implemented user list and editing other users for admin
This commit is contained in:
@@ -12,12 +12,14 @@ import static de.srsoftware.umbrella.user.Paths.WHOAMI;
|
||||
import static de.srsoftware.umbrella.user.model.DbUser.PERMISSION.LIST_USERS;
|
||||
import static de.srsoftware.umbrella.user.model.DbUser.PERMISSION.UPDATE_USERS;
|
||||
import static java.lang.System.Logger.Level.WARNING;
|
||||
import static java.net.HttpURLConnection.*;
|
||||
import static java.time.temporal.ChronoUnit.DAYS;
|
||||
|
||||
import com.sun.net.httpserver.HttpExchange;
|
||||
import de.srsoftware.tools.Path;
|
||||
import de.srsoftware.tools.PathHandler;
|
||||
import de.srsoftware.tools.SessionToken;
|
||||
import de.srsoftware.umbrella.core.ResponseCode;
|
||||
import de.srsoftware.umbrella.core.UmbrellaException;
|
||||
import de.srsoftware.umbrella.user.api.UserDb;
|
||||
import de.srsoftware.umbrella.user.model.*;
|
||||
@@ -26,7 +28,6 @@ import java.security.NoSuchAlgorithmException;
|
||||
import java.time.Instant;
|
||||
import java.util.List;
|
||||
import java.util.Optional;
|
||||
|
||||
import org.json.JSONObject;
|
||||
|
||||
|
||||
@@ -72,12 +73,24 @@ public class UserModule extends PathHandler {
|
||||
LOG.log(WARNING,e);
|
||||
}
|
||||
addCors(ex);
|
||||
return switch (path.toString()) {
|
||||
case LIST -> getUserList(ex, user);
|
||||
case LOGOUT -> logout(ex, sessionToken);
|
||||
case WHOAMI -> getUser(ex, user);
|
||||
default -> super.doGet(path, ex);
|
||||
var head = path.pop();
|
||||
switch (head) {
|
||||
case LIST: return getUserList(ex, user);
|
||||
case LOGOUT: return logout(ex, sessionToken);
|
||||
case WHOAMI: return getUser(ex, user);
|
||||
|
||||
};
|
||||
try {
|
||||
long userId = Long.parseLong(head);
|
||||
if (userId == user.id() || (user instanceof DbUser dbUser && dbUser.permissions().contains(LIST_USERS))) {
|
||||
var requestedUser = users.load(userId);
|
||||
return sendContent(ex,requestedUser);
|
||||
}
|
||||
} catch (UmbrellaException e) {
|
||||
return sendContent(ex,e.statusCode(),e.getMessage());
|
||||
} catch (NumberFormatException ignored) {}
|
||||
return super.doGet(path, ex);
|
||||
|
||||
}
|
||||
|
||||
@Override
|
||||
@@ -89,7 +102,7 @@ public class UserModule extends PathHandler {
|
||||
addCors(ex);
|
||||
|
||||
var sessionToken = SessionToken.from(ex);
|
||||
if (sessionToken.isEmpty()) return sendEmptyResponse(UNAUTHORIZED,ex);
|
||||
if (sessionToken.isEmpty()) return sendEmptyResponse(HTTP_UNAUTHORIZED,ex);
|
||||
|
||||
UmbrellaUser requestingUser;
|
||||
try {
|
||||
@@ -102,11 +115,11 @@ public class UserModule extends PathHandler {
|
||||
var head = path.pop();
|
||||
long userId;
|
||||
try {
|
||||
if (head == null || head.isBlank()) return sendContent(ex,UNPROCESSABLE,"User id missing!");
|
||||
if (head == null || head.isBlank()) return sendContent(ex, HTTP_UNPROCESSABLE,"User id missing!");
|
||||
if (PASSWORD.equals(head)) return patchPassword(ex,requestingUser);
|
||||
userId = Long.parseLong(head);
|
||||
} catch (NumberFormatException e) {
|
||||
return sendContent(ex,UNPROCESSABLE,"Invalid user id: "+head);
|
||||
return sendContent(ex, HTTP_UNPROCESSABLE,"Invalid user id: "+head);
|
||||
}
|
||||
|
||||
DbUser editedUser;
|
||||
@@ -117,7 +130,7 @@ public class UserModule extends PathHandler {
|
||||
}
|
||||
|
||||
