#102: DataTransferPublicSession.kt

#102: DataTransferPublicSession.kt

plugins/org.projectforge.plugins.datatransfer/src/main/kotlin/org/projectforge/plugins/datatransfer/restPublic/DataTransferPublicSession.kt

Type: Kotlin · Role: Plugin Registration · Source: plugins/org.projectforge.plugins.datatransfer/src/main/kotlin/org/projectforge/plugins/datatransfer/restPublic/DataTransferPublicSession.kt 281 lines · 216 code · 46 comments · 19 blank

REST API endpoint for DataTransferPublicSession. Handles HTTP requests and returns JSON responses for the React frontend.

Code Structure

Functions (9): checkLogin, login, checkDataBaseEntry, register, unregister, logout, isOwnerOfFile, registerFileAsOwner, getSessionMap

Properties (28): id, accessToken, password, userInfo, ownedFiles, dataTransferArea, failedAccessMessage, dataTransferAreaDao, data, area, errorMessage, loginProtection, clientIpAddress, offset, seconds, numberOfFailedAttempts, loginResultStatus, dbo, errorMessage, map, map, id, data, map, data...

Source Code (abridged)

package org.projectforge.plugins.datatransfer.restPublic import com.fasterxml.jackson.annotation.JsonIgnore import mu.KotlinLogging import org.projectforge.business.login.LoginProtection import org.projectforge.business.login.LoginResultStatus import org.projectforge.framework.ToStringUtil import org.projectforge.framework.i18n.translate import org.projectforge.plugins.datatransfer.DataTransferAreaDO import org.projectforge.plugins.datatransfer.DataTransferAreaDao import org.projectforge.rest.config.RestUtils import org.springframework.beans.factory.annotation.Autowired import org.springframework.stereotype.Service import jakarta.servlet.http.HttpServletRequest private val log = KotlinLogging.logger {} /** * A minimal session handling for avoiding annoying re-logins for external users of the data transfer tool. */ @Service class DataTransferPublicSession { internal class TransferAreaData( var id: Long, var accessToken: String, @JsonIgnore var password: String?, var userInfo: String?, var ownedFiles: MutableList<String> = mutableListOf() ) internal class CheckAccessResult( val dataTransferArea: DataTransferAreaDO? = null, val failedAccessMessage: String? = null ) @Autowired private lateinit var dataTransferAreaDao: DataTransferAreaDao /** * Checks if the user has a valid entry (accessToken/password) in his session. * @param areaId Search area by id in user's session. * @param accessToken Search area by accessToken in user's session. */ internal fun checkLogin( request: HttpServletRequest, areaId: Long? = null, accessToken: String? = null ): Pair<DataTransferAreaDO, TransferAreaData>? { check(areaId != null || !accessToken.isNullOrBlank()) val data = if (areaId != null) { getSessionMap(request)?.get(areaId) } else { getSessionMap(request)?.entries?.find { it.value.accessToken == accessToken }?.value } ?: return null val area = dataTransferAreaDao.getAnonymousArea(data.accessToken) ?: return null val errorMessage = checkDataBaseEntry(request, area, data.id, data.accessToken, data.password, data.userInfo) if (errorMessage != null) { unregister(request, data.id) // Unregister, force re-login. return null } log.info { "External user info restored from session: ${ToStringUtil.toJsonString(data)}, ip=${ RestUtils.getClientIp( request ) }" } return Pair(area, data) } /** * Tries to log-in the user. Uses LoginProtection. Doesn't check if the user is already logged-in. * The session id will be changed (session fixation), but any previous logged-in area will be put in the new session. */ internal fun login( request: HttpServletRequest, accessToken: String?, password: String?, userInfo: String? ): CheckAccessResult { if (accessToken == null || password == null) { return CheckAccessResult(failedAccessMessage = LoginResultStatus.FAILED.localizedMessage) } val loginProtection = LoginProtection.instance() val clientIpAddress = RestUtils.getClientIp(request) val offset = loginProtection.getFailedLoginTimeOffsetIfExists(accessToken, clientIpAddress) if (offset > 0) { // Time offset still exists. Ignore login try. val seconds = (offset / 1000).toString() log.warn("The account for '${accessToken}', ip=$clientIpAddress, userInfo='$userInfo' is locked for $seconds seconds due to failed login attempts. Please try again later.") val numberOfFailedAttempts = loginProtection.getNumberOfFailedLoginAttempts(accessToken, clientIpAddress) val loginResultStatus = LoginResultStatus.LOGIN_TIME_OFFSET loginResultStatus.setMsgParams( seconds, numberOfFailedAttempts.toString() ) return CheckAccessResult(failedAccessMessage = loginResultStatus.localizedMessage) } val dbo = dataTransferAreaDao.getAnonymousArea(accessToken) if (dbo == null) { log.warn { "Data transfer area with externalAccessToken '$accessToken' not found. Requested by ip=$clientIpAddress, userInfo='$userInfo'." } loginProtection.incrementFailedLoginTimeOffset(accessToken, clientIpAddress) return CheckAccessResult(failedAccessMessage = LoginResultStatus.FAILED.localizedMessage) } val errorMessage = checkDataBaseEntry(request, dbo, dbo.id!!, accessToken, password, userInfo) if (errorMessage != null) { loginProtection.incrementFailedLoginTimeOffset(accessToken, clientIpAddress) return CheckAccessResult(failedAccessMessage = errorMessage) } // Successfully logged in: loginProtection.clearLoginTimeOffset(accessToken, null, clientIpAddress) log.info { "Data transfer area with externalAccessToken '$accessToken': login successful by ip=$clientIpAddress, userInfo='$userInfo'." } // Session Fixation: Change JSESSIONID after login (due to security reasons / XSS attack on login page) request.getSession(false)?.let { session -> if (!session.isNew) { val map = getSessionMap(request) // ... (truncated, total 259 lines)

Git History

868d6abb7 2025 -> 2026
63081666f Source file headers: 2024-> 2025.
4c04cfd65 MAJOR-CHANGE! Migration of integer id's to Long id's (including fk's etc.)
77bade6df javax.* -> jakarta.*
b6092df09 Copyright 2023 -> 2024