Prevents Hunters from accessing hunt information before it starts

Reviewed-on: #5

Dockerfile

@@ -3,7 +3,7 @@ WORKDIR /app
 COPY gradlew .
 COPY gradle/ gradle/
 COPY build.gradle.kts settings.gradle.kts ./
-RUN ./gradlew dependencies --no-daemon
+RUN chmod +x gradlew && ./gradlew dependencies --no-daemon
 COPY src/ src/
 RUN ./gradlew bootJar --no-daemon
 

docker-compose.yml

@@ -1,20 +1,13 @@
-# All services use host networking so inter-service traffic goes over loopback with no bridge overhead.
-# Ports (all bound directly on the host):
-#   API:           8080
-#   MariaDB:       3306
-#   Adminer:       8888
-#   MinIO API:     9000
-#   MinIO Console: 9001
-
 services:
   mariadb:
-    image: mariadb:11
+    image: mariadb
-    network_mode: host
     environment:
-      MYSQL_ROOT_PASSWORD: ${DB_ROOT_PASSWORD}
+      MARIADB_ROOT_PASSWORD: ${DB_ROOT_PASSWORD}
-      MYSQL_DATABASE: ${DB_NAME}
+      MARIADB_DATABASE: ${DB_NAME}
-      MYSQL_USER: ${DB_USER}
+      MARIADB_USER: ${DB_USER}
-      MYSQL_PASSWORD: ${DB_PASSWORD}
+      MARIADB_PASSWORD: ${DB_PASSWORD}
+    ports:
+      - 3306:3306
     volumes:
       - mariadb_data:/var/lib/mysql
     healthcheck:
@@ -24,55 +17,54 @@ services:
       timeout: 5s
       retries: 5
     restart: unless-stopped
-
   adminer:
     image: adminer
-    network_mode: host
+    ports:
-    command: php -S [::]:8888 -t /var/www/html
+      - 8080:8080
     restart: unless-stopped
-
   minio:
     image: minio/minio
-    network_mode: host
+    command: server /data --console-address ":9001"
-    command: server /data --console-address :9001
     environment:
       MINIO_ROOT_USER: ${MINIO_ACCESS_KEY}
       MINIO_ROOT_PASSWORD: ${MINIO_SECRET_KEY}
+    ports:
+      - 15900:9000 # API
+      - 15901:9001 # Web UI
     volumes:
       - minio_data:/data
     healthcheck:
-      test: ["CMD", "curl", "-f", "http://localhost:9000/minio/health/live"]
+      test: ["CMD", "curl", "-f", "http://192.168.187.181:15900/minio/health/live"]
       start_period: 10s
       interval: 10s
       timeout: 5s
       retries: 5
     restart: unless-stopped
-
   api:
-    build: .
+    image: git.halfbinary.net/aarbit/scavengerhunt-api:2
-    network_mode: host
     environment:
-      DB_URL: jdbc:mariadb://localhost:3306/${DB_NAME}
+      DB_URL: jdbc:mariadb://192.168.187.181:3306/${DB_NAME}
       DB_USER: ${DB_USER}
       DB_PASSWORD: ${DB_PASSWORD}
       JWT_SECRET: ${JWT_SECRET}
-      MINIO_ENDPOINT: http://localhost:9000
+      MINIO_ENDPOINT: http://192.168.187.181:15900
       MINIO_ACCESS_KEY: ${MINIO_ACCESS_KEY}
       MINIO_SECRET_KEY: ${MINIO_SECRET_KEY}
       MINIO_BUCKET: ${MINIO_BUCKET}
+    ports:
+      - 15808:8080
     depends_on:
       mariadb:
         condition: service_healthy
       minio:
         condition: service_healthy
     healthcheck:
-      test: ["CMD", "curl", "-f", "http://localhost:8080/actuator/health"]
+      test: ["CMD", "curl", "-f", "http://192.168.187.181:15808/actuator/health"]
       start_period: 30s
       interval: 15s
       timeout: 5s
       retries: 5
     restart: unless-stopped
-
 volumes:
   mariadb_data:
   minio_data:

src/main/kotlin/net/halfbinary/scavengerhuntapi/config/JwtUtil.kt

@@ -27,9 +27,10 @@ class JwtUtil {
     }
 
     // Generate JWT token
-    fun generateToken(email: String): String {
+    fun generateToken(email: String, isAdmin: Boolean): String {
         return Jwts.builder()
             .subject(email)
+            .claim("isAdmin", isAdmin)
             .issuedAt(Date())
             .expiration(Date(System.currentTimeMillis() + jwtExpirationMs))
             .signWith(key)

