Merge pull request #1 from Makumbacz/wip-security

Added JWT authentication and plant object

pom.xml

@@ -54,6 +54,21 @@
             <artifactId>spring-security-test</artifactId>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>org.springframework.security</groupId>
+            <artifactId>spring-security-jwt</artifactId>
+            <version>1.1.1.RELEASE</version>
+        </dependency>
+        <dependency>
+            <groupId>com.auth0</groupId>
+            <artifactId>java-jwt</artifactId>
+            <version>3.19.1</version>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-devtools</artifactId>
+            <optional>true</optional>
+        </dependency>
     </dependencies>
 
     <build>

src/main/java/com/example/plantsforyou/PlantsForYouApplication.java

@@ -1,7 +1,12 @@
 package com.example.plantsforyou;
 
+import com.example.plantsforyou.appuser.AppUser;
+import com.example.plantsforyou.appuser.AppUserRole;
+import com.example.plantsforyou.appuser.AppUserService;
+import org.springframework.boot.CommandLineRunner;
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
+import org.springframework.context.annotation.Bean;
 
 @SpringBootApplication
 public class PlantsForYouApplication {
@@ -9,5 +14,18 @@ public class PlantsForYouApplication {
     public static void main(String[] args) {
         SpringApplication.run(PlantsForYouApplication.class, args);
     }
-
+    @Bean
+    CommandLineRunner run(AppUserService userService){
+        return args -> {
+            AppUser user = new AppUser("Jan", "Kowalski", "jan.kowalski@gmail.com", "1234", AppUserRole.USER);
+            userService.signUpUser(user);
+            userService.enableAppUser("jan.kowalski@gmail.com");
+            user = new AppUser("Michal", "Nowak", "michal.nowak@gmail.com", "1234", AppUserRole.USER);
+            userService.signUpUser(user);
+            userService.enableAppUser("michal.nowak@gmail.com");
+            user = new AppUser("Anna", "Byczek", "anna.byczek@gmail.com", "1234", AppUserRole.USER);
+            userService.signUpUser(user);
+            userService.enableAppUser("anna.byczek@gmail.com");
+        };
+    }
 }

src/main/java/com/example/plantsforyou/appuser/AppUserController.java

@@ -0,0 +1,72 @@
+package com.example.plantsforyou.appuser;
+
+import com.auth0.jwt.JWT;
+import com.auth0.jwt.JWTVerifier;
+import com.auth0.jwt.algorithms.Algorithm;
+import com.auth0.jwt.interfaces.DecodedJWT;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import lombok.RequiredArgsConstructor;
+import org.springframework.http.ResponseEntity;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.util.*;
+
+import static org.springframework.http.HttpHeaders.AUTHORIZATION;
+import static org.springframework.http.HttpStatus.FORBIDDEN;
+import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE;
+
+@RestController
+@RequestMapping("/api/v1/users")
+@RequiredArgsConstructor
+public class AppUserController {
+    private final AppUserService appUserService;
+
+    @GetMapping()
+    public ResponseEntity<List<AppUser>>getUsers(){ return ResponseEntity.ok().body(appUserService.getAppUsers()); }
+
+    @GetMapping("/token/refresh")
+    public void refreshToken(HttpServletRequest request, HttpServletResponse response) throws IOException {
+        String authorizationHeader = request.getHeader(AUTHORIZATION);
+        if(authorizationHeader != null && authorizationHeader.startsWith("Bearer ")){
+            try{
+                String refresh_token = authorizationHeader.substring("Bearer ".length());
+                Algorithm algorithm = Algorithm.HMAC256("secret".getBytes());
+                JWTVerifier verifier = JWT.require(algorithm).build();
+                DecodedJWT decodedJWT = verifier.verify(refresh_token);
+                String username = decodedJWT.getSubject();
+                Optional<AppUser> opt = appUserService.getAppUser(username);
+                AppUser user;
+                if(opt.isPresent()){
+                    user = opt.get();
+                    String access_token = JWT.create()
+                            .withSubject(user.getEmail())
+                            .withExpiresAt(new Date(System.currentTimeMillis() + 10 * 60 * 1000)) //10 mins
+                            .withIssuer(request.getRequestURL().toString())
+                            .sign(algorithm);
+                    Map<String, String> tokens = new HashMap<>();
+                    tokens.put("access_token", access_token);
+                    tokens.put("refresh_token", refresh_token);
+                    response.setContentType(APPLICATION_JSON_VALUE);
+                    new ObjectMapper().writeValue(response.getOutputStream(), tokens);
+                }
+            }catch (Exception exception){
+                response.setHeader("error", exception.getMessage());
+                response.setStatus(FORBIDDEN.value());
+//                    response.sendError(FORBIDDEN.value());
+                Map<String, String> error = new HashMap<>();
+                error.put("error_message", exception.getMessage());
+                response.setContentType(APPLICATION_JSON_VALUE);
+                new ObjectMapper().writeValue(response.getOutputStream(), error);
+            }
+        }
+        else{
+            throw new RuntimeException("Refresh token is missing");
+
+        }
+    }
+}

