From c72703ea328022ad9f78f5ea2a41434aa6b8313b Mon Sep 17 00:00:00 2001
From: akastijn <akastijn@alttd.com>
Date: Mon, 23 Jun 2025 21:34:54 +0200
Subject: [PATCH] Refactor user privilege handling to use `Optional` instead of
 null checks. Remove unused cache entries and update security configuration to
 refine access controls.

---
 .../altitudeweb/config/SecurityConfig.java    |  2 --
 .../controllers/login/LoginController.java    | 24 ++++++++-----------
 .../database/web_db/PrivilegedUserMapper.java |  4 +++-
 3 files changed, 13 insertions(+), 17 deletions(-)

diff --git a/backend/src/main/java/com/alttd/altitudeweb/config/SecurityConfig.java b/backend/src/main/java/com/alttd/altitudeweb/config/SecurityConfig.java
index 8973994..43b37b0 100644
--- a/backend/src/main/java/com/alttd/altitudeweb/config/SecurityConfig.java
+++ b/backend/src/main/java/com/alttd/altitudeweb/config/SecurityConfig.java
@@ -36,8 +36,6 @@ public class SecurityConfig {
     public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
         return http
             .authorizeHttpRequests(auth -> auth
-                .requestMatchers("/login/userLogin/**", "/login/requestNewUserLogin/**").permitAll()
-                .requestMatchers("/team/**", "/history/**").permitAll()
                 .requestMatchers("/form/**").hasAuthority(PermissionClaimDto.USER.getValue())
                 .requestMatchers("/head_mod/**").hasAuthority(PermissionClaimDto.HEAD_MOD.getValue())
                 .anyRequest().permitAll()
diff --git a/backend/src/main/java/com/alttd/altitudeweb/controllers/login/LoginController.java b/backend/src/main/java/com/alttd/altitudeweb/controllers/login/LoginController.java
index 282980a..91c53f5 100644
--- a/backend/src/main/java/com/alttd/altitudeweb/controllers/login/LoginController.java
+++ b/backend/src/main/java/com/alttd/altitudeweb/controllers/login/LoginController.java
@@ -83,8 +83,6 @@ public class LoginController implements LoginApi {
     @RateLimit(limit = 5, timeValue = 1, timeUnit = TimeUnit.MINUTES, key = "login")
     @Override
     public ResponseEntity<String> login(String code) {
-        CacheEntry cacheEntry1 = new CacheEntry(UUID.fromString("55e46bc3-2a29-4c53-850f-dbd944dc5c5f"), Instant.now().plusSeconds(TimeUnit.DAYS.toSeconds(1)));
-        cache.put("23232323", cacheEntry1);
         if (code == null) {
             return ResponseEntity.badRequest().build();
         }
@@ -134,12 +132,12 @@ public class LoginController implements LoginApi {
         Instant now = Instant.now();
         //TODO make a JWT for renewing and one for storing permissions for a session (expiry 1 hour)
         Instant expiryTime = now.plusSeconds(TimeUnit.DAYS.toSeconds(30));
-        CompletableFuture<PrivilegedUser> privilegedUserCompletableFuture = new CompletableFuture<>();
+        CompletableFuture<Optional<PrivilegedUser>> privilegedUserCompletableFuture = new CompletableFuture<>();
         List<PermissionClaimDto> claimList = new ArrayList<>();
         Connection.getConnection(Databases.DEFAULT)
                 .runQuery(sqlSession -> {
                     try {
-                        PrivilegedUser privilegedUser = sqlSession.getMapper(PrivilegedUserMapper.class)
+                        Optional<PrivilegedUser> privilegedUser = sqlSession.getMapper(PrivilegedUserMapper.class)
                                 .getUserByUuid(uuid.toString());
 
                         privilegedUserCompletableFuture.complete(privilegedUser);
@@ -148,17 +146,15 @@ public class LoginController implements LoginApi {
                         privilegedUserCompletableFuture.completeExceptionally(e);
                     }
                 });
-        PrivilegedUser privilegedUser = privilegedUserCompletableFuture.join();
+        Optional<PrivilegedUser> privilegedUser = privilegedUserCompletableFuture.join();
         claimList.add(PermissionClaimDto.USER);
-        if (privilegedUser != null) {
-            privilegedUser.getPermissions().forEach(permission -> {
-                try {
-                    claimList.add(PermissionClaimDto.valueOf(permission));
-                } catch (IllegalArgumentException e) {
-                    log.warn("Received invalid permission claim: {}", permission);
-                }
-            });
-        }
+        privilegedUser.ifPresent(user -> user.getPermissions().forEach(permission -> {
+            try {
+                claimList.add(PermissionClaimDto.valueOf(permission));
+            } catch (IllegalArgumentException e) {
+                log.warn("Received invalid permission claim: {}", permission);
+            }
+        }));
         JwtClaimsSet claims = JwtClaimsSet.builder()
                 .issuer("altitudeweb")
                 .claim("authorities", claimList.stream().map(PermissionClaimDto::getValue).toList())
diff --git a/database/src/main/java/com/alttd/altitudeweb/database/web_db/PrivilegedUserMapper.java b/database/src/main/java/com/alttd/altitudeweb/database/web_db/PrivilegedUserMapper.java
index 4bcad5d..e2842d2 100644
--- a/database/src/main/java/com/alttd/altitudeweb/database/web_db/PrivilegedUserMapper.java
+++ b/database/src/main/java/com/alttd/altitudeweb/database/web_db/PrivilegedUserMapper.java
@@ -1,8 +1,10 @@
 package com.alttd.altitudeweb.database.web_db;
 
 import org.apache.ibatis.annotations.*;
+import org.jetbrains.annotations.Nullable;
 
 import java.util.List;
+import java.util.Optional;
 
 public interface PrivilegedUserMapper {
 
@@ -23,7 +25,7 @@ public interface PrivilegedUserMapper {
             @Result(property = "permissions", column = "id", javaType = List.class,
                     many = @Many(select = "getPermissionsForUser"))
     })
-    PrivilegedUser getUserByUuid(@Param("uuid") String uuid);
+    Optional<PrivilegedUser> getUserByUuid(@Param("uuid") String uuid);
 
     /**
      * Retrieves all privileged users with their permissions