dev en cours

src/main/java/fr/triplea/demovote/security/SecurityConfig.java

@@ -17,10 +17,14 @@ import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.access.channel.ChannelProcessingFilter;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 import org.springframework.security.web.context.SecurityContextRepository;
+//import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
+import org.springframework.security.web.header.HeaderWriterFilter;
 import org.springframework.security.web.header.writers.ReferrerPolicyHeaderWriter.ReferrerPolicy;
 import org.springframework.security.web.header.writers.XXssProtectionHeaderWriter;
 import org.springframework.web.servlet.config.annotation.EnableWebMvc;
 
+import fr.triplea.demovote.security.cors.CorsFilter;
+import fr.triplea.demovote.security.csrf.CsrfHeaderFilter;
 import fr.triplea.demovote.security.jwt.JwtTokenFilter;
 
 import org.springframework.security.web.context.DelegatingSecurityContextRepository;
@@ -86,11 +90,15 @@ public class SecurityConfig
  
   Class<? extends ChannelProcessingFilter> cpf_clazz = ChannelProcessingFilter.class;
 
+  @Bean
+  public CsrfHeaderFilter csrfHeaderFilter() { return new CsrfHeaderFilter(); }
+  
+  Class<? extends HeaderWriterFilter> csrfhf_clazz = HeaderWriterFilter.class;
   
   @Bean
   SecurityFilterChain securityFilterChain(HttpSecurity http, SecurityContextRepository securityContextRepository) throws Exception 
   {
-    http.csrf(csrf -> csrf.disable())
+    http.csrf(csrf -> csrf.disable())//csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()))
         .requiresChannel(channel -> channel.anyRequest().requiresSecure())
         .authenticationProvider(authenticationProvider())
         .authorizeHttpRequests((ahreq) -> ahreq
@@ -102,6 +110,7 @@ public class SecurityConfig
           )
         .addFilterBefore(jwtTokenFilter(), upaf_clazz)
         .addFilterBefore(corsFilter(), cpf_clazz)
+        //.addFilterBefore(csrfHeaderFilter(), csrfhf_clazz)
         .securityContext(sc -> sc.securityContextRepository(securityContextRepository).requireExplicitSave(true))
         .headers(headers -> headers
           .xssProtection(xss -> xss.headerValue(XXssProtectionHeaderWriter.HeaderValue.ENABLED_MODE_BLOCK))

src/main/java/fr/triplea/demovote/security/CorsFilter.java → src/main/java/fr/triplea/demovote/security/cors/CorsFilter.java

@@ -1,4 +1,4 @@
-package fr.triplea.demovote.security;
+package fr.triplea.demovote.security.cors;
 
 import java.io.IOException;
 

src/main/java/fr/triplea/demovote/security/csrf/CsrfHeaderFilter.java

@@ -0,0 +1,55 @@
+package fr.triplea.demovote.security.csrf;
+
+import java.io.IOException;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.security.web.csrf.CsrfToken;
+import org.springframework.web.filter.OncePerRequestFilter;
+import org.springframework.web.util.WebUtils;
+
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.Cookie;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+
+
+public class CsrfHeaderFilter extends OncePerRequestFilter 
+{
+  
+  private final Logger LOG = LoggerFactory.getLogger(CsrfHeaderFilter.class);
+
+  public CsrfHeaderFilter() { LOG.info("CsrfHeaderFilter init"); }
+
+  @Override
+  protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException 
+  {
+    CsrfToken csrf = (CsrfToken) request.getAttribute(CsrfToken.class.getName());   
+    
+    if (csrf != null) 
+    {
+      Cookie cookie = WebUtils.getCookie(request, "XSRF-TOKEN");
+      LOG.info("cookie=" + cookie.toString());
+
+      String token = csrf.getToken();
+      LOG.info("token=" + token);
+      
+      if ((cookie == null) || ((token != null) && !(token.equals(cookie.getValue())))) 
+      {
+        cookie = new Cookie("XSRF-TOKEN", token);
+        cookie.setPath("/");
+        
+        response.addCookie(cookie);
+        LOG.info("response=cookie added");
+
+      }
+    }
+      
+    filterChain.doFilter(request, response);
+  }
+
+  @Override
+  public void destroy() {}
+
+}

src/main/java/fr/triplea/demovote/web/controller/AuthController.java

@@ -13,6 +13,7 @@ import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.crypto.password.PasswordEncoder;
+import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -20,6 +21,7 @@ import org.springframework.web.bind.annotation.RestController;
 import org.springframework.web.servlet.LocaleResolver;
 
 import fr.triplea.demovote.dao.ParticipantRepository;
+import fr.triplea.demovote.dto.JourneesTransfer;
 import fr.triplea.demovote.dto.ParticipantTransfer;
 import fr.triplea.demovote.dto.RefreshTokenTransfer;
 import fr.triplea.demovote.dto.UserCredentials;
@@ -63,6 +65,16 @@ public class AuthController
   private MessageSource messageSource;
   
   
+  @GetMapping(value = "/hello")
+  public ResponseEntity<JourneesTransfer> getDaysLabels() 
+  { 
+    JourneesTransfer jt = new JourneesTransfer();
+
+    jt.setJour1Court("Hello");
+     
+    return ResponseEntity.ok(jt); 
+  }
+
   @PostMapping(value = "/in")
   public ResponseEntity<UserCredentials> signIn(@RequestBody UserCredentials uc, HttpServletRequest request, HttpServletResponse response)
   {

src/main/java/fr/triplea/demovote/web/controller/ParticipantController.java

@@ -136,7 +136,7 @@ public class ParticipantController
           
           Participant created = participantRepository.save(found);
         
-          return ResponseEntity.ok(created);
+          return ResponseEntity.ok(created); // TODO: retourner ici et ailleurs un message court au lieu de la totalité
         }
       }
     }