Add additional service for security #60

Author: Sherzod Mamadaliev

src/main/java/com/reckue/account/controller/AccountController.java

@@ -3,19 +3,17 @@
 import com.reckue.account.controller.api.AccountApi;
 import com.reckue.account.exception.AuthenticationException;
 import com.reckue.account.service.AccountService;
+import com.reckue.account.service.SecurityService;
 import com.reckue.account.transfer.AccountTransfer;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 import org.dozer.Mapper;
-import org.springframework.http.HttpStatus;
 import org.springframework.web.bind.annotation.*;
 
 import javax.servlet.http.HttpServletRequest;
 import java.util.List;
 import java.util.stream.Collectors;
 
-import static org.springframework.http.HttpHeaders.AUTHORIZATION;
-
 /**
  * Class AccountController represents a REST-Controller with get and delete operations connecting with users.
  *
@@ -30,6 +28,7 @@ public class AccountController implements AccountApi {
 
     private final Mapper mapper;
     private final AccountService accountService;
+    private final SecurityService securityService;
 
     /**
      * This type of request allows to get all the users that meet the requirements.
@@ -80,32 +79,24 @@ public AccountTransfer getByUsername(@PathVariable String username) {
      * Throws {@link AuthenticationException} in case if token is absent.
      *
      * @param id the object identifier
+     * @param request information for HTTP servlets
      */
     @DeleteMapping("/delete/id/{id}")
     // @PreAuthorize("hasRole('ROLE_ADMIN')") doesn't work
     public void deleteById(@PathVariable String id, HttpServletRequest request) {
-        try {
-            String token = request.getHeader(AUTHORIZATION).substring(7);
-            accountService.deleteById(id, token);
-        } catch (NullPointerException e) {
-            throw new AuthenticationException("Token missing", HttpStatus.BAD_REQUEST);
-        }
+        accountService.deleteById(id, securityService.checkAndGetInfo(request));
     }
 
     /**
      * This type of request allows to delete the account by name.
      * Throws {@link AuthenticationException} in case if token is absent.
      *
      * @param username the object name
+     * @param request information for HTTP servlets
      */
     @DeleteMapping("/delete/username/{username}")
     //  @PreAuthorize("hasRole('ROLE_ADMIN')") doesn't work
     public void deleteByUsername(@PathVariable String username, HttpServletRequest request) {
-        try {
-            String token = request.getHeader(AUTHORIZATION).substring(7);
-            accountService.deleteByUsername(username, token);
-        } catch (NullPointerException e) {
-            throw new AuthenticationException("Token missing", HttpStatus.BAD_REQUEST);
-        }
+        accountService.deleteByUsername(username, securityService.checkAndGetInfo(request));
     }
 }

src/main/java/com/reckue/account/controller/AuthController.java

@@ -3,12 +3,12 @@
 import com.reckue.account.controller.api.AuthApi;
 import com.reckue.account.exception.AuthenticationException;
 import com.reckue.account.service.AuthService;
+import com.reckue.account.service.SecurityService;
 import com.reckue.account.transfer.AccountTransfer;
 import com.reckue.account.transfer.RegisterRequest;
 import io.swagger.annotations.ApiParam;
 import lombok.RequiredArgsConstructor;
 import org.dozer.Mapper;
-import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
 import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.security.oauth2.common.OAuth2AccessToken;
@@ -21,8 +21,6 @@
 import java.util.HashMap;
 import java.util.Map;
 
-import static org.springframework.http.HttpHeaders.AUTHORIZATION;
-
 /**
  * Class AuthСontroller represents a REST-Controller with post and get operations connection with authentication.
  *
@@ -37,6 +35,7 @@ public class AuthController implements AuthApi {
     private final Mapper mapper;
     private final AuthService authService;
     private final TokenEndpoint tokenEndpoint;
+    private final SecurityService securityService;
 
     /**
      * This type of request allows to register a new account.
@@ -45,9 +44,8 @@ public class AuthController implements AuthApi {
      * @return string
      */
     @PostMapping("/register")
-    public String register(@RequestBody RegisterRequest registerForm) {
-        authService.register(registerForm);
-        return "You have successfully registered";
+    public AccountTransfer register(@RequestBody RegisterRequest registerForm) {
+        return mapper.map(authService.register(registerForm), AccountTransfer.class);
     }
 