src/main/java/com/example/plantsforyou/appuser/AppUserService.java

@@ -10,6 +10,8 @@ import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.stereotype.Service;
 
 import java.time.LocalDateTime;
+import java.util.List;
+import java.util.Optional;
 import java.util.UUID;
 
 @Service
@@ -54,6 +56,8 @@ public class AppUserService implements UserDetailsService {
         //TODO: SEND EMAIL
         return token;
     }
+    public List<AppUser> getAppUsers(){ return appUserRepository.findAll(); }
+    public Optional<AppUser> getAppUser(String email){ return appUserRepository.findByEmail(email); }
 
     public int enableAppUser(String email) {
         return appUserRepository.enableAppUser(email);

src/main/java/com/example/plantsforyou/filter/CustomAuthenticationFilter.java

@@ -0,0 +1,66 @@
+package com.example.plantsforyou.filter;
+
+import com.auth0.jwt.JWT;
+import com.auth0.jwt.algorithms.Algorithm;
+import com.example.plantsforyou.appuser.AppUser;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
+
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.util.Date;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.stream.Collectors;
+
+import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE;
+
+@Slf4j
+public class CustomAuthenticationFilter extends UsernamePasswordAuthenticationFilter {
+    private final AuthenticationManager authenticationManager;
+
+    public CustomAuthenticationFilter(AuthenticationManager authenticationManager){
+        this.authenticationManager = authenticationManager;
+    }
+
+    @Override
+    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {
+        String email = request.getParameter("username");
+        String password = request.getParameter("password");
+        log.info("Email is: {}", email);
+        log.info("Password is: {}", password);
+        UsernamePasswordAuthenticationToken authenticationToken = new UsernamePasswordAuthenticationToken(email, password);
+        return authenticationManager.authenticate(authenticationToken);
+    }
+
+    @Override
+    protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain, Authentication authentication) throws IOException{
+        AppUser user = (AppUser) authentication.getPrincipal();
+        Algorithm algorithm = Algorithm.HMAC256("secret".getBytes());
+        String access_token = JWT.create()
+                .withSubject(user.getEmail())
+                .withExpiresAt(new Date(System.currentTimeMillis() + 10 * 60 * 1000)) //10 min
+                .withIssuer(request.getRequestURL().toString())
+                .withClaim("roles", user.getAuthorities().stream().map(GrantedAuthority::getAuthority).collect(Collectors.toList()))
+                .sign(algorithm);
+        String refresh_token = JWT.create()
+                .withSubject(user.getEmail())
+                .withExpiresAt(new Date(System.currentTimeMillis() + 7 * 1440 * 60 * 1000)) //7 days
+                .withIssuer(request.getRequestURL().toString())
+                .sign(algorithm);
+        Map<String, String> tokens = new HashMap<>();
+        tokens.put("access_token", access_token);
+        tokens.put("refresh_token", refresh_token);
+        response.setContentType(APPLICATION_JSON_VALUE);
+        new ObjectMapper().writeValue(response.getOutputStream(), tokens);
+    }
+}