if (requestingUser.id() != userId && (!(requestingUser instanceof DbUser dbUser) || !dbUser.permissions().contains(UPDATE_USERS))){
|
||||
return sendContent(ex,FORBIDDEN,"You are not allowed to update user "+editedUser.name());
|
||||
return sendContent(ex,HTTP_FORBIDDEN,"You are not allowed to update user "+editedUser.name());
|
||||
}
|
||||
|
||||
JSONObject json;
|
||||
@@ -125,7 +138,7 @@ public class UserModule extends PathHandler {
|
||||
json = json(ex);
|
||||
} catch (Exception e){
|
||||
LOG.log(WARNING,"Request does not contain valid JSON",e);
|
||||
return sendContent(ex,BAD_REQUEST,"Body contains no JSON data");
|
||||
return sendContent(ex,HTTP_BAD_REQUEST,"Body contains no JSON data");
|
||||
}
|
||||
|
||||
|
||||
@@ -137,7 +150,6 @@ public class UserModule extends PathHandler {
|
||||
}
|
||||
|
||||
private boolean getUserList(HttpExchange ex, UmbrellaUser user) throws IOException {
|
||||
|
||||
if (user instanceof DbUser dbUser && dbUser.permissions().contains(LIST_USERS)){
|
||||
try {
|
||||
var list = users.list(0, null).stream().map(UmbrellaUser::toMap).toList();
|
||||
@@ -146,23 +158,23 @@ public class UserModule extends PathHandler {
|
||||
return sendContent(ex,e.statusCode(),e.getMessage());
|
||||
}
|
||||
}
|
||||
return sendContent(ex,FORBIDDEN,"You are not allowed to list users!");
|
||||
return sendContent(ex,HTTP_FORBIDDEN,"You are not allowed to list users!");
|
||||
}
|
||||
|
||||
private boolean patchPassword(HttpExchange ex, UmbrellaUser requestingUser) throws IOException {
|
||||
if (!(requestingUser instanceof DbUser user)) return sendContent(ex,SERVER_ERROR,"DbUser expected");
|
||||
if (!(requestingUser instanceof DbUser user)) return sendContent(ex, ResponseCode.HTTP_SERVER_ERROR,"DbUser expected");
|
||||
JSONObject json;
|
||||
try {
|
||||
json = json(ex);
|
||||
} catch (Exception e){
|
||||
LOG.log(WARNING,"Request does not contain valid JSON",e);
|
||||
return sendContent(ex,BAD_REQUEST,"Body contains no JSON data");
|
||||
return sendContent(ex,HTTP_BAD_REQUEST,"Body contains no JSON data");
|
||||
}
|
||||
if (!json.has("old") || !(json.get("old") instanceof String oldpass) || oldpass.isBlank()) return sendContent(ex,UNPROCESSABLE,"old password missing!");
|
||||
if (!json.has("new") || !(json.get("new") instanceof String newpass) || newpass.isBlank()) return sendContent(ex,UNPROCESSABLE,"new password missing!");
|
||||
if (!json.has("old") || !(json.get("old") instanceof String oldpass) || oldpass.isBlank()) return sendContent(ex, HTTP_UNPROCESSABLE,"old password missing!");
|
||||
if (!json.has("new") || !(json.get("new") instanceof String newpass) || newpass.isBlank()) return sendContent(ex, HTTP_UNPROCESSABLE,"new password missing!");
|
||||
var old = Password.of(BAD_HASHER.hash(oldpass,null));
|
||||
if (!user.hashedPassword().equals(old)) return sendContent(ex,UNAUTHORIZED,"Wrong password (old)");
|
||||
if (weak(newpass)) return sendContent(ex,BAD_REQUEST,"New password too weak!");
|
||||
if (!user.hashedPassword().equals(old)) return sendContent(ex,HTTP_UNAUTHORIZED,"Wrong password (old)");
|
||||
if (weak(newpass)) return sendContent(ex,HTTP_BAD_REQUEST,"New password too weak!");
|
||||
var pass = Password.of(BAD_HASHER.hash(newpass,null));
|
||||
try {
|
||||
var updated = users.save(new DbUser(user.id(), user.name(), user.email(), pass, user.theme(), user.language(), user.permissions(), null));
|
||||
