Fix login/logout flow and use Redis to store sessions

Author: Breus

build.gradle

@@ -31,8 +31,10 @@ dependencies {
     runtimeOnly 'org.postgresql:postgresql'
     // Spring security is used to handle user authentication and authorization
     implementation 'org.springframework.boot:spring-boot-starter-security'
-    // Spring Data Redis is used to interact with Redis, which we use as a key value database to store user sessions
+    // Spring session is used to manage user sessions using Redis as the session store
     implementation("org.springframework.session:spring-session-data-redis")
+    // Spring Data Redis is used to interact with Redis, which we use as a key value database to store user sessions
+    implementation 'org.springframework.boot:spring-boot-starter-data-redis'
     // Validation starter is used to validate user input
     implementation 'org.springframework.boot:spring-boot-starter-validation'
     // Web starter is used to build our web APIs (HTTP endpoints)

src/main/java/net/hackyourfuture/coursehub/SecurityConfig.java

@@ -29,6 +29,10 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
                     config.setAllowCredentials(true);
                     return config;
                 }))
+                // Disable the default logout endpoint as we implemented our own
+                .logout(AbstractHttpConfigurer::disable)
+                // Disable the default login (form) endpoint as we implemented our own
+                .formLogin(AbstractHttpConfigurer::disable)
                 .authorizeHttpRequests(auth -> auth
                         // allow CORS pre-flight requests to any endpoint
                         .requestMatchers(HttpMethod.OPTIONS, "/**")
@@ -37,7 +41,7 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
                         // allowing it without authentication so that errors are displayed correctly
                         .requestMatchers("/error")
                         .permitAll()
-                        .requestMatchers(HttpMethod.POST, "/login", "/register")
+                        .requestMatchers(HttpMethod.POST, "/login", "/logout", "/register")
                         .permitAll()
                         .requestMatchers(HttpMethod.GET, "/courses", "/swagger-ui/**", "/v3/api-docs/**")
                         .permitAll()

src/main/java/net/hackyourfuture/coursehub/web/UserAuthenticationController.java

@@ -38,7 +38,8 @@ public UserAuthenticationController(
     }
 
     @PostMapping("/login")
-    public ResponseEntity<Object> login(@RequestBody LoginRequest request, HttpServletRequest httpRequest, HttpServletResponse httpResponse) {
+    public ResponseEntity<Object> login(
+            @RequestBody LoginRequest request, HttpServletRequest httpRequest, HttpServletResponse httpResponse) {
         try {
             var response = authenticate(httpRequest, httpResponse, request.emailAddress(), request.password());
             return ResponseEntity.ok(response);
@@ -59,7 +60,10 @@ public ResponseEntity<Object> login(@RequestBody LoginRequest request, HttpServl
     @PostMapping("/logout")
     public ResponseEntity<?> logout(HttpServletRequest httpRequest) {
         SecurityContextHolder.clearContext();
-        httpRequest.getSession().invalidate();
+        var session = httpRequest.getSession(false);
+        if (session != null) {
+            session.invalidate();
+        }
         return ResponseEntity.ok().build();
     }
 

src/main/resources/application.properties

@@ -8,3 +8,7 @@ spring.datasource.password=course_user_password
 
 # Server configuration
 server.port=8080
+
+# Session in Redis Configuration
+# We want users to stay logged in for 7 days for convenience
+spring.session.timeout=7d