From 6bdfe9044472887ccb16d424c4403f904d9f2ad7 Mon Sep 17 00:00:00 2001
From: Alex Bogdanovski
Date: Tue, 16 Jul 2019 13:56:00 +0300
Subject: [PATCH] switched to a more secure JWT delegation via cookies, instead of query param
---
 src/main/java/com/erudika/scoold/ScooldServer.java | 2 +-
 .../com/erudika/scoold/controllers/SigninController.java | 7 +++++--
 2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/src/main/java/com/erudika/scoold/ScooldServer.java b/src/main/java/com/erudika/scoold/ScooldServer.java
index d600d690..9d6050c8 100644
--- a/src/main/java/com/erudika/scoold/ScooldServer.java
+++ b/src/main/java/com/erudika/scoold/ScooldServer.java
@@ -252,7 +252,7 @@ public ParaClient paraClientBean() {
 settings.put("security.allow_unverified_emails", Config.getConfigBoolean("security.allow_unverified_emails", false));
 // URLs for success and failure
- settings.put("signin_success", getServerURL() + CONTEXT_PATH + SIGNINLINK + "/success?jwt=?");
+ settings.put("signin_success", getServerURL() + CONTEXT_PATH + SIGNINLINK + "/success?jwt=incookie");
 settings.put("signin_failure", getServerURL() + CONTEXT_PATH + SIGNINLINK + "?code=3&error=true");
 ScooldUtils.tryConnectToPara(() -> {
diff --git a/src/main/java/com/erudika/scoold/controllers/SigninController.java b/src/main/java/com/erudika/scoold/controllers/SigninController.java
index a7c79a10..fa023f13 100755
--- a/src/main/java/com/erudika/scoold/controllers/SigninController.java
+++ b/src/main/java/com/erudika/scoold/controllers/SigninController.java
@@ -19,6 +19,7 @@ import com.erudika.para.annotations.Email;
 import com.erudika.para.client.ParaClient;
+import com.erudika.para.core.App;
 import com.erudika.para.core.Sysprop;
 import com.erudika.para.core.User;
 import com.erudika.para.utils.Config;
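Review bot: The new `"/success?jwt=incookie"` literal in `paraClientBean` is an undocumented sentinel that the controller side depends on; the removed `jwt=?` form was at least checked for in `signinSuccess`, while nothing in this hunk says what `incookie` means to Para. Add a why-comment above the line, e.g. `// "jwt=incookie" presumably tells Para to hand the JWT over in a cookie instead of appending it to this URL (read back in SigninController.signinSuccess) — confirm against the Para docs`, or move the suffix into a named constant shared with the controller so the two sides cannot drift apart. `paraClientBean` continues outside the hunk.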
@@ -104,8 +105,10 @@ public String signinPost(@RequestParam("access_token") String accessToken, @Requ
 @GetMapping("/signin/success")
 public String signinSuccess(@RequestParam String jwt, HttpServletRequest req, HttpServletResponse res, Model model) {
- if (!StringUtils.isBlank(jwt) && !"?".equals(jwt)) {
- setAuthCookie(jwt, req, res);
+ String jwtFromCookie = HttpUtils.getCookieValue(req,
+ App.identifier(Config.getConfigParam("access_key", "")) + "-auth");
+ if (!StringUtils.isBlank(jwtFromCookie)) {
+ setAuthCookie(jwtFromCookie, req, res);
 } else {
 return "redirect:" + SIGNINLINK + "?code=3&error=true";
 }
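Review bot: The `jwt` parameter of `signinSuccess` is never read on the new side (the token now comes from the `-auth` cookie), yet it stays a required `@RequestParam`, so a request to `/signin/success` without `?jwt=` is rejected by Spring before the cookie check and the error redirect ever run; make it `@RequestParam(required = false) String jwt` or drop it, and explain the hand-off in a method comment such as `// Para delivers the JWT in the "<app id>-auth" cookie; copy it into Scoold's own auth cookie`. The Para-set cookie is read but never cleared here, so unless `setAuthCookie` writes the same cookie name (not visible in this hunk) the token lingers in two cookies whose Secure/HttpOnly/expiry attributes may differ — consider expiring it right after the copy. The cookie name is also recomputed from config on every request; a `private static final` constant would do. The body of `signinSuccess` continues past the end of the hunk.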