     /**
@@ -99,13 +97,7 @@ public ResponseEntity<OAuth2AccessToken> getToken(Principal principal,
     @GetMapping(value = "/current")
     @PreAuthorize("hasRole('ROLE_ADMIN') or hasRole('ROLE_USER')")
     public AccountTransfer getCurrentUser(HttpServletRequest request) {
-        try {
-            String token = request.getHeader(AUTHORIZATION).substring(7);
-            return mapper.map(authService.getCurrentUser(token), AccountTransfer.class);
-        } catch (NullPointerException e) {
-            throw new AuthenticationException("Token missing", HttpStatus.BAD_REQUEST);
-        } catch (StringIndexOutOfBoundsException e) {
-            throw new AuthenticationException("Token is too short", HttpStatus.BAD_REQUEST);
-        }
+        return mapper.map(authService.getCurrentUser(
+                (String) securityService.checkAndGetInfo(request).get("userId")), AccountTransfer.class);
     }
 }

src/main/java/com/reckue/account/controller/api/AuthApi.java

@@ -3,9 +3,11 @@
 import com.reckue.account.transfer.AccountTransfer;
 import com.reckue.account.transfer.RegisterRequest;
 import io.swagger.annotations.*;
+import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
 import org.springframework.security.oauth2.common.OAuth2AccessToken;
 import org.springframework.web.HttpRequestMethodNotSupportedException;
+import org.springframework.web.bind.annotation.ResponseStatus;
 
 import javax.servlet.http.HttpServletRequest;
 import java.security.Principal;
@@ -24,27 +26,26 @@ public interface AuthApi {
             @ApiResponse(code = 201, message = "Register form has created"),
             @ApiResponse(code = 400, message = "You need to change the incoming parameters"),
             @ApiResponse(code = 500, message = "Access to the resource you tried to obtain is not possible")})
-    String register(RegisterRequest registerForm);
+    @ResponseStatus(code = HttpStatus.CREATED)
+    AccountTransfer register(RegisterRequest registerForm);
 
     @ApiOperation(value = "Authorization", response = OAuth2AccessToken.class)
     @ApiResponses(value = {
-            @ApiResponse(code = 202, message = "JWT has created"),
+            @ApiResponse(code = 201, message = "JWT has created"),
             @ApiResponse(code = 400, message = "You need to change the incoming parameters"),
-            @ApiResponse(code = 401, message = "Unauthorized"),
-            @ApiResponse(code = 403, message = "Forbidden"),
             @ApiResponse(code = 404, message = "The account by this username is not found"),
             @ApiResponse(code = 500, message = "Access to the resource you tried to obtain is not possible")})
+    @ResponseStatus(code = HttpStatus.CREATED)
     ResponseEntity<OAuth2AccessToken> getToken(Principal principal, String scope, String grantType, String username,
                                                String password, String refreshToken) throws HttpRequestMethodNotSupportedException;
 
 
     @ApiOperation(value = "Get current user", response = AccountTransfer.class,
             authorizations = {@Authorization(value = "Bearer token")})
     @ApiResponses(value = {
-            @ApiResponse(code = 202, message = "The request has accepted"),
+            @ApiResponse(code = 200, message = "The request has completed"),
             @ApiResponse(code = 400, message = "You need to change the incoming parameters"),
             @ApiResponse(code = 401, message = "Unauthorized"),
-            @ApiResponse(code = 403, message = "Forbidden"),
             @ApiResponse(code = 404, message = "The account by this username is not found"),
             @ApiResponse(code = 500, message = "Access to the resource you tried to obtain is not possible")})
     AccountTransfer getCurrentUser(HttpServletRequest request);

src/main/java/com/reckue/account/service/AccountService.java

@@ -15,7 +15,6 @@
 import org.springframework.data.domain.Sort;
 import org.springframework.http.HttpStatus;
 import org.springframework.security.crypto.password.PasswordEncoder;
-import org.springframework.security.oauth2.provider.token.TokenStore;
 import org.springframework.stereotype.Service;
 import org.springframework.transaction.annotation.Transactional;
 
