From 493d3cd0797ddd93a16127182bacb3085ec883aa Mon Sep 17 00:00:00 2001
From: Rohan Sircar
Date: Sat, 23 Nov 2019 10:25:06 +0530
Subject: [PATCH] change json api demo endpoint to only allow access to super user. Token is now obtained from chat endpoint

---
 .../ros/chatto/WebSecurityConfiguration.java | 4 ++
 .../controller/ChatMessageController.java | 44 ++++++++++---------
 .../chatto/controller/DemoRestController.java | 2 +-
 chatto/src/main/resources/static/js/login.js | 3 +-
 4 files changed, 29 insertions(+), 24 deletions(-)

diff --git a/chatto/src/main/java/org/ros/chatto/WebSecurityConfiguration.java b/chatto/src/main/java/org/ros/chatto/WebSecurityConfiguration.java
index 67300fc..3455340 100644
--- a/chatto/src/main/java/org/ros/chatto/WebSecurityConfiguration.java
+++ b/chatto/src/main/java/org/ros/chatto/WebSecurityConfiguration.java
@@ -69,8 +69,12 @@ public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
 .and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
 // .cors().and()
+ .antMatcher("/api/**").authorizeRequests()
+ .antMatchers("/api/chat/**").hasAnyRole("USER", "ADMIN", "SUPER_USER")
+ .antMatchers("/api/demo/**").hasRole("SUPER_USER")
 // .antMatchers("/perform-login").permitAll()
+ .anyRequest()
 // .hasAnyRole("USER", "ADMIN", "SUPER_USER")
 .authenticated().and().httpBasic().authenticationEntryPoint(authenticationEntryPoint)
diff --git a/chatto/src/main/java/org/ros/chatto/controller/ChatMessageController.java b/chatto/src/main/java/org/ros/chatto/controller/ChatMessageController.java
index ae80fc1..d384c60 100644
--- a/chatto/src/main/java/org/ros/chatto/controller/ChatMessageController.java
+++ b/chatto/src/main/java/org/ros/chatto/controller/ChatMessageController.java
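Review bot: `.antMatcher("/api/**")` narrows this whole HttpSecurity chain to /api/** requests, so the `.anyRequest().authenticated()` that now follows applies only under /api/; if this adapter is the only filter chain in the application, requests outside /api/** are matched by no chain at all and pass through unsecured, so it is worth confirming that a second, ordered configurer still covers the UI/form-login paths hinted at by the commented `.antMatchers("/perform-login")` line. The role rules themselves read correctly: the specific matchers precede `anyRequest()`, and `/api/demo/**` is limited to SUPER_USER with HTTP Basic on a stateless session. Style: the three commented-out builder calls (`// .cors().and()`, `// .antMatchers("/perform-login").permitAll()`, `// .hasAnyRole(...)`) are dead code that makes the chain harder to audit; delete them or say in one line why they are kept. A scope comment on the new line, `// This chain applies to /api/** only; requests outside it are not handled here`, would make the narrowing explicit to the next reader.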
@@ -44,10 +44,10 @@ public class ChatMessageController {
 @PostMapping(value = "/post/message", consumes = { "application/json" })
 @ResponseBody
- public ResponseEntity newMessage(@RequestBody @Valid ChatMessageDTO chatMessageDTO,
- BindingResult bindingResult, Principal principal) {
+ public ResponseEntity newMessage(@RequestBody @Valid ChatMessageDTO chatMessageDTO, BindingResult bindingResult,
+ Principal principal) {
 if (bindingResult.hasErrors()) {
-
+ // return new ResponseEntity>(bindingResult.getFieldErrors(),HttpStatus.BAD_REQUEST);
 return new ResponseEntity(handleException(bindingResult), HttpStatus.BAD_REQUEST);
 }
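Review bot: The added `+ // return new ResponseEntity>(bindingResult.getFieldErrors(),HttpStatus.BAD_REQUEST);` is commented-out code, introduced in place of the blank line the hunk removes; the live `return new ResponseEntity(handleException(bindingResult), HttpStatus.BAD_REQUEST);` directly below already is the replacement, so the comment should be dropped rather than committed. The rest of the hunk only reflows the `newMessage` signature and changes no behaviour. `newMessage` continues past the end of the hunk.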
@@ -58,38 +58,35 @@ public class ChatMessageController {
 chatMessageDTO = chatService.saveNewMessage(fromUser, toUser, messageCipher);
 return new ResponseEntity(chatMessageDTO, HttpStatus.CREATED);
 }
-
+
 /**
- * Method that check against {@code @Valid} Objects passed to controller endpoints
+ * Method that check against {@code @Valid} Objects passed to controller
+ * endpoints
 *
 * @param exception
 * @return a {@code ErrorResponse}
 * @see com.aroussi.util.validation.ErrorResponse
 */
- @ExceptionHandler(value=MethodArgumentNotValidException.class)
+ @ExceptionHandler(value = MethodArgumentNotValidException.class)
 @ResponseStatus(HttpStatus.BAD_REQUEST)
 public ErrorResponse handleException(MethodArgumentNotValidException exception) {
- List errorMessages = exception.getBindingResult().getFieldErrors().stream()
- .map(err -> new ErrorModel(err.getField(), err.getRejectedValue(), err.getDefaultMessage()))
- .distinct()
- .collect(Collectors.toList());
- return ErrorResponse.builder().errorMessage(errorMessages).build();
+ List errorMessages = exception.getBindingResult().getFieldErrors().stream()
+ .map(err -> new ErrorModel(err.getField(), err.getRejectedValue(), err.getDefaultMessage())).distinct()
+ .collect(Collectors.toList());
+ return ErrorResponse.builder().errorMessage(errorMessages).build();
 }
-
- @ExceptionHandler(value=MethodArgumentNotValidException.class)
+
+ @ExceptionHandler(value = MethodArgumentNotValidException.class)
 @ResponseStatus(HttpStatus.BAD_REQUEST)
 public ErrorResponse handleException(BindingResult bindingResult) {
- List errorMessages = bindingResult.getFieldErrors().stream()
- .map(err -> new ErrorModel(err.getField(), err.getRejectedValue(), err.getDefaultMessage()))
- .distinct()
- .collect(Collectors.toList());
- return ErrorResponse.builder().errorMessage(errorMessages).build();
+ List errorMessages = bindingResult.getFieldErrors().stream()
+ .map(err -> new ErrorModel(err.getField(), err.getRejectedValue(), err.getDefaultMessage())).distinct()
+ .collect(Collectors.toList());
+ return ErrorResponse.builder().errorMessage(errorMessages).build();
 }
-
-
 @GetMapping(value = "/get/messages/{userName}")
 @ResponseBody
 public List sendAllMessages(@PathVariable String userName, Principal principal) {
@@ -131,11 +128,16 @@ public class ChatMessageController {
 public List getAllOtherUsers(Principal principal) {
 return userService.findAllOtherUsers(principal.getName());
 }
-
+
 @GetMapping("/get/active-users")
 public List getAllOtherActiveUsers(Principal principal) {
 return userService.getOtherActiveUsers(principal.getName());
 }
+
+ @GetMapping("/get/token")
+ public ResponseEntity getToken() {
+ return new ResponseEntity(HttpStatus.OK);
+ }
 }
 //public ResponseEntity> getMessages(@PathVariable String userName, Principal principal) {
diff --git a/chatto/src/main/java/org/ros/chatto/controller/DemoRestController.java b/chatto/src/main/java/org/ros/chatto/controller/DemoRestController.java
index b34b752..8881b8f 100644
--- a/chatto/src/main/java/org/ros/chatto/controller/DemoRestController.java
+++ b/chatto/src/main/java/org/ros/chatto/controller/DemoRestController.java
@@ -33,7 +33,7 @@ import org.springframework.web.bind.annotation.RestController;
 import org.springframework.web.servlet.ModelAndView;
 @RestController
-@RequestMapping("/api")
+@RequestMapping("/api/demo")
 //@CrossOrigin(origins = "*", allowCredentials = "true", allowedHeaders = "*")
 public class DemoRestController {
diff --git a/chatto/src/main/resources/static/js/login.js b/chatto/src/main/resources/static/js/login.js
index 867ec08..7c5a2a8 100644
--- a/chatto/src/main/resources/static/js/login.js
+++ b/chatto/src/main/resources/static/js/login.js
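Review bot: Both `handleException` overloads keep `@ExceptionHandler(value = MethodArgumentNotValidException.class)` after the re-wrap, yet the second one, `handleException(BindingResult bindingResult)`, is a plain helper that `newMessage` calls directly with its own `BindingResult`, and I believe Spring reports an ambiguous `@ExceptionHandler` mapping (an IllegalStateException) the first time it has to resolve a handler for that exception type in this controller. Drop both annotations from that overload so it is just `public ErrorResponse handleException(BindingResult bindingResult) {`; the stream bodies are the removed lines re-wrapped and need no change. The Javadoc should be fixed while it is being re-wrapped: `* Method that checks against {@code @Valid} objects passed to controller endpoints`, and `@see com.aroussi.util.validation.ErrorResponse` points at a package outside this project (`org.ros.chatto`), so it looks like a copy-paste leftover. `err.getRejectedValue()` reflects the submitted value back in the 400 body, which is fine for chat-message fields but worth remembering if the DTO ever carries anything sensitive.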
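Review bot: The new `getToken()` endpoint returns an empty 200 and issues no token, so its name and the `/get/token` path describe something it does not do; from `login.js` in this same commit it serves only as an HTTP Basic credential check, succeeding with 200 or being rejected by the configured `authenticationEntryPoint`. It needs a Javadoc stating that contract, e.g. `/** Authenticated no-op used by the login page to verify HTTP Basic credentials; returns 200 with an empty body (no token is issued). */`, and the response reads better as `return ResponseEntity.ok().build();` with a `ResponseEntity<Void>` return type. Because this is an authenticated endpoint that reports success or failure per credential pair, it is also where account lockout or rate limiting would have to apply; that lives outside this hunk, so I only flag it here.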
@@ -10,8 +10,7 @@ function storeCredentials() {
 var jqxhr = $.ajax({
 type: 'GET',
- url: `http://${hostAddress}/api/user`,
- dataType: 'json',
+ url: `http://${hostAddress}/api/chat/get/token`,
 headers: {
 "Authorization": "Basic " + btoa(usernameInput.value + ":" + passwordInput.value)
 },
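Review bot: The request URL is still built as `http://${hostAddress}/api/chat/get/token` with the scheme hard-coded, while the `Authorization` header carries `btoa(username:password)`, which is reversible encoding rather than encryption; unless `hostAddress` is only ever reached through a TLS-terminating proxy, this sends the user's password in cleartext, and it also makes the call cross-origin whenever the page itself is served over https. Use a page-relative URL instead, `url: '/api/chat/get/token',`, or `${location.protocol}//${hostAddress}/api/chat/get/token` if the API host genuinely differs from the page's. Dropping `dataType: 'json'` is consistent with the endpoint now returning an empty body. `storeCredentials` continues beyond the hunk, so what happens to the credentials after the request is not visible here.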