change token do httpOnly

Author: HernandoJunior

src/main/java/com/virtusconsultoria/configsecurity/SecurityConfig.java

@@ -78,6 +78,12 @@ public SecurityFilterChain filtrarCadeiaDeSeguranca(HttpSecurity httpSecurity) t
                         .requestMatchers(HttpMethod.GET, "/propostas/**").authenticated()
                         .requestMatchers(HttpMethod.GET, "/clientes/**").authenticated()
 
+                        // SecurityConfig.java
+                        .requestMatchers(HttpMethod.POST, "/auth/login").permitAll()
+                        .requestMatchers(HttpMethod.POST, "/auth/refresh").permitAll()
+                        .requestMatchers(HttpMethod.GET, "/auth/me").authenticated()
+                        .requestMatchers(HttpMethod.POST, "/auth/logout").authenticated()
+
                         // Qualquer outra requisição precisa de autenticação
                         .anyRequest().authenticated()
                 )
@@ -110,16 +116,14 @@ public PasswordEncoder passwordEncoder() {
     public CorsConfigurationSource corsConfigurationSource() {
         CorsConfiguration configuration = new CorsConfiguration();
         configuration.setAllowedOrigins(Arrays.asList(
+                "http://localhost:5173",
                 "http://localhost:8081",
                 "http://localhost:8080",
-                "http://localhost:8080/",
-                "http://localhost:8081/",
-                "http://192.168.0.38:8080/",
-                "https://front-end-virtus.vercel.app/"
+                "https://front-end-virtus.vercel.app"
         ));
         configuration.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE", "OPTIONS"));
         configuration.setAllowedHeaders(Arrays.asList("*"));
-        configuration.setAllowCredentials(true);
+        configuration.setAllowCredentials(true); // CRUCIAL para cookies
 
         UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
         source.registerCorsConfiguration("/**", configuration);

src/main/java/com/virtusconsultoria/configsecurity/TokenService.java

@@ -1,42 +1,67 @@
+// src/main/java/com/virtusconsultoria/configsecurity/TokenService.java
 package com.virtusconsultoria.configsecurity;
 
 import com.auth0.jwt.JWT;
 import com.auth0.jwt.algorithms.Algorithm;
 import com.auth0.jwt.exceptions.JWTCreationException;
 import com.auth0.jwt.exceptions.JWTVerificationException;
-import com.virtusconsultoria.model.Administrador;
-import com.virtusconsultoria.model.Colaborador;
+import com.virtusconsultoria.model.RefreshToken;
+import com.virtusconsultoria.repository.RefreshTokenRepository;
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.stereotype.Service;
+import org.springframework.transaction.annotation.Transactional;
 
 import java.time.Instant;
 import java.time.LocalDateTime;
 import java.time.ZoneOffset;
+import java.util.Optional;
+import java.util.UUID;
 
 @Service
 public class TokenService {
 
     @Value("${minha.chave.secreta}")
     private String palavraSecreta;
 
-    public String gerarToken(UserDetails userDetails){
-        System.out.println("Gerando token para: " + userDetails.getUsername());
+    @Autowired
+    private RefreshTokenRepository refreshTokenRepository;
+
+    // Access Token: 15 minutos
+    public String gerarAccessToken(UserDetails userDetails) {
         try {
             Algorithm algoritmo = Algorithm.HMAC256(palavraSecreta);
-            String token = JWT.create()
+            return JWT.create()
                     .withIssuer("virtus-api")
                     .withSubject(userDetails.getUsername())
-                    .withExpiresAt(gerarDataDeExpiracao())
+                    .withExpiresAt(gerarDataExpiracaoAccessToken())
                     .sign(algoritmo);
-
-            return token;
         } catch (JWTCreationException erro) {
-            return erro.getMessage();
+            throw new RuntimeException("Erro ao gerar access token", erro);
         }
     }
 
