WIP SB 4.0.0

Author: bukajsytlos

src/inttest/java/com/faforever/api/clan/ClanControllerTest.java

@@ -106,7 +106,7 @@ public void createClanWithoutAuth() throws Exception {
     mockMvc.perform(
       post("/clans/create")
         .params(params))
-      .andExpect(status().isForbidden());
+      .andExpect(status().isUnauthorized());
   }
 
   @Test

src/inttest/java/com/faforever/api/moderationreport/ModerationReportTest.java

@@ -63,7 +63,7 @@ public void anonymousUserCannotCreateValidModerationReport() throws Exception {
       post("/data/moderationReport")
         .header(HttpHeaders.CONTENT_TYPE, JSON_API_MEDIA_TYPE)
         .content(createJsonApiContent(validModerationReport)))
-      .andExpect(status().isForbidden());
+      .andExpect(status().isUnauthorized());
   }
 
   @Test

src/inttest/java/com/faforever/api/user/MeControllerTest.java

@@ -18,7 +18,7 @@ public class MeControllerTest extends AbstractIntegrationTest {
   @Test
   public void withoutTokenUnauthorized() throws Exception {
     mockMvc.perform(get("/me"))
-      .andExpect(status().isForbidden());
+      .andExpect(status().isUnauthorized());
   }
 
   @Test

src/inttest/java/com/faforever/api/user/UsersControllerTest.java

@@ -232,7 +232,7 @@ public void resetPasswordWithEmail() throws Exception {
     params.add("identifier", "[email protected]");
 
     mockMvc.perform(
-      post("/users/requestPasswordReset")
+        post("/users/requestPasswordReset")
         .params(params))
       .andExpect(status().isOk());
 
@@ -256,13 +256,14 @@ public void performPasswordReset() throws Exception {
   public void buildSteamLinkUrlUnauthorized() throws Exception {
     mockMvc.perform(
       post("/users/buildSteamLinkUrl?callbackUrl=foo"))
-      .andExpect(status().isForbidden());
+      .andExpect(status().isUnauthorized());
   }
 
   @Test
   public void buildSteamLinkUrlWithWrongScope() throws Exception {
     mockMvc.perform(
-      post("/users/buildSteamLinkUrl?callbackUrl=foo"))
+      post("/users/buildSteamLinkUrl?callbackUrl=foo")
+        .with(getOAuthTokenForUserId(USERID_MODERATOR, OAuthScope._LOBBY)))
       .andExpect(status().isForbidden());
   }
 
@@ -350,7 +351,7 @@ public void changeUsernameUnauthorized() throws Exception {
     mockMvc.perform(
       post("/users/changeUsername")
         .params(params))
-      .andExpect(status().isForbidden());
+      .andExpect(status().isUnauthorized());
   }
 
   @Test

src/inttest/resources/config/application.yml

@@ -19,9 +19,6 @@ spring:
       ddl-auto: ${DATABASE_DDL_AUTO:none}
       naming:
         physical-strategy: org.hibernate.boot.model.naming.PhysicalNamingStrategyStandardImpl
-    properties:
-      hibernate:
-        current_session_context_class: org.springframework.orm.hibernate5.SpringSessionContext
   h2:
     console:
       enabled: true
@@ -110,3 +107,4 @@ logging:
   level:
     org.hibernate.SQL: DEBUG
     org.hibernate.engine.spi.EntityEntry: TRACE
+    org.springframework.security: DEBUG

src/main/java/com/faforever/api/config/elide/ElideConfig.java

@@ -34,11 +34,6 @@ public class ElideConfig {
 
   public static final String DEFAULT_CACHE_NAME = "Elide.defaultCache";
 
-  @Bean
-  ObjectMapper objectMapper() {
-    return new ObjectMapper();
-  }
-
   @Bean
   MultiplexManager multiplexDataStore(
     DataStore fafDataStore,

src/main/java/com/faforever/api/config/security/WebSecurityConfig.java

@@ -50,6 +50,17 @@ public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Excepti
         "/favicon.ico",
         "/robots.txt"
       ).permitAll();
+      authorizeConfig.requestMatchers(
+        "/exe/upload",
+        "/game/*/replay",
+        "/users/register",
+        "/users/activate",
+        "/users/requestPasswordReset",
+        "/users/requestPasswordReset",
+        "/users/performPasswordReset",
+        "/users/linkToSteam/**"
+      ).permitAll();
+      authorizeConfig.anyRequest().authenticated();
     });
     // @formatter:on
     return http.build();

src/main/java/com/faforever/api/security/method/CustomMethodSecurityExpressionHandler.java

@@ -1,26 +1,31 @@
 package com.faforever.api.security.method;
 
 import org.aopalliance.intercept.MethodInvocation;
+import org.jspecify.annotations.Nullable;
+import org.springframework.expression.EvaluationContext;
+import org.springframework.expression.spel.support.StandardEvaluationContext;
 import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
-import org.springframework.security.access.expression.method.MethodSecurityExpressionOperations;
 import org.springframework.security.authentication.AuthenticationTrustResolver;
 import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
 import org.springframework.security.core.Authentication;
 
+import java.util.function.Supplier;
+
 /**
  * Wraps the CustomMethodSecurityExpressionRoot into an expression handler
  */
 public class CustomMethodSecurityExpressionHandler extends DefaultMethodSecurityExpressionHandler {
   private final AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();
 
   @Override
-  protected MethodSecurityExpressionOperations createSecurityExpressionRoot(Authentication authentication, MethodInvocation invocation) {
+  public EvaluationContext createEvaluationContext(Supplier<? extends @Nullable Authentication> authentication, MethodInvocation mi) {
+    StandardEvaluationContext context = (StandardEvaluationContext) super.createEvaluationContext(authentication, mi);
     var root = new CustomMethodSecurityExpressionRoot(authentication);
 
     root.setPermissionEvaluator(getPermissionEvaluator());
     root.setTrustResolver(trustResolver);
     root.setRoleHierarchy(getRoleHierarchy());
-
-    return root;
+    context.setRootObject(root);
+    return context;
   }
 }

src/main/java/com/faforever/api/security/method/CustomMethodSecurityExpressionRoot.java

@@ -1,9 +1,12 @@
 package com.faforever.api.security.method;
 
+import org.jspecify.annotations.Nullable;
 import org.springframework.security.access.expression.SecurityExpressionRoot;
 import org.springframework.security.access.expression.method.MethodSecurityExpressionOperations;
 import org.springframework.security.core.Authentication;
 
+import java.util.function.Supplier;
+
 import static com.faforever.api.security.FafScope.SCOPE_PREFIX;
 
 /**
@@ -14,7 +17,7 @@ public class CustomMethodSecurityExpressionRoot extends SecurityExpressionRoot i
   private Object filterObject;
   private Object returnObject;
 
-  public CustomMethodSecurityExpressionRoot(Authentication authentication) {
+  public CustomMethodSecurityExpressionRoot(Supplier<? extends @Nullable Authentication> authentication) {
     super(authentication);
   }
 

src/main/resources/config/application.yml

@@ -128,7 +128,6 @@ spring:
         physical-strategy: org.hibernate.boot.model.naming.PhysicalNamingStrategyStandardImpl
     properties:
       hibernate:
-        current_session_context_class: org.springframework.orm.hibernate5.SpringSessionContext
         dialect: org.hibernate.dialect.MariaDBDialect
   jackson:
     serialization: