updates

chtrembl · Nov 9, 2023 · f2a9c7b · f2a9c7b
1 parent d98de8b
commit f2a9c7b
Show file tree

Hide file tree

Showing 2 changed files with 71 additions and 57 deletions.
diff --git a/...tore/petstoreapp/src/main/java/com/chtrembl/petstoreapp/controller/RestAPIController.java b/...tore/petstoreapp/src/main/java/com/chtrembl/petstoreapp/controller/RestAPIController.java
@@ -1,5 +1,6 @@
 package com.chtrembl.petstoreapp.controller;
 
+import java.net.http.HttpRequest;
 import java.util.Map;
 import java.util.Optional;
 
@@ -9,6 +10,7 @@
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.MediaType;
 import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
+import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
 import org.springframework.ui.Model;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PostMapping;
@@ -49,9 +51,14 @@ public String sessionid() {
 		return this.sessionUser.getSessionId();
 	}
 
-	// helper api call for soul machines dp demo...
-	@PostMapping(value = "/api/updatecart", produces = MediaType.TEXT_HTML_VALUE)
-	public String updatecart(Model model, OAuth2AuthenticationToken token, @RequestParam Map<String, String> params) {
+	// helper api call for soul machines dp demo... POST URL Encoding intermittent missing headers with POST/FORM Encoding hence the GET hack with UUID
+	@GetMapping(value = "/api/updatecart", produces = MediaType.TEXT_HTML_VALUE)
+	public String updatecart(Model model, @RequestParam Map<String, String> params, HttpServletRequest request) {
+		if(params.get("csrf") == null || !params.get("csrf").equals(new HttpSessionCsrfTokenRepository().loadToken(request).getToken().toString()))
+		{
+			return "Invalid CSRF token";
+		}
+
 		this.sessionUser.getTelemetryClient().trackEvent(
 				String.format("PetStoreApp user %s requesting update cart", this.sessionUser.getName()),
 				this.sessionUser.getCustomEventProperties(), null);
@@ -78,36 +85,7 @@ public String updatecart(Model model, OAuth2AuthenticationToken token, @RequestP
 		return "success";
 	}
 
-	// helper api call for soul machines dp demo...
-	@PostMapping(value = "/api/completecart", produces = MediaType.TEXT_HTML_VALUE)
-	public String completecart(Model model, OAuth2AuthenticationToken token, @RequestParam Map<String, String> params) {
-		this.sessionUser.getTelemetryClient().trackEvent(
-				String.format("PetStoreApp user %s requesting complete cart", this.sessionUser.getName()),
-				this.sessionUser.getCustomEventProperties(), null);
-
-		try
-		{
-			this.petStoreService.updateOrder(0, 0, true);
-			return "I just completed your order.";
-		}
-		catch (Exception e)
-		{
-			return "I'm sorry, I was unable to complete your order.";
-		}
-	}
-
-	// helper api call for soul machines dp demo...
-	@GetMapping(value = "/api/cartcount", produces = MediaType.TEXT_HTML_VALUE)
-	public String cartcount() {
-
-		this.sessionUser.getTelemetryClient().trackEvent(
-				String.format("PetStoreApp user %s requesting cart count", this.sessionUser.getName()),
-				this.sessionUser.getCustomEventProperties(), null);
-
-		return String.valueOf(this.sessionUser.getCartCount());
-	}
-
-	// helper api call for soul machines dp demo...
+	// helper api call for soul machines dp demo... POST URL Encoding intermittent missing headers with POST/FORM Encoding hence the GET hack with UUID
 	@GetMapping(value = "/api/viewcart", produces = MediaType.TEXT_HTML_VALUE)
 	public String viewcart() {
 		this.sessionUser.getTelemetryClient().trackEvent(
@@ -133,6 +111,45 @@ public String viewcart() {
 		return sb.toString();
 	}
 
