CLDR-16838 Fix login bug: removeLoginCookies if query has email and p…

…assword

-Undeprecate UserRegistry.internalGetPassword, accessed not only by JSP but also by Auth.java

-Fix some compiler warnings for Auth.java

tools/cldr-apps/src/main/java/org/unicode/cldr/web/KeepLoggedInManager.java

@@ -12,8 +12,6 @@
 import java.io.IOException;
 import java.nio.charset.StandardCharsets;
 import java.util.Date;
-import java.util.HashSet;
-import java.util.Set;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import javax.crypto.SecretKey;
@@ -33,8 +31,6 @@ public class KeepLoggedInManager {
     private final File keyFile;
     private SecretKey key;
 
-    private final Set<String> excludedJwtId = new HashSet<>();
-
     public static File getDefaultParent() {
         final CLDRConfig config = CLDRConfig.getInstance();
         if (config instanceof CLDRConfigImpl) {
@@ -179,12 +175,4 @@ public Jws<Claims> getClaims(String jwt) {
             return null;
         }
     }
-
-    public boolean jwtIsInExcludedSet(String jwtId) {
-        return excludedJwtId.contains(jwtId);
-    }
-
-    public void addToExcludedSet(String jwtId) {
-        excludedJwtId.add(jwtId);
-    }
 }

tools/cldr-apps/src/main/java/org/unicode/cldr/web/WebContext.java

@@ -1328,11 +1328,13 @@ public void setSession() {
         {
             final String jwt = getCookieValue(SurveyMain.COOKIE_SAVELOGIN);
             if (jwt != null && !jwt.isBlank()) {
-                KeepLoggedInManager klm = CookieSession.sm.klm;
-                final String jwtId = klm.getSubject(jwt);
-                if (jwtId != null && !jwtId.isBlank() && !klm.jwtIsInExcludedSet(jwtId)) {
+                final String jwtId = CookieSession.sm.klm.getSubject(jwt);
+                if (jwtId != null && !jwtId.isBlank()) {
                     if (!email.isEmpty() && !password.isEmpty()) {
-                        // klm.addToExcludedSet(jwtId);
+                        // If the user was already logged in as Admin/TC/Manager, then used a URL
+                        // with explicit email/password to log in as a different user, the old
+                        // cookies (especially JWT) must be removed to prevent staying logged
+                        // in as the first user
                         removeLoginCookies(request, response);
                     } else {
                         User jwtInfo = CookieSession.sm.reg.getInfo(Integer.parseInt(jwtId));

tools/cldr-apps/src/main/java/org/unicode/cldr/web/api/Auth.java

@@ -19,7 +19,6 @@
 import org.eclipse.microprofile.openapi.annotations.responses.APIResponses;
 import org.eclipse.microprofile.openapi.annotations.tags.Tag;
 import org.unicode.cldr.web.CookieSession;
-import org.unicode.cldr.web.KeepLoggedInManager;
 import org.unicode.cldr.web.SurveyLog;
 import org.unicode.cldr.web.SurveyMain;
 import org.unicode.cldr.web.UserRegistry;
@@ -66,9 +65,8 @@ public Response login(
             // Also compare WebContext.setSession()
             final String jwt = WebContext.getCookieValue(hreq, SurveyMain.COOKIE_SAVELOGIN);
             if (jwt != null && !jwt.isBlank()) {
-                KeepLoggedInManager klm = CookieSession.sm.klm;
-                final String jwtId = klm.getSubject(jwt);
-                if (jwtId != null && !jwtId.isBlank() && !klm.jwtIsInExcludedSet(jwtId)) {
+                final String jwtId = CookieSession.sm.klm.getSubject(jwt);
+                if (jwtId != null && !jwtId.isBlank()) {
                     User jwtInfo = CookieSession.sm.reg.getInfo(Integer.parseInt(jwtId));
                     if (jwtInfo != null) {
                         request.password = jwtInfo.internalGetPassword();