-    public String validarToken(String token){
+    // Refresh Token: 7 dias (armazenado no banco)
+    @Transactional
+    public String gerarRefreshToken(String userEmail) {
+        // Revoga tokens anteriores do usuário
+        refreshTokenRepository.revokeAllByUserEmail(userEmail);
+
+        // Cria novo refresh token
+        RefreshToken refreshToken = RefreshToken.builder()
+                .token(UUID.randomUUID().toString())
+                .userEmail(userEmail)
+                .expiryDate(Instant.now().plusSeconds(7 * 24 * 60 * 60)) // 7 dias
+                .createdAt(Instant.now())
+                .revoked(false)
+                .build();
+
+        refreshTokenRepository.save(refreshToken);
+        return refreshToken.getToken();
+    }
+
+    public String validarAccessToken(String token) {
         try {
             Algorithm algoritmo = Algorithm.HMAC256(palavraSecreta);
             return JWT.require(algoritmo)
@@ -45,12 +70,30 @@ public String validarToken(String token){
                     .verify(token)
                     .getSubject();
         } catch (JWTVerificationException erro) {
-            return erro.getMessage();
+            return null;
         }
     }
 
-    public Instant gerarDataDeExpiracao(){
-        return LocalDateTime.now().plusHours(16).toInstant(ZoneOffset.of("-03:00"));
+    @Transactional
+    public Optional<String> validarRefreshToken(String token) {
+        return refreshTokenRepository.findByToken(token)
+                .filter(rt -> !rt.isRevoked())
+                .filter(rt -> rt.getExpiryDate().isAfter(Instant.now()))
+                .map(RefreshToken::getUserEmail);
+    }
+
+    @Transactional
+    public void revogarRefreshToken(String token) {
+        refreshTokenRepository.findByToken(token)
+                .ifPresent(rt -> {
+                    rt.setRevoked(true);
+                    refreshTokenRepository.save(rt);
+                });
     }
 
-}
+    private Instant gerarDataExpiracaoAccessToken() {
+        return LocalDateTime.now()
+                .plusMinutes(15) // 15 minutos
+                .toInstant(ZoneOffset.of("-03:00"));
+    }
+}

src/main/java/com/virtusconsultoria/configsecurity/VerificarToken.java

@@ -1,8 +1,10 @@
+// src/main/java/com/virtusconsultoria/configsecurity/VerificarToken.java
 package com.virtusconsultoria.configsecurity;
 
 import com.virtusconsultoria.service.AuthorizationService;
 import jakarta.servlet.FilterChain;
 import jakarta.servlet.ServletException;
+import jakarta.servlet.http.Cookie;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
@@ -12,8 +14,8 @@
 import org.springframework.web.filter.OncePerRequestFilter;
 
 import java.io.IOException;
+import java.util.Arrays;
 
-//Anotação usada para falar ao string que ele deve gerenciar essa classe
 @Component
 public class VerificarToken extends OncePerRequestFilter {
 
@@ -29,28 +31,34 @@ public VerificarToken(TokenService tokenService, AuthorizationService authorizat
     protected void doFilterInternal(
             HttpServletRequest request,
             HttpServletResponse response,
-            FilterChain filterChain) throws ServletException, IOException
-    {
-        var token = this.recuperarToken(request);
-        if(token != null){
-            var login = tokenService.validarToken(token);
-            if (!login.isEmpty()) {
-                // Use o serviço unificado para carregar o usuário
+            FilterChain filterChain) throws ServletException, IOException {
+
+        String token = recuperarTokenDoCookie(request);
+
+        if (token != null) {
+            String login = tokenService.validarAccessToken(token);
+
+            if (login != null) {
                 UserDetails user = authorizationService.loadUserByUsername(login);
                 var authentication = new UsernamePasswordAuthenticationToken(
-                        user,
-                        null,
-                        user.getAuthorities());
-
+                        user, null, user.getAuthorities()
+                );
                 SecurityContextHolder.getContext().setAuthentication(authentication);
             }
         }
+
         filterChain.doFilter(request, response);
     }
 
