switched to a more secure JWT delegation via cookies, instead of quer…

…y param
Erudika · Jul 16, 2019 · 6bdfe90 · 6bdfe90
1 parent dfae16e
commit 6bdfe90
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 3 deletions.
diff --git a/src/main/java/com/erudika/scoold/ScooldServer.java b/src/main/java/com/erudika/scoold/ScooldServer.java
@@ -252,7 +252,7 @@ public ParaClient paraClientBean() {
 		settings.put("security.allow_unverified_emails", Config.getConfigBoolean("security.allow_unverified_emails", false));
 
 		// URLs for success and failure
-		settings.put("signin_success", getServerURL() + CONTEXT_PATH + SIGNINLINK + "/success?jwt=?");
+		settings.put("signin_success", getServerURL() + CONTEXT_PATH + SIGNINLINK + "/success?jwt=incookie");
 		settings.put("signin_failure", getServerURL() + CONTEXT_PATH + SIGNINLINK + "?code=3&error=true");
 
 		ScooldUtils.tryConnectToPara(() -> {

diff --git a/src/main/java/com/erudika/scoold/controllers/SigninController.java b/src/main/java/com/erudika/scoold/controllers/SigninController.java
@@ -19,6 +19,7 @@
 
 import com.erudika.para.annotations.Email;
 import com.erudika.para.client.ParaClient;
+import com.erudika.para.core.App;
 import com.erudika.para.core.Sysprop;
 import com.erudika.para.core.User;
 import com.erudika.para.utils.Config;
@@ -104,8 +105,10 @@ public String signinPost(@RequestParam("access_token") String accessToken, @Requ
 
 	@GetMapping("/signin/success")
 	public String signinSuccess(@RequestParam String jwt, HttpServletRequest req, HttpServletResponse res, Model model) {
-		if (!StringUtils.isBlank(jwt) && !"?".equals(jwt)) {
-			setAuthCookie(jwt, req, res);
+		String jwtFromCookie = HttpUtils.getCookieValue(req,
+				App.identifier(Config.getConfigParam("access_key", "")) + "-auth");
+		if (!StringUtils.isBlank(jwtFromCookie)) {
+			setAuthCookie(jwtFromCookie, req, res);
 		} else {
 			return "redirect:" + SIGNINLINK + "?code=3&error=true";
 		}