switch user id to uuid cookie, fix user id check

Author: Christian Wansart

build.gradle

@@ -5,7 +5,7 @@ plugins {
 }
 
 group = 'de.cwansart'
-version = '1.0.0'
+version = '1.0.2'
 
 java {
 	toolchain {

src/main/java/de/cwansart/unipoll/VoteController.java

@@ -1,8 +1,10 @@
 package de.cwansart.unipoll;
 
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.List;
 import java.util.Optional;
+import java.util.UUID;
 
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatusCode;
@@ -14,7 +16,9 @@
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.server.ResponseStatusException;
 
+import jakarta.servlet.http.Cookie;
 import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
 
 class ChoiceElement {
 	private int id;
@@ -67,10 +71,9 @@ public String show(
 			throw new ResponseStatusException(HttpStatusCode.valueOf(404), "poll does not exist");
 		}
 
-		String userId = request.getRemoteAddr();
-		
+		Optional<Cookie> userIdCookie = Arrays.asList(request.getCookies()).stream().filter(c -> c.getName().equals("unipoll-user-id")).findFirst();
 		// check if user already voted
-		if (voteRepo.findByIdAndUserId(id, userId).isPresent()) {
+		if (userIdCookie.isPresent() && voteRepo.findByPollIdAndUserId(id, userIdCookie.get().getValue()).isPresent()) {
 			return "redirect:/results?id=" + id + "&v=1";
 		}
 		model.addAttribute("choices", poll.get().getChoices());
@@ -84,17 +87,17 @@ public String save(
 			@RequestParam(name = "id", required = true) long id,
 			@ModelAttribute("voteForm") VoteForm voteForm, 
 			Model model, 
-			HttpServletRequest request
+			HttpServletResponse response
 	) {
 		Optional<Poll> poll = pollRepo.findById(id);
 		if (poll.isEmpty()) {
 			throw new ResponseStatusException(HttpStatusCode.valueOf(404), "poll does not exist");
 		}
 
-		String userId = request.getRemoteAddr();
+		String userId = UUID.randomUUID().toString();
 
 		// check if user has already voted
-		if (voteRepo.findByIdAndUserId(id, userId).isPresent()) {
+		if (voteRepo.findByPollIdAndUserId(id, userId).isPresent()) {
 			return "redirect:/results?id=" + id + "&v=1";
 		}
 
@@ -115,6 +118,9 @@ public String save(
 		vote.setChoices(choices);
 		vote.setUserId(userId);
 		voteRepo.save(vote);
+		
+		response.addCookie(new Cookie("unipoll-user-id", userId));
+		
 		return "redirect:/vote?id=" + id;
 	}
 }

src/main/java/de/cwansart/unipoll/VoteRepository.java

@@ -8,7 +8,7 @@
 public interface VoteRepository extends Repository<Vote, Long> {
 	Vote save(Vote vote);
 	Optional<Vote> findById(Long id);
-	Optional<Vote> findByIdAndUserId(Long id, String userId);
+	Optional<Vote> findByPollIdAndUserId(Long pollId, String userId);
 	List<Vote> findByPollId(Long pollId);
 	long countById(Long id);
 }

src/main/resources/application.properties

@@ -1,48 +1,54 @@
 spring.application.name=unipoll
 
 
-
-
-
-
-
-
-
-
-
+########################################################################
+# FOR LOCAL DEVELOPMENT
+########################################################################
+## default connection pool
+spring.datasource.hikari.connectionTimeout=20000
+spring.datasource.hikari.maximumPoolSize=5
+
+## PostgreSQL
+spring.datasource.url=jdbc:postgresql://localhost:5432/unipoll
+spring.datasource.username=unipoll
+spring.datasource.password=unipoll
+# create and drop table, good for testing, production set to none or comment it
+spring.jpa.hibernate.ddl-auto=create-drop
+
+#debug=true
 
 #spring.datasource.url=jdbc:h2:mem:testdb;MODE=PostgreSQL;
 #spring.datasource.driverClassName=org.h2.Driver
 #spring.datasource.username=sa
 #spring.datasource.password=password
 #spring.jpa.database-platform=org.hibernate.dialect.H2Dialect
-#
-#spring.jpa.show-sql=true
-#spring.jpa.properties.hibernate.format_sql=true
-#logging.level.org.hibernate.SQL=DEBUG
-#logging.level.org.hibernate.type.descriptor.sql.BasicBinder=TRACE
-#logging.level.org.hibernate.orm.jdbc.bind=TRACE
-#logging.level.org.hibernate.type=TRACE
-#
-#logging.level.org.hibernate=info
-## Statistics and slow queries
-#logging.level.org.hibernate.stat=debug
-#logging.level.org.hibernate.SQL_SLOW=info
-## 2nd Level Cache
-#logging.level.org.hibernate.cache=debug
-## Direct log messages to stdout
-#log4j.appender.stdout=org.apache.log4j.ConsoleAppender
-#log4j.appender.stdout.Target=System.out
-#log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
-#log4j.appender.stdout.layout.ConversionPattern=%d{ABSOLUTE} %5p %c{1}:%L - %m%n
-## Root logger option
-#log4j.rootLogger=INFO, stdout
-## Hibernate logging options (INFO only shows startup messages)
-#log4j.logger.org.hibernate=INFO
-## Log JDBC bind parameter runtime arguments
-#log4j.logger.org.hibernate.type=trace
-#
-#spring.h2.console.enabled=true
-#spring.h2.console.path=/h2-console
-#spring.h2.console.settings.trace=false
-#spring.h2.console.settings.web-allow-others=false
+
+spring.jpa.show-sql=true
+spring.jpa.properties.hibernate.format_sql=true
+logging.level.org.hibernate.SQL=DEBUG
+logging.level.org.hibernate.type.descriptor.sql.BasicBinder=TRACE
+logging.level.org.hibernate.orm.jdbc.bind=TRACE
+logging.level.org.hibernate.type=TRACE
+
+logging.level.org.hibernate=info
+# Statistics and slow queries
+logging.level.org.hibernate.stat=debug
+logging.level.org.hibernate.SQL_SLOW=info
+# 2nd Level Cache
+logging.level.org.hibernate.cache=debug
+# Direct log messages to stdout
+log4j.appender.stdout=org.apache.log4j.ConsoleAppender
+log4j.appender.stdout.Target=System.out
+log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
+log4j.appender.stdout.layout.ConversionPattern=%d{ABSOLUTE} %5p %c{1}:%L - %m%n
+# Root logger option
+log4j.rootLogger=INFO, stdout
+# Hibernate logging options (INFO only shows startup messages)
+log4j.logger.org.hibernate=INFO
+# Log JDBC bind parameter runtime arguments
+log4j.logger.org.hibernate.type=trace
+
+spring.h2.console.enabled=true
+spring.h2.console.path=/h2-console
+spring.h2.console.settings.trace=false
+spring.h2.console.settings.web-allow-others=false