src/main/java/me/imsonmia/epqapi/controller/AuthController.java


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73

package me.imsonmia.epqapi.controller;

import java.util.Date;
import java.util.Optional;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;

import io.micrometer.common.lang.Nullable;
import me.imsonmia.epqapi.repository.UserRepository;

@RequestMapping("/api/v1")
public class AuthController {
    private UserRepository userRepository;
    private Logger logger = LoggerFactory.getLogger(getClass());

    /**
     * AuthData
     */
    public class AuthData {

        private boolean success;
        private boolean hasProfile;
        private boolean exists;
        private String authMessage;
        private long authResponseTimestampMillis;

        public AuthData(boolean success, boolean hasProfile, @Nullable String authMessage) {
            this.success = success;
            this.hasProfile = hasProfile;
            this.authMessage = authMessage == null ? "" : authMessage;
            this.authResponseTimestampMillis = new Date().getTime();
        }
    }

    public abstract class AuthRequestData {
        private String userName;
        private String userPasswordHash;

        public AuthRequestData(String userName, String userPasswordHash) {
            this.userName = userName;
            this.userPasswordHash = userPasswordHash;
        }
    }

    /**
     * Authentication HTTPS endpoint used instead of client-side verification which
     * is unsafe
     */
    @PostMapping("/auth")
    public ResponseEntity<AuthData> authLogin(@RequestBody AuthRequestData authRequestData) {
        if (!userRepository.existsByUserName(authRequestData.userName)) {

            logger.info("Invalid login since user doesn't exist");
            return new ResponseEntity<AuthData>(new AuthData(
                    false,
                    false,
                    "Login invalid: User doesn't exist in database."),
                    null,
                    200);
        }
        String pwdHash = userRepository.findByUserName(authRequestData.userName).get().getPasswordHash();
        if (pwdHash != authRequestData.userPasswordHash) {
            return new ResponseEntity<>(new AuthData(false, true, "Login invalid: Password incorrect."), null, 200);
        } else {
            return new ResponseEntity<>(new AuthData(true, true, "Authentication success"), null, 200);
        }
    }
}