Fix session management, added swagger

Author: gavlyukovskiy

build.gradle

@@ -31,6 +31,7 @@ dependencies {
     implementation 'org.springframework.boot:spring-boot-starter-web'
     implementation 'org.flywaydb:flyway-core:11.13.0'
     implementation 'org.flywaydb:flyway-database-postgresql:11.13.0'
+    implementation 'org.springdoc:springdoc-openapi-starter-webmvc-ui:2.8.13'
 
     runtimeOnly 'org.postgresql:postgresql'
 

src/main/java/net/hackyourfuture/coursehub/SecurityConfig.java

@@ -29,13 +29,17 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
                     config.setAllowCredentials(true);
                     return config;
                 }))
-                .authorizeHttpRequests(auth -> auth.requestMatchers(HttpMethod.POST, "/login", "/register")
+                .authorizeHttpRequests(auth -> auth
+                        // allow CORS pre-flight requests to any endpoint
+                        .requestMatchers(HttpMethod.OPTIONS, "/**")
                         .permitAll()
-                        .requestMatchers(HttpMethod.OPTIONS, "/login", "/register")
+                        // this is an internal mapping to display errors
+                        // allowing it without authentication so that errors are displayed correctly
+                        .requestMatchers("/error")
                         .permitAll()
-                        .requestMatchers(HttpMethod.GET, "/courses")
+                        .requestMatchers(HttpMethod.POST, "/login", "/register")
                         .permitAll()
-                        .requestMatchers(HttpMethod.OPTIONS, "/courses")
+                        .requestMatchers(HttpMethod.GET, "/courses", "/swagger/**")
                         .permitAll()
                         .requestMatchers("/students/**")
                         .hasRole("student")

src/main/java/net/hackyourfuture/coursehub/web/StudentController.java

@@ -2,16 +2,14 @@
 
 import jakarta.validation.constraints.Positive;
 import net.hackyourfuture.coursehub.service.CourseService;
-import net.hackyourfuture.coursehub.web.model.CourseDto;
+import net.hackyourfuture.coursehub.web.model.CourseListResponse;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
 
-import java.util.List;
-
 @RestController
-@RequestMapping("students")
+@RequestMapping("/students")
 public class StudentController {
 
     private final CourseService courseService;
@@ -21,7 +19,8 @@ public StudentController(CourseService courseService) {
     }
 
     @GetMapping("/{studentId}/courses")
-    public List<CourseDto> getCoursesForStudent(@PathVariable(value = "studentId") @Positive Integer studentId) {
-        return courseService.getCoursesForStudent(studentId);
+    public CourseListResponse getCoursesForStudent(@PathVariable @Positive Integer studentId) {
+        var courses = courseService.getCoursesForStudent(studentId);
+        return new CourseListResponse(courses);
     }
 }

src/main/java/net/hackyourfuture/coursehub/web/UserAuthenticationController.java

@@ -1,7 +1,7 @@
 package net.hackyourfuture.coursehub.web;
 
 import jakarta.servlet.http.HttpServletRequest;
-import net.hackyourfuture.coursehub.repository.StudentRepository;
+import jakarta.servlet.http.HttpServletResponse;
 import net.hackyourfuture.coursehub.service.UserAuthenticationService;
 import net.hackyourfuture.coursehub.web.model.HttpErrorResponse;
 import net.hackyourfuture.coursehub.web.model.LoginRequest;
@@ -16,6 +16,8 @@
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
+import org.springframework.security.web.context.SecurityContextRepository;
 import org.springframework.validation.annotation.Validated;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestBody;
@@ -26,21 +28,19 @@
 public class UserAuthenticationController {
     private final AuthenticationManager authenticationManager;
     private final UserAuthenticationService userAuthenticationService;
-    private final StudentRepository studentRepository;
+    private final SecurityContextRepository securityContextRepository = new HttpSessionSecurityContextRepository();
 
     public UserAuthenticationController(
             AuthenticationManager authenticationManager,
-            UserAuthenticationService userAuthenticationService,
-            StudentRepository studentRepository) {
+            UserAuthenticationService userAuthenticationService) {
         this.authenticationManager = authenticationManager;
         this.userAuthenticationService = userAuthenticationService;
-        this.studentRepository = studentRepository;
     }
 
     @PostMapping("/login")
-    public ResponseEntity<Object> login(@RequestBody LoginRequest request, HttpServletRequest httpRequest) {
+    public ResponseEntity<Object> login(@RequestBody LoginRequest request, HttpServletRequest httpRequest, HttpServletResponse httpResponse) {
         try {
-            var response = authenticate(httpRequest, request.emailAddress(), request.password());
+            var response = authenticate(httpRequest, httpResponse, request.emailAddress(), request.password());
             return ResponseEntity.ok(response);
         } catch (AuthenticationException e) {
             if (e instanceof BadCredentialsException) {
@@ -64,25 +64,29 @@ public ResponseEntity<?> logout(HttpServletRequest httpRequest) {
     }
 
     @PostMapping("/register")
-    public LoginSuccessResponse register(@RequestBody RegisterRequest request, HttpServletRequest httpRequest) {
+    public LoginSuccessResponse register(@RequestBody RegisterRequest request, HttpServletRequest httpRequest, HttpServletResponse httpResponse) {
         userAuthenticationService.register(
                 request.firstName(),
                 request.lastName(),
                 request.emailAddress(),
                 request.password()
         );
 
-        return authenticate(httpRequest, request.emailAddress(), request.password());
+        return authenticate(httpRequest, httpResponse, request.emailAddress(), request.password());
     }
 
-    private LoginSuccessResponse authenticate(HttpServletRequest httpRequest, String email, String password) {
+    private LoginSuccessResponse authenticate(HttpServletRequest request, HttpServletResponse response, String email, String password) {
         // Authenticate the user with the provided credentials (email and password)
         Authentication authentication = authenticationManager.authenticate(
                 new UsernamePasswordAuthenticationToken(email, password));
+
+        SecurityContextHolder.clearContext();
+        var context = SecurityContextHolder.createEmptyContext();
+        context.setAuthentication(authentication);
+        SecurityContextHolder.setContext(context);
+
         // Save the authenticated user in the Spring security context
-        SecurityContextHolder.getContext().setAuthentication(authentication);
-        // Ensure a session is created for the authenticated user
-        httpRequest.getSession(true);
+        securityContextRepository.saveContext(context, request, response);
 
         // Retrieve the corresponding user data to return in a login response
         var authenticatedUser = userAuthenticationService.currentAuthenticatedUser();

src/main/resources/application.properties

@@ -8,3 +8,6 @@ spring.datasource.password=course_user_password
 
 # Server configuration
 server.port=8080
+
+springdoc.swagger-ui.path=/swagger/swagger-ui.html
+springdoc.api-docs.path=/swagger/v3/api-docs

ui/src/pages/MyCourses.tsx

@@ -13,7 +13,7 @@ function MyCourses({user}: { user: User | null }) {
     const {backendUrl} = useConfig();
 
     useEffect(() => {
-        fetch(`${backendUrl}/student/${user.userId}/courses`, {
+        fetch(`${backendUrl}/students/${user.userId}/courses`, {
             credentials: "include",
         }).then(res => res.json())
             .then(data => setCourses(data.courses))