src/main/kotlin/net/halfbinary/scavengerhuntapi/config/SecurityConfig.kt

@@ -7,7 +7,6 @@ import org.springframework.security.authentication.AuthenticationManager
 import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration
 import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity
 import org.springframework.security.config.annotation.web.builders.HttpSecurity
-import org.springframework.security.config.annotation.web.configurers.CorsConfigurer
 import org.springframework.security.config.annotation.web.configurers.CsrfConfigurer
 import org.springframework.security.config.annotation.web.configurers.ExceptionHandlingConfigurer
 import org.springframework.security.config.annotation.web.configurers.SessionManagementConfigurer
@@ -16,6 +15,10 @@ import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder
 import org.springframework.security.crypto.password.PasswordEncoder
 import org.springframework.security.web.SecurityFilterChain
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter
+import org.springframework.web.cors.CorsConfiguration
+import org.springframework.web.cors.CorsConfigurationSource
+import org.springframework.web.cors.UrlBasedCorsConfigurationSource
+
 
 
 @Configuration
@@ -48,13 +51,25 @@ class SecurityConfig(private val authEntrypointJwt: AuthEntrypointJwt,
         return BCryptPasswordEncoder()
     }
 
+    @Bean
+    fun corsConfigurationSource(): CorsConfigurationSource {
+        val config = CorsConfiguration()
+        config.allowedOriginPatterns = listOf("*")
+        config.allowedMethods = listOf("GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS")
+        config.allowedHeaders = listOf("*")
+        config.allowCredentials = true
+        val source = UrlBasedCorsConfigurationSource()
+        source.registerCorsConfiguration("/**", config)
+        return source
+    }
+
     @Bean
     @Throws(Exception::class)
     fun securityFilterChain(http: HttpSecurity): SecurityFilterChain? {
         // Updated configuration for Spring Security 6.x
         http
-            .csrf { csrf: CsrfConfigurer<HttpSecurity> -> csrf.disable() } // Disable CSRF
+            .csrf { csrf: CsrfConfigurer<HttpSecurity> -> csrf.disable() }
-            .cors { cors: CorsConfigurer<HttpSecurity> -> cors.disable() } // Disable CORS (or configure if needed)
+            .cors { cors -> cors.configurationSource(corsConfigurationSource()) }
             .exceptionHandling { exceptionHandling: ExceptionHandlingConfigurer<HttpSecurity> ->
                 exceptionHandling.authenticationEntryPoint(
                     authEntrypointJwt
@@ -67,7 +82,7 @@ class SecurityConfig(private val authEntrypointJwt: AuthEntrypointJwt,
             }
             .authorizeHttpRequests { authorizeRequests ->
                 authorizeRequests
-                    .requestMatchers("/auth/**", "/signup", "/docs/**")
+                    .requestMatchers("/auth/**", "/signup", "/docs/**", "/actuator/**")
                     .permitAll()
                     .anyRequest().authenticated()
             }

src/main/kotlin/net/halfbinary/scavengerhuntapi/controller/AuthController.kt

@@ -24,9 +24,9 @@ class AuthController(private val loginService: LoginService, private val jwtUtil
     @PostMapping("/login")
     fun login(@Valid @RequestBody body: LoginRequest): ResponseEntity<LoginResponse> {
         val result = loginService.login(body.toDomain())
-        val accessToken = jwtUtils.generateToken(result.email)
+        val accessToken = jwtUtils.generateToken(result.email, result.isAdmin)
         val refreshToken  = refreshTokenService.generateRefreshToken(result.email)
-        val loginResponse = LoginResponse(accessToken, refreshToken)
+        val loginResponse = LoginResponse(accessToken, refreshToken, result.name)
         return ResponseEntity.ok(loginResponse)
     }
 

src/main/kotlin/net/halfbinary/scavengerhuntapi/controller/HunterController.kt

@@ -16,7 +16,6 @@ import org.springframework.web.bind.annotation.GetMapping
 import org.springframework.web.bind.annotation.PathVariable
 import org.springframework.web.bind.annotation.PostMapping
 import org.springframework.web.bind.annotation.RequestMapping
-import org.springframework.web.bind.annotation.RequestParam
 import org.springframework.web.bind.annotation.RestController
 
 @RestController
@@ -27,13 +26,13 @@ class HunterController(private val hunterService: HunterService,
 