@@ -183,8 +195,8 @@ public class UserModule extends PathHandler {
|
||||
}
|
||||
|
||||
private boolean getUser(HttpExchange ex, UmbrellaUser user) throws IOException {
|
||||
if (user != null) return sendContent(ex,OK,user);
|
||||
return sendEmptyResponse(UNAUTHORIZED,ex);
|
||||
if (user != null) return sendContent(ex,user);
|
||||
return sendEmptyResponse(HTTP_UNAUTHORIZED,ex);
|
||||
}
|
||||
|
||||
public boolean logout(HttpExchange ex, Optional<Token> optToken) throws IOException {
|
||||
@@ -196,23 +208,23 @@ public class UserModule extends PathHandler {
|
||||
|
||||
}
|
||||
new SessionToken(token.toString(),"/", Instant.now().minus(1, DAYS),true).addTo(ex);
|
||||
return sendEmptyResponse(OK,ex);
|
||||
return sendEmptyResponse(HTTP_OK,ex);
|
||||
}
|
||||
return sendEmptyResponse(UNAUTHORIZED,ex);
|
||||
return sendEmptyResponse(HTTP_UNAUTHORIZED,ex);
|
||||
}
|
||||
|
||||
private boolean postLogin(HttpExchange ex) throws IOException {
|
||||
var json = json(ex);
|
||||
if (!(json.has(USERNAME) && json.get(USERNAME) instanceof String username)) return sendContent(ex,UNPROCESSABLE,"Username missing");
|
||||
if (!(json.has(PASSWORD) && json.get(PASSWORD) instanceof String password)) return sendContent(ex,UNPROCESSABLE,"Password missing");
|
||||
if (password.isBlank()) return sendContent(ex,UNAUTHORIZED,"Password must not be blank");
|
||||
if (!(json.has(USERNAME) && json.get(USERNAME) instanceof String username)) return sendContent(ex, HTTP_UNPROCESSABLE,"Username missing");
|
||||
if (!(json.has(PASSWORD) && json.get(PASSWORD) instanceof String password)) return sendContent(ex, HTTP_UNPROCESSABLE,"Password missing");
|
||||
if (password.isBlank()) return sendContent(ex,HTTP_UNAUTHORIZED,"Password must not be blank");
|
||||
var hashedPass = Password.of(BAD_HASHER.hash(password,null));
|
||||
try {
|
||||
var user = users.load(username, hashedPass);
|
||||
users.getSession(user)
|
||||
.cookie()
|
||||
.addTo(ex.getResponseHeaders());
|
||||
return sendContent(ex,200,user);
|
||||
return sendContent(ex,user);
|
||||
} catch (UmbrellaException ue){
|
||||
return sendContent(ex,ue.statusCode(),ue.getMessage());
|
||||
}
|
||||
@@ -226,7 +238,7 @@ public class UserModule extends PathHandler {
|
||||
var theme = json.has(THEME) && json.get(THEME) instanceof String t && !t.isBlank() ? t : user.theme();
|
||||
var lang = json.has(LANGUAGE) && json.get(LANGUAGE) instanceof String l && !l.isBlank() ? l : user.language();
|
||||
var saved = users.save(new DbUser(id,name,email,pass,theme,lang, user.permissions(),null));
|
||||
return sendContent(ex,OK,saved);
|
||||
return sendContent(ex,HTTP_OK,saved);
|
||||
}
|
||||
|
||||
static int score(String password){
|
||||
|
||||
@@ -2,14 +2,14 @@
|
||||
package de.srsoftware.umbrella.user.model;
|
||||
|
||||
|
||||
import java.util.Map;
|
||||
import java.util.Set;
|
||||
|
||||
import static de.srsoftware.umbrella.user.model.DbUser.PERMISSION.*;
|
||||
import static de.srsoftware.umbrella.user.model.DbUser.PERMISSION.IMPERSONATE;
|
||||
import static de.srsoftware.umbrella.user.model.DbUser.PERMISSION.LIST_USERS;
|
||||
import static de.srsoftware.umbrella.user.model.DbUser.PERMISSION.MANAGE_LOGIN_SERVICES;
|
||||
|
||||
import java.util.Map;
|
||||
import java.util.Set;
|
||||
|
||||
public class DbUser extends UmbrellaUser {
|
||||
|
||||
public enum PERMISSION {
|
||||
|
||||
Reference in New Issue
Block a user