@@ -38,7 +37,6 @@ public class AccountService {
 
     private final AccountRepository accountRepository;
     private final PasswordEncoder passwordEncoder;
-    private final TokenStore tokenStore;
 
     /**
      * This method is used to find all the users in the database that meet the requirements.
@@ -100,13 +98,13 @@ public Account create(Account accountModel) {
      * Throws {@link AccessDeniedException} in case if the user isn't the same user or
      * hasn't admin authorities.
      *
-     * @param username the object name
+     * @param username  the object name
+     * @param tokenInfo additional information from a token
      */
-    public void deleteByUsername(String username, String token) {
+    public void deleteByUsername(String username, Map<String, Object> tokenInfo) {
         if (!accountRepository.existsByUsername(username)) {
             throw new NotFoundException("The account by username '" + username + "' not found", HttpStatus.NOT_FOUND);
         }
-        Map<String, Object> tokenInfo = tokenStore.readAccessToken(token).getAdditionalInformation();
         Optional<Account> account = accountRepository.findByUsername(username);
         if (account.isPresent()) {
             String userId = account.get().getId();
@@ -124,13 +122,13 @@ public void deleteByUsername(String username, String token) {
      * Throws {@link AccessDeniedException} in case if the user isn't the same user or
      * hasn't admin authorities.
      *
-     * @param id the object identifier
+     * @param id        the object identifier
+     * @param tokenInfo additional information from a token
      */
-    public void deleteById(String id, String token) {
+    public void deleteById(String id, Map<String, Object> tokenInfo) {
         if (!accountRepository.existsById(id)) {
             throw new NotFoundException("The account by id '" + id + "' not found", HttpStatus.NOT_FOUND);
         }
-        Map<String, Object> tokenInfo = tokenStore.readAccessToken(token).getAdditionalInformation();
         Optional<Account> account = accountRepository.findById(id);
         if (account.isPresent()) {
             String userId = account.get().getId();

src/main/java/com/reckue/account/service/AuthService.java

@@ -16,7 +16,6 @@
 import org.springframework.http.ResponseEntity;
 import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.security.oauth2.common.OAuth2AccessToken;
-import org.springframework.security.oauth2.provider.token.TokenStore;
 import org.springframework.stereotype.Service;
 import org.springframework.transaction.annotation.Transactional;
 
@@ -33,7 +32,6 @@
 @RequiredArgsConstructor
 public class AuthService {
 
-    private final TokenStore tokenStore;
     private final AccountRepository accountRepository;
     private final PasswordEncoder passwordEncoder;
 
@@ -44,7 +42,7 @@ public class AuthService {
      * @param registerForm with required fields
      */
     @Transactional
-    public void register(RegisterRequest registerForm) {
+    public Account register(RegisterRequest registerForm) {
         // todo: send a mail about registration to user email
         //checking that the account exists in the database
         if (!accountRepository.existsByUsername(registerForm.getUsername())) {
@@ -77,7 +75,7 @@ public void register(RegisterRequest registerForm) {
             account.getRoles().add(new Role("ROLE_USER"));
 
             // save the account in database
-            accountRepository.save(account);
+            return accountRepository.save(account);
 
         } else {
             throw new AuthenticationException("Username already exists", HttpStatus.BAD_REQUEST);
@@ -111,28 +109,17 @@ public void saveAndCheckRefreshToken(ResponseEntity<OAuth2AccessToken> responseE
     /**
      * This method is used to get the account by user token.
      * Throws {@link NotFoundException} in case if such account isn't contained in database.
-     * Throws {@link AuthenticationException} in case of invalid token.
      *
-     * @param token user token
+     * @param userId token user id
      * @return the object of class AccountTransfer
      */
-    public Account getCurrentUser(String token) {
-        // get userId from jwt token
-        try {
-            String userId = (String) tokenStore.readAccessToken(token).getAdditionalInformation().get("userId");
-
-            // find account by username from database
-            Account account = accountRepository.findById(userId)
-                    .orElseThrow(() -> new NotFoundException("The account by id [" + userId + "] not found",
-                            HttpStatus.NOT_FOUND));
-
-            // update last visit date
-            account.setLastVisit(TimestampHelper.getCurrentTimestamp());
-
-            return account;
-        } catch (Exception e) {
-            throw new AuthenticationException("Invalid token", HttpStatus.UNAUTHORIZED);
-        }
+    public Account getCurrentUser(String userId) {
+        Account account = accountRepository.findById(userId)
+                .orElseThrow(() -> new NotFoundException("The account by id [" + userId + "] not found",
+                        HttpStatus.NOT_FOUND));
+        // update last visit date
+        account.setLastVisit(TimestampHelper.getCurrentTimestamp());
+        return account;
 