src/main/java/com/example/plantsforyou/filter/CustomAuthorizationFilter.java

@@ -0,0 +1,68 @@
+package com.example.plantsforyou.filter;
+
+import com.auth0.jwt.JWT;
+import com.auth0.jwt.JWTVerifier;
+import com.auth0.jwt.algorithms.Algorithm;
+import com.auth0.jwt.interfaces.DecodedJWT;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.web.filter.OncePerRequestFilter;
+
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.HashMap;
+import java.util.Map;
+
+import static java.util.Arrays.stream;
+import static org.springframework.http.HttpHeaders.AUTHORIZATION;
+import static org.springframework.http.HttpStatus.FORBIDDEN;
+import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE;
+
+@Slf4j
+public class CustomAuthorizationFilter extends OncePerRequestFilter {
+    @Override
+    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
+        if(request.getServletPath().equals("/login") || request.getServletPath().equals("/api/v1/register") || request.getServletPath().equals("/api/v*/users/token/refresh/**")){
+            filterChain.doFilter(request,response);
+        }
+        else{
+            String authorizationHeader = request.getHeader(AUTHORIZATION);
+            if(authorizationHeader != null && authorizationHeader.startsWith("Bearer ")){
+                try{
+                    String token = authorizationHeader.substring("Bearer ".length());
+                    Algorithm algorithm = Algorithm.HMAC256("secret".getBytes());
+                    JWTVerifier verifier = JWT.require(algorithm).build();
+                    DecodedJWT decodedJWT = verifier.verify(token);
+                    String username = decodedJWT.getSubject();
+                    String[] roles = decodedJWT.getClaim("roles").asArray(String.class);
+                    Collection<SimpleGrantedAuthority> authorities = new ArrayList<>();
+                    stream(roles).forEach(role -> authorities.add(new SimpleGrantedAuthority(role)));
+                    UsernamePasswordAuthenticationToken authenticationToken =
+                            new UsernamePasswordAuthenticationToken(username, null, authorities);
+                    SecurityContextHolder.getContext().setAuthentication(authenticationToken);
+                    filterChain.doFilter(request, response);
+                }catch (Exception exception){
+                    log.error("Error logging in: {}", exception.getMessage());
+                    response.setHeader("Error", exception.getMessage());
+                    response.setStatus(FORBIDDEN.value());
+//                    response.sendError(FORBIDDEN.value());
+                    Map<String, String> error = new HashMap<>();
+                    error.put("error_message", exception.getMessage());
+                    response.setContentType(APPLICATION_JSON_VALUE);
+                    new ObjectMapper().writeValue(response.getOutputStream(), error);
+                }
+            }
+            else{
+                filterChain.doFilter(request,response);
+            }
+        }
+    }
+}

src/main/java/com/example/plantsforyou/plant/Plant.java

@@ -0,0 +1,55 @@
+package com.example.plantsforyou.plant;
+
+import com.example.plantsforyou.plant.enums.PlantCareDifficulty;
+import com.example.plantsforyou.plant.enums.PlantSize;
+import com.example.plantsforyou.plant.enums.PlantTypeOfLight;
+import lombok.Getter;
+import lombok.NoArgsConstructor;
+import lombok.Setter;
+
+import javax.persistence.*;
+
+@Getter
+@Setter
+@NoArgsConstructor
+@Entity
+public class Plant {
+
+    @Id
+    @GeneratedValue(strategy = GenerationType.IDENTITY)
+    private Long id;
+    private String name;
+    private double price;
+    @Column(columnDefinition="TEXT")
+    private String description;
+    @Enumerated(EnumType.STRING)
+    private PlantTypeOfLight typeOfLight;
+    @Enumerated(EnumType.STRING)
+    private PlantCareDifficulty difficulty;
+    @Enumerated(EnumType.STRING)
+    private PlantSize size;
+    boolean inStock;
+
+    public Plant(String name,
+                 double price,
+                 String description,
+                 PlantTypeOfLight typeOfLight,
+                 PlantCareDifficulty difficulty,
+                 PlantSize size, boolean inStock) {
+        this.name = name;
+        this.price = price;
+        this.description = description;
+        this.typeOfLight = typeOfLight;
+        this.difficulty = difficulty;
+        this.size = size;
+        this.inStock = inStock;
+    }
+
+    public void setPrice(double price) {
+        this.price = price;
+    }
+
+    public void setInStock(boolean inStock) {
+        this.inStock = inStock;
+    }
+}

