fixed the one_session_per_user feature

Erudika · Nov 25, 2021 · 41d4fc6 · 41d4fc6
1 parent ac7389e
commit 41d4fc6
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 10 deletions.
diff --git a/para-server/src/main/java/com/erudika/para/security/SecurityUtils.java b/para-server/src/main/java/com/erudika/para/security/SecurityUtils.java
@@ -21,6 +21,7 @@
 import com.erudika.para.core.App;
 import com.erudika.para.core.ParaObject;
 import com.erudika.para.core.User;
+import com.erudika.para.core.utils.CoreUtils;
 import com.erudika.para.rest.Signer;
 import com.erudika.para.security.filters.SAMLAuthFilter;
 import com.erudika.para.utils.BufferedRequestWrapper;
@@ -271,7 +272,7 @@ public static SignedJWT generateJWToken(User user, App app) {
 				if (user != null) {
 					if ("true".equals(SecurityUtils.getSettingForApp(app, "security.one_session_per_user", "true"))) {
 						user.resetTokenSecret();
-						Para.getDAO().update(user);
+						CoreUtils.getInstance().overwrite(app.getAppIdentifier(), user);
 					}
 					claimsSet.subject(user.getId());
 					claimsSet.claim("idp", user.getIdentityProvider());

diff --git a/para-server/src/main/java/com/erudika/para/security/SimpleAuthenticationSuccessHandler.java b/para-server/src/main/java/com/erudika/para/security/SimpleAuthenticationSuccessHandler.java
@@ -62,18 +62,10 @@ public void onAuthenticationSuccess(HttpServletRequest request, HttpServletRespo
 				if (app.isRootApp() && StringUtils.isBlank(customURI)) {
 					customURI = Config.getConfigParam("security.signin_success", "/");
 				}
-				SignedJWT newJWT = null;
 				if (StringUtils.contains(customURI, "jwt=?")) {
-					newJWT = SecurityUtils.generateJWToken(u, app);
+					SignedJWT newJWT = SecurityUtils.generateJWToken(u, app);
 					customURI = customURI.replace("jwt=?", "jwt=" + newJWT.serialize());
 				}
-				if (StringUtils.contains(customURI, "jwt-cookie=")) {
-					String cookieName = StringUtils.substringAfter(customURI, "jwt-cookie=");
-					cookieName = StringUtils.isBlank(cookieName) ? Config.getRootAppIdentifier() + "-jwt" : cookieName;
-					newJWT = (newJWT == null) ? SecurityUtils.generateJWToken(u, app) : newJWT;
-					HttpUtils.setAuthCookie(cookieName, newJWT.serialize(),
-							app.getTokenValiditySec().intValue(), request, response);
-				}
 				if (!StringUtils.isBlank(customURI)) {
 					redirectStrategy.sendRedirect(request, response, customURI);
 					return;

diff --git a/para-server/src/main/java/com/erudika/para/utils/HttpUtils.java b/para-server/src/main/java/com/erudika/para/utils/HttpUtils.java
@@ -139,6 +139,14 @@ public static String getCookieValue(HttpServletRequest req, String name) {
 		return null;
 	}
 
+	/**
+	 * Sets the auth cookie.
+	 * @param name name
+	 * @param value value
+	 * @param maxAge maxAge
+	 * @param request request
+	 * @param response response
+	 */
 	public static void setAuthCookie(String name, String value, int maxAge,
 			HttpServletRequest request, HttpServletResponse response) {
 		String expires = DateFormatUtils.format(System.currentTimeMillis() + (maxAge * 1000),