+	// helper api call for soul machines dp demo... POST URL Encoding intermittent missing headers with POST/FORM Encoding hence the GET hack with UUID
+	@GetMapping(value = "/api/completecart", produces = MediaType.TEXT_HTML_VALUE)
+	public String completecart(Model model, @RequestParam Map<String, String> params, HttpServletRequest request, OAuth2AuthenticationToken token) {
+		if(params.get("csrf") == null || !params.get("csrf").equals(new HttpSessionCsrfTokenRepository().loadToken(request).getToken().toString()))
+		{
+			return "Invalid CSRF token";
+		}
+
+		this.sessionUser.getTelemetryClient().trackEvent(
+				String.format("PetStoreApp user %s requesting complete cart", this.sessionUser.getName()),
+				this.sessionUser.getCustomEventProperties(), null);
+
+		if(token == null)
+		{
+			return "You must be logged in to complete your order.";
+		}
+
+		try
+		{
+			this.petStoreService.updateOrder(0, 0, true);
+			return "I just completed your order.";
+		}
+		catch (Exception e)
+		{
+			return "I'm sorry, I was unable to complete your order.";
+		}
+	}
+
+	// helper api call for soul machines dp demo...
+	@GetMapping(value = "/api/cartcount", produces = MediaType.TEXT_HTML_VALUE)
+	public String cartcount() {
+
+		this.sessionUser.getTelemetryClient().trackEvent(
+				String.format("PetStoreApp user %s requesting cart count", this.sessionUser.getName()),
+				this.sessionUser.getCustomEventProperties(), null);
+
+		return String.valueOf(this.sessionUser.getCartCount());
+	}
+
 	@GetMapping(value = "/introspectionSimulation", produces = MediaType.APPLICATION_JSON_VALUE)
 	public String introspectionSimulation(Model model, HttpServletRequest request,
 			@RequestParam(name = "sessionIdToIntrospect") Optional<String> sessionIdToIntrospect) {

diff --git a/...petstoreassistant/src/main/java/com/chtrembl/petstoreassistant/service/AzurePetStore.java b/...petstoreassistant/src/main/java/com/chtrembl/petstoreassistant/service/AzurePetStore.java
@@ -8,10 +8,8 @@
 import com.chtrembl.petstoreassistant.model.AzurePetStoreSessionInfo;
 import com.chtrembl.petstoreassistant.model.DPResponse;
 
-import okhttp3.MediaType;
 import okhttp3.OkHttpClient;
 import okhttp3.Request;
-import okhttp3.RequestBody;
 import okhttp3.Response;
 
 @Service
@@ -21,31 +19,29 @@ public class AzurePetStore implements IAzurePetStore {
         @Autowired
         private ICosmosDB cosmosDB;
 
-        // investigate why Web Client wasnt working
+        // investigate why GET is needed instead of POST
+        // POST URL Encoding intermittent missing headers with POST/FORM Encoding hence
+        // the GET hack with UUID
         private OkHttpClient client = new OkHttpClient().newBuilder().build();
 
         private String UPDATE_CART_URL = "https://azurepetstore.com/api/updatecart";
         private String VIEW_CART_URL = "https://azurepetstore.com/api/viewcart";
         private String COMPLETE_CART_URL = "https://azurepetstore.com/api/completecart";
-
 
         @Override
         public DPResponse updateCart(AzurePetStoreSessionInfo azurePetStoreSessionInfo, String productId) {
                 DPResponse dpResponse = new DPResponse();
 
                 try {
-
-                        MediaType mediaType = MediaType.parse("application/x-www-form-urlencoded");
-                        RequestBody body = RequestBody.create(mediaType,
-                                        "_csrf=" + azurePetStoreSessionInfo.getCsrfToken() + "&productId=" + productId);
                         Request request = new Request.Builder()
-                                        .url(this.UPDATE_CART_URL)
-                                        .method("POST", body)
+                                        .url(this.UPDATE_CART_URL + "?csrf=" + azurePetStoreSessionInfo.getCsrfToken()
+                                                        + "&productId=" + productId)
+                                        .method("GET", null)
                                         .addHeader("Cookie", "JSESSIONID=" + azurePetStoreSessionInfo.getSessionID())
-                                        .addHeader("Content-Type", "application/x-www-form-urlencoded")
+                                        .addHeader("Content-Type", "text/html")
                                         .build();
 
-                        client.newCall(request).execute();
+                        this.client.newCall(request).execute();
 