src/main/java/com/example/plantsforyou/plant/PlantConfig.java

@@ -0,0 +1,40 @@
+package com.example.plantsforyou.plant;
+
+
+import com.example.plantsforyou.plant.enums.PlantCareDifficulty;
+import com.example.plantsforyou.plant.enums.PlantSize;
+import com.example.plantsforyou.plant.enums.PlantTypeOfLight;
+import org.springframework.boot.CommandLineRunner;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+
+@Configuration
+public class PlantConfig {
+    @Bean
+    CommandLineRunner commandLineRunner(PlantRepository repository){
+        return args -> {
+            Plant plant = new Plant(
+                    "Monstera deliciosa",
+                    25.12,
+                    "Najbardziej pożądana roślina we wnętrzach ostatnich lat, czule nazwana przez nas Grzegorzem, zawdzięcza swoją popularność nie tylko wyjątkowej urodzie, ale też swojej bezproblemowości. Monstera jest jedną z tych roślin, z którymi będziesz żyć długo i szczęśliwie.",
+                    PlantTypeOfLight.diffused,
+                    PlantCareDifficulty.EASY,
+                    PlantSize.MEDIUM,
+                    true
+            );
+            repository.save(plant);
+            plant = new Plant(
+                    "Scindapsus pictus 'Argyraeus'",
+                    59.0,
+                    "Nie ma wielkich wymagań i zdecydowanie nadaje się dla początkujących opiekunów. Z Agatką łatwo stworzysz wrażenie gęstej dżungli. Wystarczy, że spuścisz jej pnącza kurtyną z wysokiej półki, albo belki pod sufitem.",
+                    PlantTypeOfLight.direct,
+                    PlantCareDifficulty.MEDIUM,
+                    PlantSize.MEDIUM,
+                    false
+            );
+            repository.save(plant);
+        };
+    }
+}
+//Adding one plant to db for testing purposes
+//TODO: POST mapping GET mapping

src/main/java/com/example/plantsforyou/plant/PlantController.java

@@ -0,0 +1,25 @@
+package com.example.plantsforyou.plant;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+import java.util.List;
+
+@RestController
+@RequestMapping(path = "api/v1/plants")
+public class PlantController {
+    private final PlantService plantService;
+
+    @Autowired
+    public PlantController(PlantService plantService) {
+        this.plantService = plantService;
+    }
+
+    @GetMapping
+    public List<Plant> getPlants(){
+        return plantService.getAllPlants();
+    }
+
+}

src/main/java/com/example/plantsforyou/plant/PlantManagementController.java

@@ -0,0 +1,50 @@
+package com.example.plantsforyou.plant;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.ResponseEntity;
+import org.springframework.web.bind.annotation.*;
+
+import java.util.List;
+
+@RestController
+@RequestMapping(path = "management/api/v1/plants")
+public class PlantManagementController {
+    private final PlantService plantService;
+
+    @Autowired
+    public PlantManagementController(PlantService plantService) {
+        this.plantService = plantService;
+    }
+
+    @GetMapping
+    public List<Plant> getAllPlants(){
+        return plantService.getAllPlants();
+    }
+
+    @PostMapping
+    public ResponseEntity addNewPlant(@RequestBody Plant plant){
+        if(plantService.getAllPlants().contains(plant))
+            return new ResponseEntity(HttpStatus.NOT_ACCEPTABLE);
+        plantService.addPlant(plant);
+        return new ResponseEntity(HttpStatus.OK);
+    }
+
+    @DeleteMapping(path = "{plantID}")
+    public ResponseEntity deletePlant(@PathVariable("plantID") Long plantID){
+        if(plantService.findPlantById(plantID).isEmpty())
+            return new ResponseEntity(HttpStatus.NOT_ACCEPTABLE);
+        plantService.delete(plantID);
+        return new ResponseEntity(HttpStatus.OK);
+    }
+
+    @PutMapping(path = "{plantID}/inStock")
+    public void updatePlantInStock(@PathVariable("plantID") Long plantID, @RequestParam() boolean inStock){
+        plantService.updateInStock(plantID, inStock);
+    }
+
+    @PutMapping(path = "{plantID}/price")
+    public void updatePlantPrice(@PathVariable("plantID") Long plantID, @RequestParam() Double price){
+        plantService.updatePrice(plantID, price);
+    }
+}

