From b2147537ca45030efac5ad647c31284377409d2d Mon Sep 17 00:00:00 2001 From: Sonali2109 Date: Sun, 27 Jul 2025 15:05:33 +0530 Subject: [PATCH] Handled Download API by not passing sensitive info --- .../controller/AuthController.java | 48 ++++--------------- .../controller/FileController.java | 11 +++-- .../dto/FileDownloadRequest.java | 23 +++++++++ .../skycrateBackend/services/FileService.java | 36 -------------- .../services/RefreshTokenService.java | 17 ------- 5 files changed, 38 insertions(+), 97 deletions(-) create mode 100644 src/main/java/com/skycrate/backend/skycrateBackend/dto/FileDownloadRequest.java diff --git a/src/main/java/com/skycrate/backend/skycrateBackend/controller/AuthController.java b/src/main/java/com/skycrate/backend/skycrateBackend/controller/AuthController.java index 4da9f45..8a30efa 100644 --- a/src/main/java/com/skycrate/backend/skycrateBackend/controller/AuthController.java +++ b/src/main/java/com/skycrate/backend/skycrateBackend/controller/AuthController.java @@ -9,10 +9,7 @@ import com.skycrate.backend.skycrateBackend.entity.RefreshToken; import com.skycrate.backend.skycrateBackend.entity.User; import com.skycrate.backend.skycrateBackend.repository.UserRepository; import com.skycrate.backend.skycrateBackend.security.TokenBlacklistService; -import com.skycrate.backend.skycrateBackend.services.AuthenticationService; -import com.skycrate.backend.skycrateBackend.services.JwtService; -import com.skycrate.backend.skycrateBackend.services.RateLimiterService; -import com.skycrate.backend.skycrateBackend.services.RefreshTokenService; +import com.skycrate.backend.skycrateBackend.services.*; import jakarta.servlet.http.HttpServletRequest; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -25,6 +22,7 @@ import org.springframework.web.bind.annotation.*; @RequestMapping("/api/auth") public class AuthController { + private static final Logger log = LoggerFactory.getLogger(FileService.class); private final AuthenticationManager authManager; private final JwtService jwtService; private final UserRepository userRepository; @@ -86,23 +84,6 @@ public class AuthController { return ResponseEntity.ok(new LoginResponse(accessToken, refreshToken.getToken())); } -// @PostMapping("/logout") -// public ResponseEntity logout(HttpServletRequest request) { -// String authHeader = request.getHeader("Authorization"); -// if (authHeader == null || !authHeader.startsWith("Bearer ")) { -// return ResponseEntity.badRequest().body("Missing or invalid Authorization header"); -// } -// -// String token = authHeader.substring(7); -// -// tokenBlacklistService.blacklistToken(token); -// -// String email = jwtService.extractUsername(token); -// userRepository.findByEmail(email).ifPresent(refreshTokenService::deleteByUser); -// -// return ResponseEntity.ok("Logged out successfully"); -// } - @PostMapping("/logout") public ResponseEntity logout(HttpServletRequest request) { String authHeader = request.getHeader("Authorization"); @@ -126,30 +107,15 @@ public class AuthController { return ResponseEntity.ok("Logged out successfully"); } -// @PostMapping("/refresh") -// public ResponseEntity refresh(@RequestBody TokenRefreshRequest request) { -// String requestToken = request.getRefreshToken(); -// -// return refreshTokenService.findByToken(requestToken) -// .map(token -> { -// if (refreshTokenService.isExpired(token)) { -// return ResponseEntity.status(403).body("Refresh token expired"); -// } -// -// User user = token.getUser(); -// String newAccessToken = jwtService.generateToken(user); -// return ResponseEntity.ok(new TokenRefreshResponse(newAccessToken, requestToken)); -// }) -// .orElseGet(() -> ResponseEntity.status(403).body("Invalid refresh token")); -// } - @PostMapping("/refresh") public ResponseEntity refresh(@RequestBody