1 files changed, 69 insertions, 28 deletions

diff --git a/src/main/java/org/traccar/api/resource/SessionResource.java b/src/main/java/org/traccar/api/resource/SessionResource.java
index e3c5d457f..7025d5fa7 100644
--- a/src/main/java/org/traccar/api/resource/SessionResource.java
+++ b/src/main/java/org/traccar/api/resource/SessionResource.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2015 Anton Tananaev (anton@traccar.org)
+ * Copyright 2015 - 2022 Anton Tananaev (anton@traccar.org)
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -15,14 +15,20 @@
  */
 package org.traccar.api.resource;
 
-import org.traccar.Context;
 import org.traccar.api.BaseResource;
+import org.traccar.api.security.LoginService;
+import org.traccar.api.signature.TokenManager;
 import org.traccar.helper.DataConverter;
-import org.traccar.helper.ServletHelper;
 import org.traccar.helper.LogAction;
+import org.traccar.helper.ServletHelper;
 import org.traccar.model.User;
+import org.traccar.storage.StorageException;
+import org.traccar.storage.query.Columns;
+import org.traccar.storage.query.Condition;
+import org.traccar.storage.query.Request;
 
 import javax.annotation.security.PermitAll;
+import javax.inject.Inject;
 import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletRequest;
 import javax.ws.rs.Consumes;
@@ -31,16 +37,18 @@ import javax.ws.rs.FormParam;
 import javax.ws.rs.GET;
 import javax.ws.rs.POST;
 import javax.ws.rs.Path;
+import javax.ws.rs.PathParam;
 import javax.ws.rs.Produces;
 import javax.ws.rs.QueryParam;
 import javax.ws.rs.WebApplicationException;
+import javax.ws.rs.core.Context;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;
-
-import java.io.UnsupportedEncodingException;
+import java.io.IOException;
 import java.net.URLDecoder;
 import java.nio.charset.StandardCharsets;
-import java.sql.SQLException;
+import java.security.GeneralSecurityException;
+import java.util.Date;
 
 @Path("session")
 @Produces(MediaType.APPLICATION_JSON)
@@ -51,60 +59,86 @@ public class SessionResource extends BaseResource {
     public static final String USER_COOKIE_KEY = "user";
     public static final String PASS_COOKIE_KEY = "password";
 
-    @javax.ws.rs.core.Context
+    @Inject
+    private LoginService loginService;
+
+    @Inject
+    private TokenManager tokenManager;
+
+    @Context
     private HttpServletRequest request;
 
     @PermitAll
     @GET
-    public User get(@QueryParam("token") String token) throws SQLException, UnsupportedEncodingException {
+    public User get(@QueryParam("token") String token) throws StorageException, IOException, GeneralSecurityException {
+
+        if (token != null) {
+            User user = loginService.login(token);
+            if (user != null) {
+                request.getSession().setAttribute(USER_ID_KEY, user.getId());
+                LogAction.login(user.getId(), ServletHelper.retrieveRemoteAddress(request));
+                return user;
+            }
+        }
+
         Long userId = (Long) request.getSession().getAttribute(USER_ID_KEY);
         if (userId == null) {
+
             Cookie[] cookies = request.getCookies();
             String email = null, password = null;
             if (cookies != null) {
                 for (Cookie cookie : cookies) {
                     if (cookie.getName().equals(USER_COOKIE_KEY)) {
                         byte[] emailBytes = DataConverter.parseBase64(
-                                URLDecoder.decode(cookie.getValue(), StandardCharsets.US_ASCII.name()));
+                                URLDecoder.decode(cookie.getValue(), StandardCharsets.US_ASCII));
                         email = new String(emailBytes, StandardCharsets.UTF_8);
                     } else if (cookie.getName().equals(PASS_COOKIE_KEY)) {
                         byte[] passwordBytes = DataConverter.parseBase64(
-                                URLDecoder.decode(cookie.getValue(), StandardCharsets.US_ASCII.name()));
+                                URLDecoder.decode(cookie.getValue(), StandardCharsets.US_ASCII));
                         password = new String(passwordBytes, StandardCharsets.UTF_8);
                     }
                 }
             }
             if (email != null && password != null) {
-                User user = Context.getPermissionsManager().login(email, password);
-                if (user != null) {
-                    userId = user.getId();
-                    request.getSession().setAttribute(USER_ID_KEY, userId);
-                }
-            } else if (token != null) {
-                User user = Context.getUsersManager().getUserByToken(token);
+                User user = loginService.login(email, password);
                 if (user != null) {
-                    userId = user.getId();
-                    request.getSession().setAttribute(USER_ID_KEY, userId);
+                    request.getSession().setAttribute(USER_ID_KEY, user.getId());
+                    LogAction.login(user.getId(), ServletHelper.retrieveRemoteAddress(request));
+                    return user;
                 }
             }
-        }
 
-        if (userId != null) {
-            Context.getPermissionsManager().checkUserEnabled(userId);
-            return Context.getPermissionsManager().getUser(userId);
         } else {
-            throw new WebApplicationException(Response.status(Response.Status.NOT_FOUND).build());
+
+            User user = permissionsService.getUser(userId);
+            if (user != null) {
+                return user;
+            }
+
         }
+
+        throw new WebApplicationException(Response.status(Response.Status.NOT_FOUND).build());
+    }
+
+    @Path("{id}")
+    @GET
+    public User get(@PathParam("id") long userId) throws StorageException {
+        permissionsService.checkAdmin(getUserId());
+        User user = storage.getObject(User.class, new Request(
+                new Columns.All(), new Condition.Equals("id", userId)));
+        request.getSession().setAttribute(USER_ID_KEY, user.getId());
+        LogAction.login(user.getId(), ServletHelper.retrieveRemoteAddress(request));
+        return user;
     }
 
     @PermitAll
     @POST
     public User add(
-            @FormParam("email") String email, @FormParam("password") String password) throws SQLException {
-        User user = Context.getPermissionsManager().login(email, password);
+            @FormParam("email") String email, @FormParam("password") String password) throws StorageException {
+        User user = loginService.login(email, password);
         if (user != null) {
             request.getSession().setAttribute(USER_ID_KEY, user.getId());
-            LogAction.login(user.getId());
+            LogAction.login(user.getId(), ServletHelper.retrieveRemoteAddress(request));
             return user;
         } else {
             LogAction.failedLogin(ServletHelper.retrieveRemoteAddress(request));
@@ -114,9 +148,16 @@ public class SessionResource extends BaseResource {
 
     @DELETE
     public Response remove() {
-        LogAction.logout(getUserId());
+        LogAction.logout(getUserId(), ServletHelper.retrieveRemoteAddress(request));
         request.getSession().removeAttribute(USER_ID_KEY);
         return Response.noContent().build();
     }
 
+    @Path("token")
+    @POST
+    public String requestToken(
+            @FormParam("expiration") Date expiration) throws StorageException, GeneralSecurityException, IOException {
+        return tokenManager.generateToken(getUserId(), expiration);
+    }
+
 }