-    private String recuperarToken(HttpServletRequest request){
-        var authHeader = request.getHeader("Authorization");
-        if(authHeader == null) return null;
-        return authHeader.replace("Bearer ", "");
+    private String recuperarTokenDoCookie(HttpServletRequest request) {
+        Cookie[] cookies = request.getCookies();
+        if (cookies != null) {
+            return Arrays.stream(cookies)
+                    .filter(cookie -> "accessToken".equals(cookie.getName()))
+                    .map(Cookie::getValue)
+                    .findFirst()
+                    .orElse(null);
+        }
+        return null;
     }
 }

src/main/java/com/virtusconsultoria/controllers/AuthenticationController.java

@@ -1,3 +1,4 @@
+// src/main/java/com/virtusconsultoria/controllers/AuthenticationController.java
 package com.virtusconsultoria.controllers;
 
 import com.virtusconsultoria.configsecurity.TokenService;
@@ -9,6 +10,10 @@
 import com.virtusconsultoria.model.Administrador;
 import com.virtusconsultoria.model.Colaborador;
 import com.virtusconsultoria.model.Supervisor;
+import com.virtusconsultoria.service.AuthorizationService;
+import jakarta.servlet.http.Cookie;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
 import jakarta.validation.Valid;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatus;
@@ -19,6 +24,8 @@
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.web.bind.annotation.*;
 
+import java.util.Map;
+
 @RestController
 @RequestMapping("/auth")
 public class AuthenticationController {
@@ -29,30 +36,114 @@ public class AuthenticationController {
     @Autowired
     private TokenService tokenService;
 
+    @Autowired
+    private AuthorizationService authorizationService;
+
     @PostMapping("/login")
-    @ResponseStatus(HttpStatus.CREATED)
-    public ResponseEntity<LoginUserResponse> login(@RequestBody @Valid LoginRequestDto loginDto) {
-        var usernamePassword = new UsernamePasswordAuthenticationToken(loginDto.email(), loginDto.senha());
-        Authentication auth = this.authenticationManager.authenticate(usernamePassword);
+    @ResponseStatus(HttpStatus.OK)
+    public ResponseEntity<LoginUserResponse> login(
+            @RequestBody @Valid LoginRequestDto loginDto,
+            HttpServletResponse response
+    ) {
+        var usernamePassword = new UsernamePasswordAuthenticationToken(
+                loginDto.email(),
+                loginDto.senha()
+        );
+        Authentication auth = authenticationManager.authenticate(usernamePassword);
+
+        UserDetails userDetails = (UserDetails) auth.getPrincipal();
+
+        // Gera tokens
+        String accessToken = tokenService.gerarAccessToken(userDetails);
+        String refreshToken = tokenService.gerarRefreshToken(userDetails.getUsername());
+
+        // Define cookies httpOnly
+        Cookie accessCookie = criarCookie("accessToken", accessToken, 15 * 60); // 15 min
+        Cookie refreshCookie = criarCookie("refreshToken", refreshToken, 7 * 24 * 60 * 60); // 7 dias
+
+        response.addCookie(accessCookie);
+        response.addCookie(refreshCookie);
+
+        // Retorna dados públicos do usuário
+        Object userResponseDto = montarUserResponse(auth.getPrincipal());
+
+        return ResponseEntity.ok(new LoginUserResponse(null, userResponseDto));
+    }
+
+    @PostMapping("/refresh")
+    public ResponseEntity<?> refresh(
+            @CookieValue(name = "refreshToken", required = false) String refreshToken,
+            HttpServletResponse response
+    ) {
+        if (refreshToken == null) {
+            return ResponseEntity.status(HttpStatus.UNAUTHORIZED)
+                    .body("Refresh token não fornecido");
+        }
+
+        return tokenService.validarRefreshToken(refreshToken)
+                .map(email -> {
+                    UserDetails userDetails = authorizationService.loadUserByUsername(email);
+                    String newAccessToken = tokenService.gerarAccessToken(userDetails);
+
+                    Cookie accessCookie = criarCookie("accessToken", newAccessToken, 15 * 60);
+                    response.addCookie(accessCookie);
 