                         LOGGER.info("Updated cart with product id: " + productId + " for session id: "
                                         + azurePetStoreSessionInfo.getSessionID() + " csrf: "
@@ -61,7 +57,8 @@ public DPResponse updateCart(AzurePetStoreSessionInfo azurePetStoreSessionInfo,
                                         + azurePetStoreSessionInfo.getSessionID() + " " + e.getMessage());
                         dpResponse.setDpResponseText("I'm sorry, I wasn't able to add the "
                                         + this.cosmosDB.getCachedProducts().get(productId).getName()
-                                        + " to your cart. "+azurePetStoreSessionInfo.getSessionID()+"|"+azurePetStoreSessionInfo.getCsrfToken());
+                                        + " to your cart. " + azurePetStoreSessionInfo.getSessionID() + "|"
+                                        + azurePetStoreSessionInfo.getCsrfToken());
                 }
 
                 return dpResponse;
@@ -79,7 +76,7 @@ public DPResponse viewCart(AzurePetStoreSessionInfo azurePetStoreSessionInfo) {
                                         .addHeader("Content-Type", "text/html")
                                         .build();
 
-                        Response response = client.newCall(request).execute();
+                        Response response = this.client.newCall(request).execute();
 
                         LOGGER.info("Retrieved cart items for session id: "
                                         + azurePetStoreSessionInfo.getSessionID() + " csrf: "
@@ -91,7 +88,9 @@ public DPResponse viewCart(AzurePetStoreSessionInfo azurePetStoreSessionInfo) {
                 } catch (Exception e) {
                         LOGGER.error("Error retrieving cart items for session id: "
                                         + azurePetStoreSessionInfo.getSessionID() + " " + e.getMessage());
-                        dpResponse.setDpResponseText("I'm sorry, I wasn't able to retrieve your shopping cart. "+azurePetStoreSessionInfo.getSessionID()+"|"+azurePetStoreSessionInfo.getCsrfToken());
+                        dpResponse.setDpResponseText("I'm sorry, I wasn't able to retrieve your shopping cart. "
+                                        + azurePetStoreSessionInfo.getSessionID() + "|"
+                                        + azurePetStoreSessionInfo.getCsrfToken());
                 }
 
                 return dpResponse;
@@ -102,18 +101,14 @@ public DPResponse completeCart(AzurePetStoreSessionInfo azurePetStoreSessionInfo
                 DPResponse dpResponse = new DPResponse();
 
                 try {
-
-                        MediaType mediaType = MediaType.parse("application/x-www-form-urlencoded");
-                        RequestBody body = RequestBody.create(mediaType,
-                                        "_csrf=" + azurePetStoreSessionInfo.getCsrfToken());
                         Request request = new Request.Builder()
-                                        .url(this.COMPLETE_CART_URL)
-                                        .method("POST", body)
+                                        .url(this.COMPLETE_CART_URL + "?csrf=" + azurePetStoreSessionInfo.getCsrfToken())
+                                        .method("GET", null)
                                         .addHeader("Cookie", "JSESSIONID=" + azurePetStoreSessionInfo.getSessionID())
-                                        .addHeader("Content-Type", "application/x-www-form-urlencoded")
+                                        .addHeader("Content-Type", "text/html")
                                         .build();
 
-                        Response response = client.newCall(request).execute();
+                        Response response = this.client.newCall(request).execute();
 
                         LOGGER.info("Completed cart for session id: "
                                         + azurePetStoreSessionInfo.getSessionID() + " csrf: "
@@ -125,7 +120,9 @@ public DPResponse completeCart(AzurePetStoreSessionInfo azurePetStoreSessionInfo
                 } catch (Exception e) {
                         LOGGER.error("Error completing cart for session id: "
                                         + azurePetStoreSessionInfo.getSessionID() + " " + e.getMessage());
-                        dpResponse.setDpResponseText("I'm sorry, I wasn't able to place your order. "+azurePetStoreSessionInfo.getSessionID()+"|"+azurePetStoreSessionInfo.getCsrfToken());
+                        dpResponse.setDpResponseText("I'm sorry, I wasn't able to place your order. "
+                                        + azurePetStoreSessionInfo.getSessionID() + "|"
+                                        + azurePetStoreSessionInfo.getCsrfToken());
                 }
 
                 return dpResponse;