From 549308a07bee54a79e1513ff1c5315278f928d79 Mon Sep 17 00:00:00 2001
From: Rostislav Raykov
Date: Sat, 26 Oct 2024 00:35:58 +0300
Subject: [PATCH] moved the app auth to using spring security instead of an interceptor
---
 .../quickdrop/config/SecurityConfig.java | 65 +++++++++++++++++--
 .../rostislav/quickdrop/config/WebConfig.java | 21 ------
 .../interceptor/PasswordInterceptor.java | 29 --------
 3 files changed, 59 insertions(+), 56 deletions(-)
 delete mode 100644 src/main/java/org/rostislav/quickdrop/config/WebConfig.java
 delete mode 100644 src/main/java/org/rostislav/quickdrop/interceptor/PasswordInterceptor.java
diff --git a/src/main/java/org/rostislav/quickdrop/config/SecurityConfig.java b/src/main/java/org/rostislav/quickdrop/config/SecurityConfig.java
index 65e86cf..167b771 100644
--- a/src/main/java/org/rostislav/quickdrop/config/SecurityConfig.java
+++ b/src/main/java/org/rostislav/quickdrop/config/SecurityConfig.java
@@ -1,30 +1,83 @@
 package org.rostislav.quickdrop.config;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.security.authentication.AuthenticationProvider;
+import org.springframework.security.authentication.BadCredentialsException;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
+import java.util.List;
+
 @Configuration
 @EnableWebSecurity
 public class SecurityConfig {
+ @Value("${app.enable.password}")
+ private boolean enablePassword;
+
+ @Value("${app.basic.password}")
+ private String appPassword;
+
 @Bean
 public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
- http.authorizeHttpRequests(authorizeRequests ->
- authorizeRequests.anyRequest().anonymous()
- );
- http.csrf(csrf ->
- csrf.csrfTokenRepository(new CookieCsrfTokenRepository())
- );
+ if (enablePassword) {
+ http
+ .authorizeHttpRequests(authz -> authz
+ .requestMatchers("/password/login", "/favicon.ico", "/error").permitAll()
+ .anyRequest().authenticated()
+ )
+ .formLogin(form -> form
+ .loginPage("/password/login")
+ .permitAll()
+ .failureUrl("/password/login?error")
+ .defaultSuccessUrl("/", true)
+ )
+ .authenticationProvider(authenticationProvider())
+ .csrf(csrf -> csrf
+ .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
+ );
+ } else {
+ http
+ .authorizeHttpRequests(authz -> authz
+ .anyRequest().permitAll()
+ )
+ .csrf(csrf -> csrf
+ .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
+ );
+ }
 return http.build();
 }
+ @Bean
+ public AuthenticationProvider authenticationProvider() {
+ return new AuthenticationProvider() {
+ @Override
+ public Authentication authenticate(Authentication authentication) throws AuthenticationException {
+ String providedPassword = (String) authentication.getCredentials();
+ if (appPassword.equals(providedPassword)) {
+ return new UsernamePasswordAuthenticationToken(null, providedPassword, List.of());
+ } else {
+ throw new BadCredentialsException("Invalid password");
+ }
+ }
+
+ @Override
+ public boolean supports(Class authentication) {
+ return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
+ }
+ };
+ }
+
 @Bean
 public PasswordEncoder passwordEncoder() {
 return new BCryptPasswordEncoder();
diff --git a/src/main/java/org/rostislav/quickdrop/config/WebConfig.java b/src/main/java/org/rostislav/quickdrop/config/WebConfig.java
deleted file mode 100644
index e601a6e..0000000
--- a/src/main/java/org/rostislav/quickdrop/config/WebConfig.java
+++ /dev/null
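Review bot: In `authenticationProvider()` the shared secret is checked with `appPassword.equals(providedPassword)`, which keeps the password in plain text in configuration and is not a constant-time comparison, while the `BCryptPasswordEncoder` bean declared just below in the same hunk is never used. Preferably store a bcrypt hash in `app.basic.password` and verify it with `if (passwordEncoder().matches(providedPassword, appPassword))`; if the plain-text value has to stay, at least null-check the cast credential and compare with `MessageDigest.isEqual(appPassword.getBytes(StandardCharsets.UTF_8), providedPassword.getBytes(StandardCharsets.UTF_8))`. The token returned on success carries `null` as principal and the raw password as credentials, so a fixed principal such as `"app"` with `null` credentials would keep the secret out of the `SecurityContext` (ProviderManager's default credential erasure presumably clears it later, but only for the stored copy). As a point of style, `supports(Class authentication)` uses a raw type and should read `supports(Class<?> authentication)`.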
@@ -1,21 +0,0 @@
-package org.rostislav.quickdrop.config;
-
-import org.rostislav.quickdrop.interceptor.PasswordInterceptor;
-import org.springframework.context.annotation.Configuration;
-import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
-import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
-
-@Configuration
-public class WebConfig implements WebMvcConfigurer {
- private final PasswordInterceptor passwordInterceptor;
-
- public WebConfig(PasswordInterceptor passwordInterceptor) {
- this.passwordInterceptor = passwordInterceptor;
- }
-
- @Override
- public void addInterceptors(InterceptorRegistry registry) {
- registry.addInterceptor(passwordInterceptor)
- .excludePathPatterns("/password/login", "/favicon.ico", "/error");
- }
-}
diff --git a/src/main/java/org/rostislav/quickdrop/interceptor/PasswordInterceptor.java b/src/main/java/org/rostislav/quickdrop/interceptor/PasswordInterceptor.java
deleted file mode 100644
index 71d3a3e..0000000
--- a/src/main/java/org/rostislav/quickdrop/interceptor/PasswordInterceptor.java
+++ /dev/null
@@ -1,29 +0,0 @@
-package org.rostislav.quickdrop.interceptor;
-
-import jakarta.servlet.http.HttpServletRequest;
-import jakarta.servlet.http.HttpServletResponse;
-import org.springframework.beans.factory.annotation.Value;
-import org.springframework.stereotype.Component;
-import org.springframework.web.servlet.HandlerInterceptor;
-
-@Component
-public class PasswordInterceptor implements HandlerInterceptor {
- @Value("${app.enable.password}")
- private Boolean enablePassword;
-
- @Override
- public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
- if (!enablePassword) {
- return true;
- }
-
- Boolean authenticated = (Boolean) request.getSession().getAttribute("authenticated");
-
- if (authenticated != null && authenticated) {
- return true;
- }
-
- response.sendRedirect("/password/login");
- return false;
- }
-}