-        System.out.println("UserNamePassword" + usernamePassword);
-        
-        // Gera o token com o usuário autenticado (que pode ser de qualquer tipo)
-        var token = tokenService.gerarToken((UserDetails) auth.getPrincipal());
+                    return ResponseEntity.ok().body("Token renovado com sucesso");
+                })
+                .orElseGet(() -> ResponseEntity.status(HttpStatus.UNAUTHORIZED)
+                        .body("Refresh token inválido ou expirado"));
+    }
+
+    @PostMapping("/logout")
+    public ResponseEntity<?> logout(
+            @CookieValue(name = "refreshToken", required = false) String refreshToken,
+            HttpServletResponse response
+    ) {
+        // Revoga refresh token
+        if (refreshToken != null) {
+            tokenService.revogarRefreshToken(refreshToken);
+        }
+
+        // Limpa cookies
+        Cookie accessCookie = criarCookie("accessToken", "", 0);
+        Cookie refreshCookie = criarCookie("refreshToken", "", 0);
+
+        response.addCookie(accessCookie);
+        response.addCookie(refreshCookie);
+
+        return ResponseEntity.ok("Logout realizado com sucesso");
+    }
 
-        // Pega o objeto principal (o usuário completo)
-        Object principal = auth.getPrincipal();
-        Object userResponseDto = null;
+    @GetMapping("/me")
+    public ResponseEntity<?> getCurrentUser(Authentication authentication) {
+        if (authentication == null || !authentication.isAuthenticated()) {
+            return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
+        }
+
+        Object principal = authentication.getPrincipal();
+        Object userResponseDto = montarUserResponse(principal);
+
+        return ResponseEntity.ok(Map.of("user", userResponseDto));
+    }
 
-        // Verifica qual é o tipo do usuário para criar o DTO de resposta correto
+    private Cookie criarCookie(String nome, String valor, int maxAge) {
+        Cookie cookie = new Cookie(nome, valor);
+        cookie.setHttpOnly(true);
+        cookie.setSecure(true); // HTTPS apenas em produção
+        cookie.setPath("/");
+        cookie.setMaxAge(maxAge);
+        cookie.setAttribute("SameSite", "Strict");
+        return cookie;
+    }
+
+    private Object montarUserResponse(Object principal) {
         if (principal instanceof Administrador user) {
-            userResponseDto = new AdministradorResponseDto(user);
+            return new AdministradorResponseDto(user);
         } else if (principal instanceof Supervisor user) {
-            userResponseDto = new SupervisorResponseDto(user);
+            return new SupervisorResponseDto(user);
         } else if (principal instanceof Colaborador user) {
-            userResponseDto = new ColaboradorResponseDto(user);
+            return new ColaboradorResponseDto(user);
         }
-
-        return ResponseEntity.ok(new LoginUserResponse(token, userResponseDto));
+        return null;
     }
 }

src/main/java/com/virtusconsultoria/dtos/cliente/ClienteResponseDto.java

@@ -8,7 +8,8 @@
 
 public record ClienteResponseDto (
         Long ID_CLIENTE,
-        Colaborador colaborador,
+        String nomeColaborador,
+        Long ID_COLABORADOR,
         String nome,
         String cpf,
         String email,
@@ -39,7 +40,8 @@ public record ClienteResponseDto (
     public ClienteResponseDto(Clientes clientes){
         this(
                 clientes.getID_CLIENTE(),
-                clientes.getColaborador(),
+                clientes.getColaborador().getNome(),
+                clientes.getColaborador().getID_COLABORADOR(),
                 clientes.getNome(),
                 clientes.getCpf(),
                 clientes.getEmail(),