src/main/java/com/example/plantsforyou/plant/PlantRepository.java

@@ -0,0 +1,17 @@
+package com.example.plantsforyou.plant;
+
+import org.springframework.data.jpa.repository.JpaRepository;
+import org.springframework.data.jpa.repository.Modifying;
+import org.springframework.data.jpa.repository.Query;
+import org.springframework.stereotype.Repository;
+import org.springframework.transaction.annotation.Transactional;
+
+import java.util.List;
+
+@Repository
+public interface PlantRepository extends JpaRepository<Plant, Long> {
+
+    List<Plant> findByName(String name);
+    Plant findById(long id);
+
+}

src/main/java/com/example/plantsforyou/plant/PlantService.java

@@ -0,0 +1,46 @@
+package com.example.plantsforyou.plant;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Service;
+
+import java.util.List;
+import java.util.Optional;
+
+@Service
+public class PlantService {
+    private final PlantRepository plantRepository;
+
+    @Autowired
+    public PlantService(PlantRepository plantRepository) {
+        this.plantRepository = plantRepository;
+    }
+
+    public List<Plant> getAllPlants(){
+        return plantRepository.findAll();
+    }
+    public Optional<Plant> findPlantById(Long plantID){ return plantRepository.findById(plantID); }
+    public void addPlant(Plant plant){
+        plantRepository.save(plant);
+    }
+
+    public void delete(Long plantID) {
+        plantRepository.deleteById(plantID);
+    }
+    public void updatePrice(Long plantID, Double price){
+        Optional<Plant> plant = plantRepository.findById(plantID);
+        if(plant.isPresent()){
+            Plant toUpdate = plant.get();
+            toUpdate.setPrice(price);
+            plantRepository.save(toUpdate);
+        }
+    }
+    public void updateInStock(Long plantID, boolean inStock){
+        Optional<Plant> plant = plantRepository.findById(plantID);
+        if(plant.isPresent()){
+            Plant toUpdate = plant.get();
+            toUpdate.setInStock(inStock);
+            plantRepository.save(toUpdate);
+        }
+    }
+
+}

src/main/java/com/example/plantsforyou/plant/enums/PlantCareDifficulty.java

@@ -0,0 +1,9 @@
+package com.example.plantsforyou.plant.enums;
+
+public enum PlantCareDifficulty {
+    VERY_EASY,
+    EASY,
+    MEDIUM,
+    HARD,
+    VERY_HARD
+}

src/main/java/com/example/plantsforyou/plant/enums/PlantSize.java

@@ -0,0 +1,7 @@
+package com.example.plantsforyou.plant.enums;
+
+public enum PlantSize {
+    SMALL,
+    MEDIUM,
+    BIG
+}

src/main/java/com/example/plantsforyou/plant/enums/PlantTypeOfLight.java

@@ -0,0 +1,7 @@
+package com.example.plantsforyou.plant.enums;
+
+public enum PlantTypeOfLight {
+    direct,
+    diffused,
+    shadow
+}

src/main/java/com/example/plantsforyou/security/config/WebSecurityConfig.java

@@ -2,15 +2,21 @@ package com.example.plantsforyou.security.config;
 
 
 import com.example.plantsforyou.appuser.AppUserService;
+import com.example.plantsforyou.filter.CustomAuthenticationFilter;
+import com.example.plantsforyou.filter.CustomAuthorizationFilter;
 import lombok.AllArgsConstructor;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
+
+import static org.springframework.security.config.http.SessionCreationPolicy.STATELESS;
 
 @Configuration
 @AllArgsConstructor
@@ -22,8 +28,18 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
 
     @Override
     protected void configure(HttpSecurity http) throws Exception {
-        http.csrf().disable().authorizeRequests().antMatchers("/api/v*/registration/**").permitAll().anyRequest().authenticated().and().formLogin(); //na chwile
+        http.csrf().disable();
+        http.sessionManagement().sessionCreationPolicy(STATELESS);
+        http.authorizeRequests().antMatchers("/api/v*/registration/**", "/api/v*/users/token/refresh/**").permitAll();
+        http.authorizeRequests().antMatchers("/api/v*/**").hasAnyAuthority("USER");
+        http.addFilter(new CustomAuthenticationFilter(authenticationManagerBean()));
+        http.addFilterBefore(new CustomAuthorizationFilter(), UsernamePasswordAuthenticationFilter.class);
+    }
 
+    @Bean
+    @Override
+    public AuthenticationManager authenticationManagerBean() throws Exception {
+        return super.authenticationManagerBean();
     }
 
     @Override