marcel/mealprep
1
0
Fork 0
Code Issues 22 Pull Requests Actions Packages Projects Releases Wiki Activity

refactor(auth): extract authenticateInSession to AuthService

Browse Source 
Remove duplicated private authenticateInSession from AuthController and
HouseholdController. Add a single public implementation on AuthService
with session fixation protection built in. HouseholdController now
injects AuthService and passes role "user" for invite-accepted accounts.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Marcel Raddatz
2026-04-10 22:24:58 +02:00
parent 73af11e84b
commit 0b182a33fd
4 changed files with 37 additions and 49 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
backend/src/main/java/com/recipeapp/household/HouseholdController.java
View File

@@ -1,17 +1,12 @@
package com.recipeapp.household;
import com.recipeapp.auth.entity.UserAccount;
import com.recipeapp.auth.AuthService;
import com.recipeapp.common.ApiResponse;
import com.recipeapp.household.dto.*;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.validation.Valid;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.web.bind.annotation.*;
import java.security.Principal;
@@ -24,9 +19,11 @@ import java.util.UUID;
public class HouseholdController {
private final HouseholdService householdService;
private final AuthService authService;
public HouseholdController(HouseholdService householdService) {
public HouseholdController(HouseholdService householdService, AuthService authService) {
this.householdService = householdService;
this.authService = authService;
}
@PostMapping("/households")
@@ -91,21 +88,7 @@ public class HouseholdController {
HttpServletRequest httpRequest) {
AcceptInviteResponse response = householdService.acceptInvite(
code, request.name(), request.email(), request.password());
authenticateInSession(request.email(), httpRequest);
authService.authenticateInSession(request.email(), "user", httpRequest);
return ResponseEntity.ok(ApiResponse.success(response));
}
private void authenticateInSession(String email, HttpServletRequest request) {
var oldSession = request.getSession(false);
if (oldSession != null) {
oldSession.invalidate();
}
var auth = UsernamePasswordAuthenticationToken.authenticated(
email, null, List.of(new SimpleGrantedAuthority("ROLE_USER")));
SecurityContext context = SecurityContextHolder.createEmptyContext();
context.setAuthentication(auth);
SecurityContextHolder.setContext(context);
request.getSession(true).setAttribute(
HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY, context);
}
}