-
Notifications
You must be signed in to change notification settings - Fork 44
Expand file tree
/
Copy pathDevLoginController.java
More file actions
90 lines (80 loc) · 3.72 KB
/
Copy pathDevLoginController.java
File metadata and controls
90 lines (80 loc) · 3.72 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
package com.digitalsanctuary.spring.user.dev;
import java.util.List;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.context.annotation.Profile;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
import com.digitalsanctuary.spring.user.persistence.model.User;
import com.digitalsanctuary.spring.user.persistence.repository.UserRepository;
import com.digitalsanctuary.spring.user.service.UserService;
import com.digitalsanctuary.spring.user.util.JSONResponse;
import lombok.RequiredArgsConstructor;
import lombok.extern.slf4j.Slf4j;
/**
* Development-only controller providing quick login-as functionality.
* <p>
* This controller is only active when the "local" Spring profile is active AND
* {@code user.dev.auto-login-enabled} is set to {@code true}. It allows developers
* to quickly switch between user accounts without entering passwords.
* </p>
* <p>
* <strong>SECURITY WARNING:</strong> This controller must NEVER be enabled in
* production environments. It bypasses all password authentication.
* </p>
*/
@Slf4j
@RestController
@RequestMapping("/dev")
@RequiredArgsConstructor
@Profile("local")
@ConditionalOnProperty(name = "user.dev.auto-login-enabled", havingValue = "true", matchIfMissing = false)
public class DevLoginController {
private final UserService userService;
private final UserRepository userRepository;
private final DevLoginConfigProperties devLoginConfigProperties;
/**
* Logs in as the specified user by email without requiring a password.
* After successful authentication, returns a redirect response to the configured URL.
*
* @param email the email of the user to log in as
* @return a redirect response on success, or an error response with 404/403 status
*/
@GetMapping("/login-as/{email}")
public ResponseEntity<JSONResponse> loginAs(@PathVariable String email) {
log.warn("Dev login attempt for user: {}", email);
User user = userService.findUserByEmail(email);
if (user == null) {
log.warn("Dev login failed: user not found for email: {}", email);
return ResponseEntity.status(HttpStatus.NOT_FOUND)
.body(JSONResponse.builder().success(false).message("User not found: " + email).code(404).build());
}
if (!user.isEnabled()) {
log.warn("Dev login failed: user is disabled: {}", email);
return ResponseEntity.status(HttpStatus.FORBIDDEN)
.body(JSONResponse.builder().success(false).message("User is disabled: " + email).code(403)
.build());
}
userService.authWithoutPassword(user);
log.warn("Dev login successful for user: {}", email);
return ResponseEntity.status(HttpStatus.FOUND)
.header("Location", devLoginConfigProperties.getLoginRedirectUrl())
.build();
}
/**
* Lists all enabled user emails available for dev login.
*
* @return a JSONResponse containing the list of enabled user emails
*/
@GetMapping("/users")
public ResponseEntity<JSONResponse> listUsers() {
List<String> enabledEmails = userRepository.findAllByEnabledTrue().stream()
.map(User::getEmail)
.toList();
return ResponseEntity.ok(JSONResponse.builder().success(true)
.message("Found " + enabledEmails.size() + " enabled users").data(enabledEmails).build());
}
}