Login fixes (#881)

* init

* user and pass to just pass lang update

* session management fixes and avoid demo user locking

* Hardening suggestions for Stirling-PDF / loginFixes (#882)

Switch order of literals to prevent NullPointerException

Co-authored-by: pixeebot[bot] <104101892+pixeebot[bot]@users.noreply.github.com>

---------

Co-authored-by: pixeebot[bot] <104101892+pixeebot[bot]@users.noreply.github.com>

src/main/java/stirling/software/SPDF/config/security/CustomAuthenticationFailureHandler.java

@@ -1,6 +1,7 @@
 package stirling.software.SPDF.config.security;
 
 import java.io.IOException;
+import java.util.Optional;
 
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.authentication.BadCredentialsException;
@@ -12,15 +13,19 @@ import org.springframework.stereotype.Component;
 import jakarta.servlet.ServletException;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
+import stirling.software.SPDF.model.User;
 
 @Component
 public class CustomAuthenticationFailureHandler extends SimpleUrlAuthenticationFailureHandler {
 
     @Autowired private final LoginAttemptService loginAttemptService;
 
-    @Autowired
+    @Autowired private final UserService userService; // Inject the UserService
-    public CustomAuthenticationFailureHandler(LoginAttemptService loginAttemptService) {
+
+    public CustomAuthenticationFailureHandler(
+            LoginAttemptService loginAttemptService, UserService userService) {
         this.loginAttemptService = loginAttemptService;
+        this.userService = userService;
     }
 
     @Override
@@ -33,17 +38,27 @@ public class CustomAuthenticationFailureHandler extends SimpleUrlAuthenticationF
         logger.error("Failed login attempt from IP: " + ip);
 
         String username = request.getParameter("username");
-        if (loginAttemptService.loginAttemptCheck(username)) {
+        if (!isDemoUser(username)) {
-            setDefaultFailureUrl("/login?error=locked");
+            if (loginAttemptService.loginAttemptCheck(username)) {
-
-        } else {
-            if (exception.getClass().isAssignableFrom(BadCredentialsException.class)) {
-                setDefaultFailureUrl("/login?error=badcredentials");
-            } else if (exception.getClass().isAssignableFrom(LockedException.class)) {
                 setDefaultFailureUrl("/login?error=locked");
+
+            } else {
+                if (exception.getClass().isAssignableFrom(LockedException.class)) {
+                    setDefaultFailureUrl("/login?error=locked");
+                }
             }
         }
+        if (exception.getClass().isAssignableFrom(BadCredentialsException.class)) {
+            setDefaultFailureUrl("/login?error=badcredentials");
+        }
 
         super.onAuthenticationFailure(request, response, exception);
     }
+
+    private boolean isDemoUser(String username) {
+        Optional<User> user = userService.findByUsername(username);
+        return user.isPresent()
+                && user.get().getAuthorities().stream()
+                        .anyMatch(authority -> "ROLE_DEMO_USER".equals(authority.getAuthority()));
+    }
 }

src/main/java/stirling/software/SPDF/config/security/SecurityConfiguration.java

@@ -21,6 +21,7 @@ import org.springframework.security.web.authentication.rememberme.PersistentToke
 import org.springframework.security.web.savedrequest.NullRequestCache;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 
+import jakarta.servlet.http.HttpSession;
 import stirling.software.SPDF.repository.JPATokenRepositoryImpl;
 
 @Configuration
@@ -78,7 +79,7 @@ public class SecurityConfiguration {
                                             .defaultSuccessUrl("/")
                                             .failureHandler(
                                                     new CustomAuthenticationFailureHandler(
-                                                            loginAttemptService))
+                                                            loginAttemptService, userService))
                                             .permitAll())
                     .requestCache(requestCache -> requestCache.requestCache(new NullRequestCache()))
                     .logout(
@@ -87,7 +88,19 @@ public class SecurityConfiguration {
                                                     new AntPathRequestMatcher("/logout"))
                                             .logoutSuccessUrl("/login?logout=true")
                                             .invalidateHttpSession(true) // Invalidate session
-                                            .deleteCookies("JSESSIONID", "remember-me"))
+                                            .deleteCookies("JSESSIONID", "remember-me")
+                                            .addLogoutHandler(
+                                                    (request, response, authentication) -> {
+                                                        HttpSession session =
+                                                                request.getSession(
+                                                                        false); 
+                                                        if (session != null) {
+                                                            String sessionId = session.getId();
+                                                            sessionRegistry()
+                                                                    .removeSessionInformation(
+                                                                            sessionId);
+                                                        }
+                                                    }))
                     .rememberMe(
                             rememberMeConfigurer ->
                                     rememberMeConfigurer // Use the configurator directly