From 5e66cae7ebd75902e7ea36778d8e7fc5b4a21525 Mon Sep 17 00:00:00 2001
From: Piotr Gawron <piotr.gawron@uni.lu>
Date: Thu, 8 Jun 2017 12:26:52 +0200
Subject: [PATCH] login adds cookie on the server side

---
 frontend-js/src/main/js/ServerConnector.js    | 13 ++------
 .../src/test/js/ServerConnector-test.js       |  7 -----
 rest-api/pom.xml                              |  7 +++++
 .../mapviewer/api/users/UserController.java   | 31 ++++++++++++++++---
 4 files changed, 36 insertions(+), 22 deletions(-)

diff --git a/frontend-js/src/main/js/ServerConnector.js b/frontend-js/src/main/js/ServerConnector.js
index b949b1d678..e2ea92b9ae 100644
--- a/frontend-js/src/main/js/ServerConnector.js
+++ b/frontend-js/src/main/js/ServerConnector.js
@@ -860,16 +860,9 @@ ServerConnector.login = function(login, password) {
   } else {
     params.login = "anonymous";
   }
-  return self.sendPostRequest(self.loginUrl(), params).then(function(content) {
-    var obj = JSON.parse(content);
-    var token = obj.id;
-    if (token === undefined) {
-      return Promise.reject(obj.error);
-    } else {
-      self.getSessionData().setToken(token);
-      self.getSessionData().setLogin(params.login);
-      return Promise.resolve(token);
-    }
+  return self.sendPostRequest(self.loginUrl(), params).then(function() {
+    self.getSessionData().setLogin(params.login);
+    return Promise.resolve(self.getSessionData().getToken());
   });
 };
 
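Review bot: The new `.then` handler ignores the response body, so a server reply such as `{"error":"Invalid credentials"}` that `sendPostRequest` does not turn into a rejection now resolves the login promise with whatever `getToken()` returns — possibly `undefined`, or a stale token left from an earlier session — and records `params.login` as logged in, whereas the removed code rejected with `obj.error` in that case. Whether `sendPostRequest` rejects on non-2xx responses is not visible in this hunk, so the handler should at least verify that a token cookie actually arrived before marking the session as logged in, and reject otherwise. Note also that resolving the token via `getSessionData().getToken()` only works if the cookie is readable from `document.cookie`, which forces the server to leave HttpOnly off the auth cookie; if that is the intended design, a short comment saying so here would stop a later reviewer from "fixing" it on the server side. `ServerConnector.login` begins before this hunk.
```javascript
  return self.sendPostRequest(self.loginUrl(), params).then(function() {
    // The server hands the token back as a cookie; treat a missing cookie as a failed login.
    var token = self.getSessionData().getToken();
    if (token === undefined) {
      return Promise.reject("Login failed: no authentication token cookie was set");
    }
    self.getSessionData().setLogin(params.login);
    return Promise.resolve(token);
  });
```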
diff --git a/frontend-js/src/test/js/ServerConnector-test.js b/frontend-js/src/test/js/ServerConnector-test.js
index d0732db80a..0ee2386c66 100644
--- a/frontend-js/src/test/js/ServerConnector-test.js
+++ b/frontend-js/src/test/js/ServerConnector-test.js
@@ -117,13 +117,6 @@ describe('ServerConnector', function() {
     });
   });
 
-  it('getToken without login', function() {
-    ServerConnector.getSessionData().setToken(undefined);
-    return ServerConnector.getToken().then(function(token) {
-      assert.ok(token);
-    });
-  });
-
   it('logout', function() {
     return ServerConnector.logout().then(function() {
       assert.equal(ServerConnector.getSessionData().getToken(), undefined);
diff --git a/rest-api/pom.xml b/rest-api/pom.xml
index 6898343897..43e369a82a 100644
--- a/rest-api/pom.xml
+++ b/rest-api/pom.xml
@@ -61,6 +61,13 @@
     	<version>${jackson.version}</version>
 		</dependency>		
 
+		<dependency>
+			<groupId>javax.servlet</groupId>
+			<artifactId>servlet-api</artifactId>
+			<version>${servlet-api.version}</version>
+			<scope>provided</scope>
+		</dependency>
+
 		<dependency>
 			<groupId>org.mockito</groupId>
 			<artifactId>mockito-all</artifactId>
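Review bot: `javax.servlet:servlet-api` is the legacy coordinate whose line ends at Servlet 2.5, and `Cookie#setHttpOnly` — which the login cookie added in `UserController` ought to use — only exists from Servlet 3.0, published as `javax.servlet:javax.servlet-api`. If `${servlet-api.version}` (defined outside this hunk) resolves to a 3.x version the artifact should be `<artifactId>javax.servlet-api</artifactId>`; if the target container really is 2.5, HttpOnly would have to be emitted through a raw `Set-Cookie` header instead. The `provided` scope is right, since the container supplies the API at runtime.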
diff --git a/rest-api/src/main/java/lcsb/mapviewer/api/users/UserController.java b/rest-api/src/main/java/lcsb/mapviewer/api/users/UserController.java
index 1788c95f32..8e28369560 100644
--- a/rest-api/src/main/java/lcsb/mapviewer/api/users/UserController.java
+++ b/rest-api/src/main/java/lcsb/mapviewer/api/users/UserController.java
@@ -1,8 +1,13 @@
 package lcsb.mapviewer.api.users;
 
+import java.io.IOException;
+import java.util.Calendar;
 import java.util.HashMap;
 import java.util.Map;
 
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletResponse;
+
 import org.apache.log4j.Logger;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.MediaType;
@@ -32,16 +37,32 @@ public class UserController extends BaseController {
 	@RequestMapping(value = "/doLogin", method = { RequestMethod.GET, RequestMethod.POST }, produces = { MediaType.APPLICATION_JSON_VALUE })
 	public Map<String, Object> login(//
 			@RequestParam(value = "login", defaultValue = Configuration.ANONYMOUS_LOGIN) String login, //
-			@RequestParam(value = "password", required = false) String password//
-	) throws SecurityException {
+			@RequestParam(value = "password", required = false) String password, //
+			HttpServletResponse response //
+	) throws SecurityException, IOException {
 		AuthenticationToken token = userService.login(login, password);
-		Map<String, Object> result = new HashMap<>();
 		if (token == null) {
 			throw new SecurityException("Invalid credentials");
 		} else {
-			result.put("id", token.getId());
+			Map<String, Object> result = new HashMap<>();
+			final Boolean useSecureCookie = false;
+			final int expiryTime = (int) (token.getExpires().getTimeInMillis() - Calendar.getInstance().getTimeInMillis()) / 1000; // 24h
+																																																														 // in
+																																																														 // seconds
+			final String cookiePath = "/";
+
+			Cookie cookie = new Cookie("MINERVA_AUTH_TOKEN", token.getId());
+
+			cookie.setSecure(useSecureCookie);
+			cookie.setMaxAge(expiryTime);
+			cookie.setPath(cookiePath);
+
+			response.addCookie(cookie);
+			response.getWriter().write("{\"info\":\"Login successful. TOKEN returned as a cookie\"}");
+			response.getWriter().flush();
+			response.getWriter().close();
+			return result;
 		}
-		return result;
 	}
 
 	@RequestMapping(value = "/users/{login}", method = { RequestMethod.GET, RequestMethod.POST }, produces = { MediaType.APPLICATION_JSON_VALUE })
-- 
GitLab