CLDR-16838 Fix login bug: removeLoginCookies if query has email and p…

…assword (#3388) -Undeprecate UserRegistry.internalGetPassword, accessed not only by JSP but also by Auth.java -Fix some compiler warnings for Auth.java
unicode-org · Nov 15, 2023 · 9ce8542 · 9ce8542
1 parent dace6c6
commit 9ce8542
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 18 deletions.
diff --git a/tools/cldr-apps/src/main/java/org/unicode/cldr/web/UserRegistry.java b/tools/cldr-apps/src/main/java/org/unicode/cldr/web/UserRegistry.java
@@ -380,8 +380,7 @@ String getPassword() {
             return password;
         }
 
-        /** here to allow one JSP to get at the password, but otherwise keep the field hidden */
-        @Deprecated
+        /* Accessed by admin-usersWithOldVotes.jsp as well as by Auth.java */
         public String internalGetPassword() {
             return getPassword();
         }

diff --git a/tools/cldr-apps/src/main/java/org/unicode/cldr/web/WebContext.java b/tools/cldr-apps/src/main/java/org/unicode/cldr/web/WebContext.java
@@ -1330,10 +1330,18 @@ public void setSession() {
             if (jwt != null && !jwt.isBlank()) {
                 final String jwtId = CookieSession.sm.klm.getSubject(jwt);
                 if (jwtId != null && !jwtId.isBlank()) {
-                    User jwtInfo = CookieSession.sm.reg.getInfo(Integer.parseInt(jwtId));
-                    if (jwtInfo != null) {
-                        user = jwtInfo;
-                        logger.fine("Logged in " + jwtInfo + " #" + jwtId + " using JWT");
+                    if (!email.isEmpty() && !password.isEmpty()) {
+                        // If the user was already logged in as Admin/TC/Manager, then used a URL
+                        // with explicit email/password to log in as a different user, the old
+                        // cookies (especially JWT) must be removed to prevent staying logged
+                        // in as the first user
+                        removeLoginCookies(request, response);
+                    } else {
+                        User jwtInfo = CookieSession.sm.reg.getInfo(Integer.parseInt(jwtId));
+                        if (jwtInfo != null) {
+                            user = jwtInfo;
+                            logger.fine("Logged in " + jwtInfo + " #" + jwtId + " using JWT");
+                        }
                     }
                 }
             }

diff --git a/tools/cldr-apps/src/main/java/org/unicode/cldr/web/api/Auth.java b/tools/cldr-apps/src/main/java/org/unicode/cldr/web/api/Auth.java
@@ -56,17 +56,12 @@ public Response login(
             @Context HttpServletRequest hreq,
             @Context HttpServletResponse hresp,
             @QueryParam("remember")
-                    @Schema(
-                            required = false,
-                            defaultValue = "false",
-                            description = "If true, remember login")
+                    @Schema(defaultValue = "false", description = "If true, remember login")
                     boolean remember,
             LoginRequest request) {
 
         // If there's no user/pass, try to fill one in from cookies.
         if (request.isEmpty()) {
-            // No option to ignore the cookies.
-            // If you want to logout, use the /logout endpoint first.
             // Also compare WebContext.setSession()
             final String jwt = WebContext.getCookieValue(hreq, SurveyMain.COOKIE_SAVELOGIN);
             if (jwt != null && !jwt.isBlank()) {
@@ -96,7 +91,7 @@ public Response login(
                 if (session == null) {
                     session = CookieSession.newSession(user, userIP);
                 }
-                if (remember == true && user != null) {
+                if (remember) {
                     WebContext.loginRemember(hresp, user);
                 }
             } else {
@@ -155,8 +150,8 @@ public Response login(
      * Create a LoginResponse, given a session. Put this here and not in LoginResponse because of
      * serialization
      *
-     * @param session
-     * @return
+     * @param session the cookie session
+     * @return the response
      */
     private LoginResponse createLoginResponse(CookieSession session) {
         LoginResponse resp = new LoginResponse();
@@ -212,7 +207,6 @@ public Response info(
                     final String session,
             @QueryParam("touch")
                     @Schema(
-                            required = false,
                             defaultValue = "false",
                             description = "Whether to mark the session as updated")
                     final boolean touch) {
@@ -294,7 +288,7 @@ public Response lock(
     /**
      * Extract a CookieSession from a session string
      *
-     * @param session
+     * @param session the session string, or null
      * @return session or null
      */
     public static CookieSession getSession(String session) {
@@ -306,7 +300,7 @@ public static CookieSession getSession(String session) {
     /**
      * Convenience function for returning the response when there's no session
      *
-     * @return
+     * @return the response
      */
     public static Response noSessionResponse() {
         return Response.status(Status.UNAUTHORIZED).build();