TokenRefreshRequest request) { String requestToken = request.getRefreshToken(); + log.error("Received refresh token: " + requestToken); return refreshTokenService.findByToken(requestToken) .map(token -> { if (refreshTokenService.isExpired(token)) { + log.error("Refresh token expired for user: " + token.getUser().getUsername()); // Clear the cached key on token expiry authenticationService.clearDecryptedPrivateKeyCache(token.getUser().getId().toString()); return ResponseEntity.status(403).body("Refresh token expired"); @@ -157,8 +123,12 @@ public class AuthController { User user = token.getUser(); String newAccessToken = jwtService.generateToken(user); + log.info("Generated new access token for user: " + user.getUsername()); return ResponseEntity.ok(new TokenRefreshResponse(newAccessToken, requestToken)); }) - .orElseGet(() -> ResponseEntity.status(403).body("Invalid refresh token")); + .orElseGet(() -> { + log.error("Invalid refresh token: " + requestToken); + return ResponseEntity.status(403).body("Invalid refresh token"); + }); } } \ No newline at end of file diff --git a/src/main/java/com/skycrate/backend/skycrateBackend/controller/FileController.java b/src/main/java/com/skycrate/backend/skycrateBackend/controller/FileController.java index 583094e..81eb19f 100644 --- a/src/main/java/com/skycrate/backend/skycrateBackend/controller/FileController.java +++ b/src/main/java/com/skycrate/backend/skycrateBackend/controller/FileController.java @@ -1,5 +1,6 @@ package com.skycrate.backend.skycrateBackend.controller; +import com.skycrate.backend.skycrateBackend.dto.FileDownloadRequest; import com.skycrate.backend.skycrateBackend.services.FileService; import com.skycrate.backend.skycrateBackend.services.JwtService; import jakarta.servlet.http.HttpServletRequest; @@ -39,20 +40,20 @@ public class FileController { } } - @GetMapping("/download/{filename}") + @GetMapping("/download") public ResponseEntity downloadFile( - @PathVariable String filename, - @RequestParam("password") String password, + @RequestBody FileDownloadRequest fileDownloadRequest, HttpServletRequest request ) { try { String token = extractToken(request); String username = jwtService.extractUsername(token); - byte[] decryptedData = fileService.downloadDecryptedFile(username, password, filename); + // Use the password and filename from the FileDownloadRequest DTO + byte[] decryptedData = fileService.downloadDecryptedFile(username, fileDownloadRequest.getPassword(), fileDownloadRequest.getFilename()); return ResponseEntity.ok() - .header(HttpHeaders.CONTENT_DISPOSITION, "attachment; filename=\"" + filename + "\"") + .header(HttpHeaders.CONTENT_DISPOSITION, "attachment; filename=\"" + fileDownloadRequest.getFilename() + "\"") .contentLength(decryptedData.length) .contentType(MediaType.APPLICATION_OCTET_STREAM) .body(decryptedData); diff --git a/src/main/java/com/skycrate/backend/skycrateBackend/dto/FileDownloadRequest.java b/src/main/java/com/skycrate/backend/skycrateBackend/dto/FileDownloadRequest.java new file mode 100644 index 0000000..b1ece08 --- /dev/null +++ b/src/main/java/com/skycrate/backend/skycrateBackend/dto/FileDownloadRequest.java @@ -0,0 +1,23 @@ +package com.skycrate.backend.skycrateBackend.dto; + +public class FileDownloadRequest { + private String filename; + private String password; + + // Getters and Setters + public String getFilename() { + return filename; + } + + public void setFilename(String filename) { + this.filename = filename; + } + + public String getPassword() { + return password; + } + + public void setPassword(String password) { + this.password = password; + } +} diff --git a/src/main/java/com/skycrate/backend/skycrateBackend/services/FileService.java b/src/main/java/com/skycrate/backend/skycrateBackend/services/FileService.java