No CSRF Token loaded from session store.

Explorer | Level 3

5 years ago

import lombok.RequiredArgsConstructor;
import mz.co.instite.certifications.organization.domain.Organization;
import mz.co.instite.certifications.organization.infrastructure.persistence.OrganizationRepository;
import mz.co.instite.certifications.user.domain.User;
import mz.co.instite.certifications.user.domain.UserRole;
import mz.co.instite.certifications.user.infrastructure.UserRepository;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;

@Controller
@RequestMapping(path = "/api/v1/oauth/dbx")
@RequiredArgsConstructor
@CrossOrigin
public class DbxOauthController {
    private final DbxFileSystem dbxFileSystem;
    private final UserRepository userRepository;
    private final OrganizationRepository organizationRepository;
    private User user;

    @GetMapping("/start")
    public ResponseEntity<?> authStart(HttpServletRequest request) {

            Map<?, ?> authResponse = dbxFileSystem.authorize(request);
            String authorizeUrl = (String) authResponse.get("authorizeUrl");

            if (Objects.nonNull(authorizeUrl)) {
                //response.sendRedirect(authorizeUrl);
                return ResponseEntity.ok(authorizeUrl);
            }
            return ResponseEntity.badRequest().body("Falha ao autorizar o pedido.");


    }

    @GetMapping("/finish")
    @ResponseBody
    public ResponseEntity<Map<String, Object>> authFinish(HttpServletRequest request) {
        try {
            Map<String, Object> token = dbxFileSystem.getTokenFromUri(request);
            setAccessToken((String)token.get("accessToken"),(String)token.get("refreshToken"));
            return ResponseEntity.ok(token);
        } catch (Exception e) {
            return ResponseEntity.status(HttpStatus.FORBIDDEN).body(exceptionToResponse(e.getMessage()));
        }
    }
}

import com.dropbox.core.*;
import com.dropbox.core.v2.DbxClientV2;
import com.dropbox.core.v2.DbxPathV2;
import com.dropbox.core.v2.files.*;
import mz.co.instite.certifications.infrastructure.fileSystem.FileResponse;
import org.springframework.beans.factory.annotation.Autowired;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Paths;
import java.util.*;
import java.util.stream.Collectors;

public class DbxFileSystem {
    @Autowired
    HttpServletRequest request;

    private final DbxRequestConfig requestConfig;
    private final String redirectUri;
    private DbxPKCEWebAuth pkceWebAuth;
    private final String sessionKey = "dbx-auth-csrf-token";
    private final String storagePath;
    private DbxAppInfo appInfo;
    private String accessToken;

    public DbxFileSystem(String appKey, String redirectUri, String storagePath) {
        this.requestConfig = DbxRequestConfig.newBuilder("insite-certifications").build();
        this.redirectUri = redirectUri;
        this.appInfo = new DbxAppInfo(appKey);
        this.pkceWebAuth = new DbxPKCEWebAuth(requestConfig, appInfo);
        this.storagePath = storagePath.startsWith("/") ? storagePath : "/" + storagePath;
        this.accessToken = "";
    }

    /**
     * Authorizes a user using OAuth2 PKCE
     *
     * @param appKey
     * @return
     */
    public Map<String, ?> authorize(String appKey) {
        this.appInfo = new DbxAppInfo(appKey);
        return authorize();
    }

    public Map<String, ?> authorize() {
        DbxSessionStore sessionStore = new DbxStandardSessionStore(request.getSession(), sessionKey);
        DbxWebAuth.Request authRequest = DbxWebAuth.newRequestBuilder()
                .withRedirectUri(redirectUri, sessionStore)
                .withScope(Arrays.asList("files.content.read","files.content.write"))
                //.withTokenAccessType(TokenAccessType.ONLINE)
                .build();

        Map<String, String> response = new HashMap<>();
        try {
            response.put("authorizeUrl", pkceWebAuth.authorize(authRequest));
        }catch (java.lang.IllegalStateException e){
            pkceWebAuth = new DbxPKCEWebAuth(requestConfig, appInfo);
            response.put("authorizeUrl", pkceWebAuth.authorize(authRequest));
        };

        return response;
    }

    public Map<String, ?> authorize(HttpServletRequest request) {
        this.request = request;
        return authorize();
    }

    public Map<String, Object> getTokenFromUri(HttpServletRequest request) throws DbxException, DbxWebAuth.NotApprovedException, DbxWebAuth.BadRequestException, DbxWebAuth.BadStateException, DbxWebAuth.CsrfException, DbxWebAuth.ProviderException {
        DbxAuthFinish response = pkceWebAuth.finishFromRedirect(redirectUri, new DbxStandardSessionStore(request.getSession(), sessionKey), request.getParameterMap());
        Map<String, Object> tokens = new HashMap<>();
        tokens.put("accessToken", response.getAccessToken());
        tokens.put("refreshToken", response.getRefreshToken());
        return tokens;
    }
}

Forum Discussion

No CSRF Token loaded from session store.

About Dropbox API Support & Feedback

Related Content

Dropbox Paper images aren't loaded on the web

Dropbox website not loading. Why?

Loading Dropbox in Windows 11

socket.timeout issue even with session upload

Log out of all sessions

Recent Discussions

Shared Link - Download in .NET

Dropbox API server root certificate changes for .Net

GetCurrentAccountAsync API Failing for some Team Members while using Impersonation

Find DBID on Local PC

How to replace a non-existent permanent token? Any auto-refresh alternative for automation?