     }
 }

src/main/java/com/reckue/account/service/SecurityService.java

@@ -0,0 +1,41 @@
+package com.reckue.account.service;
+
+import com.reckue.account.exception.AuthenticationException;
+
+import javax.servlet.http.HttpServletRequest;
+import java.util.Map;
+
+/**
+ * Class SecurityService represents the service for work with token.
+ *
+ * @author Kamila Meshcheryakova
+ */
+public interface SecurityService {
+
+    /**
+     * The default realization of the algorithm:
+     * check token and get additional information from a token.
+     *
+     * @param request information for HTTP servlets
+     * @return additional information from token
+     */
+    default Map<String, Object> checkAndGetInfo(HttpServletRequest request) throws AuthenticationException {
+        return getTokenInfo(checkToken(request));
+    }
+
+    /**
+     * The method allows to get all additional information from a token.
+     *
+     * @param token user token
+     * @return additional information from a token
+     */
+    Map<String, Object> getTokenInfo(String token);
+
+    /**
+     * The method allows to check for token availability.
+     *
+     * @param request information for HTTP servlets
+     * @return access token
+     */
+    String checkToken(HttpServletRequest request);
+}

src/main/java/com/reckue/account/service/impl/SecurityServiceImpl.java

@@ -0,0 +1,62 @@
+package com.reckue.account.service.impl;
+
+import com.reckue.account.exception.AuthenticationException;
+import com.reckue.account.service.SecurityService;
+import lombok.RequiredArgsConstructor;
+import org.springframework.http.HttpStatus;
+import org.springframework.security.oauth2.provider.token.TokenStore;
+import org.springframework.stereotype.Service;
+
+import javax.servlet.http.HttpServletRequest;
+import java.util.Map;
+
+import static org.springframework.http.HttpHeaders.AUTHORIZATION;
+
+/**
+ * Class SecurityServiceImpl represents realization of SecurityService.
+ *
+ * @author Kamila Meshcheryakova
+ */
+@Service
+@RequiredArgsConstructor
+public class SecurityServiceImpl implements SecurityService {
+
+    private final TokenStore tokenStore;
+
+    /**
+     * The method allows to get all additional information from a token.
+     * Throws {@link AuthenticationException} in case of invalid token.
+     *
+     * @param token user token
+     * @return additional information from a token
+     */
+    @Override
+    public Map<String, Object> getTokenInfo(String token) {
+        try {
+            return tokenStore.readAccessToken(token).getAdditionalInformation();
+        } catch (Exception e) {
+            throw new AuthenticationException("Invalid token", HttpStatus.UNAUTHORIZED);
+        }
+    }
+
+    /**
+     * The method allows to check for token availability.
+     * Throws {@link AuthenticationException} in case if the token is missing or
+     * is too short.
+     *
+     * @param request information for HTTP servlets
+     * @return access token
+     */
+    @Override
+    public String checkToken(HttpServletRequest request) {
+        String token;
+        try {
+            token = request.getHeader(AUTHORIZATION).substring(7);
+            return token;
+        } catch (NullPointerException e) {
+            throw new AuthenticationException("Token missing", HttpStatus.BAD_REQUEST);
+        } catch (StringIndexOutOfBoundsException e) {
+            throw new AuthenticationException("Token is too short", HttpStatus.BAD_REQUEST);
+        }
+    }
+}