index 24655bc..91d3609 100644 --- a/src/main/java/com/skycrate/backend/skycrateBackend/services/FileService.java +++ b/src/main/java/com/skycrate/backend/skycrateBackend/services/FileService.java @@ -30,11 +30,6 @@ public class FileService { private final FileMetadataRepository fileMetadataRepository; private final UserRepository userRepository; -// public FileService(FileMetadataRepository fileMetadataRepository, UserRepository userRepository) { -// this.fileMetadataRepository = fileMetadataRepository; -// this.userRepository = userRepository; -// } - @Autowired public FileService(FileMetadataRepository fileMetadataRepository, UserRepository userRepository, AuthenticationService authenticationService) { this.fileMetadataRepository = fileMetadataRepository; @@ -91,37 +86,6 @@ public class FileService { } } -// public byte[] downloadDecryptedFile(String username, String password, String filename) throws Exception { -// log.info("Download request: user={}, file={}", username, filename); -// try { -// User user = userRepository.findByUsername(username) -// .orElseThrow(() -> new RuntimeException("User not found: " + username)); -// -// Path filePath = new Path("/" + username + "/" + filename); -// FileMetadata metadata = fileMetadataRepository.findByUsernameAndFilePath(username, filePath.toString()) -// .orElseThrow(() -> new RuntimeException("File metadata not found for: " + filePath)); -// -// SecretKey derivedKey = EncryptionUtil.deriveKey(password.toCharArray(), user.getPrivateKeySalt()); -// byte[] decryptedPrivateKeyBytes = EncryptionUtil.decrypt(user.getPrivateKey(), derivedKey, user.getPrivateKeyIv()); -// PrivateKey privateKey = RSAKeyUtil.decodePrivateKey(decryptedPrivateKeyBytes); -// -// byte[] aesKeyBytes = EncryptionUtil.decryptRSA(metadata.getEncryptedKey(), privateKey); -// SecretKey aesKey = EncryptionUtil.rebuildAESKey(aesKeyBytes); -// -// FileSystem fs = HDFSConfig.getHDFS(); -// byte[] encryptedData; -// try (FSDataInputStream in = fs.open(filePath)) { -// encryptedData = in.readAllBytes(); -// } -// -// return EncryptionUtil.decrypt(encryptedData, aesKey, metadata.getIv()); -// -// } catch (Exception e) { -// log.error("Download failed for user={}, file={}: {}", username, filename, e.getMessage(), e); -// throw e; -// } -// } - public byte[] downloadDecryptedFile(String username, String password, String filename) throws Exception { log.info("Download request: user={}, file={}", username, filename); try { diff --git a/src/main/java/com/skycrate/backend/skycrateBackend/services/RefreshTokenService.java b/src/main/java/com/skycrate/backend/skycrateBackend/services/RefreshTokenService.java index bedb9f5..64a928a 100644 --- a/src/main/java/com/skycrate/backend/skycrateBackend/services/RefreshTokenService.java +++ b/src/main/java/com/skycrate/backend/skycrateBackend/services/RefreshTokenService.java @@ -23,18 +23,6 @@ public class RefreshTokenService { this.refreshTokenRepo = refreshTokenRepo; } -// @Transactional -// public RefreshToken createRefreshToken(User user) { -// refreshTokenRepo.deleteByUser(user); -// refreshTokenRepo.flush(); -// -// RefreshToken token = new RefreshToken(); -// token.setUser(user); -// token.setExpiryDate(Instant.now().plusMillis(refreshTokenDurationMs)); -// token.setToken(UUID.randomUUID().toString()); -// return refreshTokenRepo.save(token); -// } - @Transactional public RefreshToken createRefreshToken(User user) { refreshTokenRepo.deleteByUser(user); @@ -55,11 +43,6 @@ public class RefreshTokenService { public boolean isExpired(RefreshToken token) { return token.getExpiryDate().isBefore(Instant.now()); } -// -// @Transactional -// public void deleteByUser(User user) { -// refreshTokenRepo.deleteByUser(user); -// } @Transactional public void deleteByUser(User user) {