From 9ce854203ad80e7f5253509d5c929f747aa465cb Mon Sep 17 00:00:00 2001 From: Tom Bishop Date: Wed, 15 Nov 2023 13:43:53 -0500 Subject: [PATCH] CLDR-16838 Fix login bug: removeLoginCookies if query has email and password (#3388) -Undeprecate UserRegistry.internalGetPassword, accessed not only by JSP but also by Auth.java -Fix some compiler warnings for Auth.java --- .../org/unicode/cldr/web/UserRegistry.java | 3 +-- .../java/org/unicode/cldr/web/WebContext.java | 16 ++++++++++++---- .../java/org/unicode/cldr/web/api/Auth.java | 18 ++++++------------ 3 files changed, 19 insertions(+), 18 deletions(-) diff --git a/tools/cldr-apps/src/main/java/org/unicode/cldr/web/UserRegistry.java b/tools/cldr-apps/src/main/java/org/unicode/cldr/web/UserRegistry.java index 00e747f0e42..4777f27ab75 100644 --- a/tools/cldr-apps/src/main/java/org/unicode/cldr/web/UserRegistry.java +++ b/tools/cldr-apps/src/main/java/org/unicode/cldr/web/UserRegistry.java @@ -380,8 +380,7 @@ String getPassword() { return password; } - /** here to allow one JSP to get at the password, but otherwise keep the field hidden */ - @Deprecated + /* Accessed by admin-usersWithOldVotes.jsp as well as by Auth.java */ public String internalGetPassword() { return getPassword(); } diff --git a/tools/cldr-apps/src/main/java/org/unicode/cldr/web/WebContext.java b/tools/cldr-apps/src/main/java/org/unicode/cldr/web/WebContext.java index 34b17870043..47c31ed8e13 100644 --- a/tools/cldr-apps/src/main/java/org/unicode/cldr/web/WebContext.java +++ b/tools/cldr-apps/src/main/java/org/unicode/cldr/web/WebContext.java @@ -1330,10 +1330,18 @@ public void setSession() { if (jwt != null && !jwt.isBlank()) { final String jwtId = CookieSession.sm.klm.getSubject(jwt); if (jwtId != null && !jwtId.isBlank()) { - User jwtInfo = CookieSession.sm.reg.getInfo(Integer.parseInt(jwtId)); - if (jwtInfo != null) { - user = jwtInfo; - logger.fine("Logged in " + jwtInfo + " #" + jwtId + " using JWT"); + if (!email.isEmpty() && !password.isEmpty()) { + // If the user was already logged in as Admin/TC/Manager, then used a URL + // with explicit email/password to log in as a different user, the old + // cookies (especially JWT) must be removed to prevent staying logged + // in as the first user + removeLoginCookies(request, response); + } else { + User jwtInfo = CookieSession.sm.reg.getInfo(Integer.parseInt(jwtId)); + if (jwtInfo != null) { + user = jwtInfo; + logger.fine("Logged in " + jwtInfo + " #" + jwtId + " using JWT"); + } } } } diff --git a/tools/cldr-apps/src/main/java/org/unicode/cldr/web/api/Auth.java b/tools/cldr-apps/src/main/java/org/unicode/cldr/web/api/Auth.java index d9975f6bf0c..b6ba90fadd7 100644 --- a/tools/cldr-apps/src/main/java/org/unicode/cldr/web/api/Auth.java +++ b/tools/cldr-apps/src/main/java/org/unicode/cldr/web/api/Auth.java @@ -56,17 +56,12 @@ public Response login( @Context HttpServletRequest hreq, @Context HttpServletResponse hresp, @QueryParam("remember") - @Schema( - required = false, - defaultValue = "false", - description = "If true, remember login") + @Schema(defaultValue = "false", description = "If true, remember login") boolean remember, LoginRequest request) { // If there's no user/pass, try to fill one in from cookies. if (request.isEmpty()) { - // No option to ignore the cookies. - // If you want to logout, use the /logout endpoint first. // Also compare WebContext.setSession() final String jwt = WebContext.getCookieValue(hreq, SurveyMain.COOKIE_SAVELOGIN); if (jwt != null && !jwt.isBlank()) { @@ -96,7 +91,7 @@ public Response login( if (session == null) { session = CookieSession.newSession(user, userIP); } - if (remember == true && user != null) { + if (remember) { WebContext.loginRemember(hresp, user); } } else { @@ -155,8 +150,8 @@ public Response login( * Create a LoginResponse, given a session. Put this here and not in LoginResponse because of * serialization * - * @param session - * @return + * @param session the cookie session + * @return the response */ private LoginResponse createLoginResponse(CookieSession session) { LoginResponse resp = new LoginResponse(); @@ -212,7 +207,6 @@ public Response info( final String session, @QueryParam("touch") @Schema( - required = false, defaultValue = "false", description = "Whether to mark the session as updated") final boolean touch) { @@ -294,7 +288,7 @@ public Response lock( /** * Extract a CookieSession from a session string * - * @param session + * @param session the session string, or null * @return session or null */ public static CookieSession getSession(String session) { @@ -306,7 +300,7 @@ public static CookieSession getSession(String session) { /** * Convenience function for returning the response when there's no session * - * @return + * @return the response */ public static Response noSessionResponse() { return Response.status(Status.UNAUTHORIZED).build();