attachmentFName = HttpUtils.receiveMultiPartFile(attach, tmpDir); + + if (StringUtils.isBlank(attachmentFName.toString()) && img != null && img.length() > 10) { + try { + attachmentFName = HttpUtils.downloadImage(new URL(img), tmpDir); + } catch (Exception e) { + logger.error("DOWNLOAD ERROR", e); + throw new HttpBadRequestException(); + } + } + + return commandsManager.processCommand(visitor, String.format("#%d/%d %s", mid, rid, body), attachmentFName).getNewMessage().get(); + } + + @PostMapping("/like") + @ResponseStatus(value = HttpStatus.OK) + public Status doPostRecomm(@RequestParam Integer mid) throws Exception { + com.juick.User visitor = UserUtils.getCurrentUser(); + if (visitor.getUid() == 0) { + throw new HttpForbiddenException(); + } + com.juick.Message msg = messagesService.getMessage(mid); + if (msg == null) { + throw new HttpNotFoundException(); + } + if (msg.getUser().getUid() == visitor.getUid()) { + throw new HttpForbiddenException(); + } + CommandResult status = commandsManager.processCommand(visitor, String.format("! #%d", mid), + URI.create(StringUtils.EMPTY)); + return Status.getStatus(status.getText()); + } + + @GetMapping("/reactions") + @ResponseStatus(value = HttpStatus.OK) + public List reactionsList() { + return messagesService.listReactions(); + } + + @PostMapping("/react") + @ResponseStatus(value = HttpStatus.OK) + public Status doPostReact(@RequestParam Integer mid,@RequestParam @NotNull int reactionId, + @RequestParam (required = false, defaultValue = "1") int count) { + + logger.info("got reaction with type: {}", reactionId); + com.juick.User visitor = UserUtils.getCurrentUser(); + if (visitor.getUid() == 0) { + throw new HttpForbiddenException(); + } + com.juick.Message msg = messagesService.getMessage(mid); + if (msg == null) { + throw new HttpNotFoundException(); + } + if (msg.getUser().getUid() == visitor.getUid()) { + throw new HttpForbiddenException(); + } + MessagesService.RecommendStatus recommendStatus = MessagesService.RecommendStatus.Error; + for (int i = 0; i < count; i++) + recommendStatus = messagesService.likeMessage(mid, visitor.getUid(), + reactionId); + + return recommendStatus == MessagesService.RecommendStatus.Error ? Status.ERROR :Status.OK; + } +} diff --git a/juick-api/src/main/java/com/juick/server/configuration/ApiSecurityConfig.java b/juick-api/src/main/java/com/juick/server/configuration/ApiSecurityConfig.java new file mode 100644 index 00000000..3809090e --- /dev/null +++ b/juick-api/src/main/java/com/juick/server/configuration/ApiSecurityConfig.java @@ -0,0 +1,124 @@ +/* + * Copyright (C) 2008-2017, Juick + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as + * published by the Free Software Foundation, either version 3 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see . + */ + +package com.juick.server.configuration; + +import com.juick.service.UserService; +import com.juick.service.security.JuickUserDetailsService; +import com.juick.service.security.NotAuthorizedAuthenticationEntryPoint; +import com.juick.service.security.deprecated.RequestParamHashRememberMeServices; +import org.springframework.beans.factory.annotation.Value; +import org.springframework.context.annotation.Bean; +import org.springframework.context.annotation.Configuration; +import org.springframework.http.HttpMethod; +import org.springframework.security.authentication.dao.DaoAuthenticationProvider; +import org.springframework.security.config.annotation.web.builders.HttpSecurity; +import org.springframework.security.config.annotation.web.builders.WebSecurity; +import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; +import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; +import org.springframework.security.config.http.SessionCreationPolicy; +import org.springframework.security.web.authentication.RememberMeServices; +import org.springframework.web.cors.CorsConfiguration; +import org.springframework.web.cors.CorsConfigurationSource; +import org.springframework.web.cors.UrlBasedCorsConfigurationSource; + +import javax.inject.Inject; +import java.util.Arrays; +import java.util.Collections; +import java.util.concurrent.TimeUnit; + +/** + * Created by aalexeev on 11/21/16. + */ +@Configuration +@EnableWebSecurity +public class ApiSecurityConfig extends WebSecurityConfigurerAdapter { + @Value("${auth_remember_me_key:secret}") + private String rememberMeKey; + @Inject + private UserService userService; + + ApiSecurityConfig() { + super(true); + } + + @Override + protected void configure(HttpSecurity http) throws Exception { + http.authorizeRequests() + .antMatchers(HttpMethod.OPTIONS).permitAll() + .antMatchers("/", "/messages", "/users", "/thread", "/tags", "/tlgmbtwbhk", "/fbwbhk", + "/skypebotendpoint").permitAll() + .anyRequest().hasRole("USER") + .and().httpBasic().authenticationEntryPoint(getJuickAuthenticationEntryPoint()) + .and().anonymous() + .and().cors().configurationSource(corsConfigurationSource()) + .and().servletApi() + .and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS) + .and().exceptionHandling().authenticationEntryPoint(getJuickAuthenticationEntryPoint()) + .and() + .rememberMe() + .alwaysRemember(true) + .tokenValiditySeconds((int) TimeUnit.DAYS.toSeconds(6 * 30)) + .rememberMeServices(rememberMeServices()) + .key(rememberMeKey) + .and().authenticationProvider(authenticationProvider()) + .headers().defaultsDisabled().cacheControl(); + } + + @Bean + public DaoAuthenticationProvider authenticationProvider() { + DaoAuthenticationProvider authenticationProvider = new DaoAuthenticationProvider(); + + authenticationProvider.setUserDetailsService(userDetailsService()); + + return authenticationProvider; + } + + @Bean + public JuickUserDetailsService userDetailsService() { + return new JuickUserDetailsService(userService); + } + + @Bean + public RememberMeServices rememberMeServices() { + return new RequestParamHashRememberMeServices(rememberMeKey, userService); + } + + @Bean + public NotAuthorizedAuthenticationEntryPoint getJuickAuthenticationEntryPoint() { + return new NotAuthorizedAuthenticationEntryPoint(); + } + + @Bean + public CorsConfigurationSource corsConfigurationSource() { + CorsConfiguration configuration = new CorsConfiguration(); + + configuration.setAllowedOrigins(Collections.singletonList("*")); + configuration.setAllowedMethods(Arrays.asList("POST", "GET", "PUT", "OPTIONS", "DELETE")); + configuration.setAllowedHeaders(Collections.singletonList("*")); + + UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource(); + source.registerCorsConfiguration("/**", configuration); + + return source; + } + @Override + public void configure(WebSecurity web) throws Exception { + web.ignoring().antMatchers("/v2/api-docs", "/configuration/ui", "/swagger-resources/**", + "/configuration/**", "/swagger-ui.html", "/webjars/**", "/ws/**", "/rss/**"); + } +} diff --git a/juick-api/src/main/java/com/juick/server/configuration/PostConfig.java b/juick-api/src/main/java/com/juick/server/configuration/PostConfig.java new file mode 100644 index 00000000..598a7435 --- /dev/null +++ b/juick-api/src/main/java/com/juick/server/configuration/PostConfig.java @@ -0,0 +1,9 @@ +package com.juick.server.configuration; + +import org.springframework.boot.autoconfigure.EnableAutoConfiguration; +import org.springframework.context.annotation.ComponentScan; + +@EnableAutoConfiguration +@ComponentScan({"com.juick.server", "com.juick.service"}) +public class PostConfig { +} -- cgit v1.2.3