     @GetMapping("/hunt/ongoing")
     @Operation(summary = "Gets list of all currently running Hunts (filtered by the calling hunter)")
-    fun getOngoingHunts(authentication: Authentication, @RequestParam status: HuntStatus?): ResponseEntity<List<HuntResponse>> {
+    fun getOngoingHunts(authentication: Authentication): ResponseEntity<List<HuntResponse>> {
         val email = authentication.name
         val isAdmin = hunterService.getHunterByEmail(email).isAdmin
         return if(isAdmin) {
             ResponseEntity.ok(huntService.getAllHunts(HuntStatus.ONGOING).map { it.toResponse() })
         } else {
-            ResponseEntity.ok(huntService.getHuntsByEmail(email, status).map { it.toResponse() })
+            ResponseEntity.ok(huntService.getHuntsByEmail(email, HuntStatus.ONGOING).map { it.toResponse() })
         }
     }
 

src/main/kotlin/net/halfbinary/scavengerhuntapi/controller/ItemController.kt

@@ -8,11 +8,15 @@ import net.halfbinary.scavengerhuntapi.model.ItemId
 import net.halfbinary.scavengerhuntapi.model.converter.toDomain
 import net.halfbinary.scavengerhuntapi.model.converter.toResponse
 import net.halfbinary.scavengerhuntapi.model.request.ItemRequest
+import net.halfbinary.scavengerhuntapi.model.request.ItemUpdateRequest
 import net.halfbinary.scavengerhuntapi.model.response.ItemResponse
 import net.halfbinary.scavengerhuntapi.service.HuntService
 import org.springframework.http.ResponseEntity
 import org.springframework.security.access.prepost.PreAuthorize
+import org.springframework.security.core.Authentication
+import org.springframework.web.bind.annotation.DeleteMapping
 import org.springframework.web.bind.annotation.GetMapping
+import org.springframework.web.bind.annotation.PatchMapping
 import org.springframework.web.bind.annotation.PathVariable
 import org.springframework.web.bind.annotation.PostMapping
 import org.springframework.web.bind.annotation.RequestBody
@@ -24,8 +28,8 @@ import org.springframework.web.bind.annotation.RestController
 class ItemController(private val huntService: HuntService) {
 
     @GetMapping
-    fun getItemsForHunt(@PathVariable huntId: HuntId): ResponseEntity<List<ItemResponse>> {
+    fun getItemsForHunt(@PathVariable huntId: HuntId, authentication: Authentication): ResponseEntity<List<ItemResponse>> {
-        return ResponseEntity.ok(huntService.getItemsForHunt(huntId).map { it.toResponse() })
+        return ResponseEntity.ok(huntService.getItemsForHunt(huntId, authentication.name).map { it.toResponse() })
     }
 
     @GetMapping("/{itemId}")
@@ -41,4 +45,21 @@ class ItemController(private val huntService: HuntService) {
         return ResponseEntity.ok(huntService.addItemToHunt(huntId, body.toDomain()).toResponse())
     }
 
+    @PreAuthorize("hasRole('ADMIN')")
+    @Tag(name = "Admin")
+    @PatchMapping("/{itemId}")
+    @Operation(summary = "Updates name and/or points for the specified Item in the specified Hunt")
+    fun updateItem(@PathVariable huntId: HuntId, @PathVariable itemId: ItemId, @RequestBody body: ItemUpdateRequest): ResponseEntity<ItemResponse> {
+        return ResponseEntity.ok(huntService.updateItem(huntId, itemId, body).toResponse())
+    }
+
+    @PreAuthorize("hasRole('ADMIN')")
+    @Tag(name = "Admin")
+    @DeleteMapping("/{itemId}")
+    @Operation(summary = "Deletes the specified Item from the specified Hunt")
+    fun deleteItem(@PathVariable huntId: HuntId, @PathVariable itemId: ItemId): ResponseEntity<Unit> {
+        huntService.deleteItem(huntId, itemId)
+        return ResponseEntity.noContent().build()
+    }
+
 }

src/main/kotlin/net/halfbinary/scavengerhuntapi/model/domain/Hunt.kt

@@ -10,4 +10,7 @@ data class Hunt(
     val startDateTime: LocalDateTime,
     val endDateTime: LocalDateTime,
     val isTerminated: Boolean
-)
+) {
+    val isOngoing: Boolean
+        get() = !isTerminated && startDateTime < LocalDateTime.now() && endDateTime > LocalDateTime.now()
+}

src/main/kotlin/net/halfbinary/scavengerhuntapi/model/request/ItemUpdateRequest.kt

@@ -0,0 +1,6 @@
+package net.halfbinary.scavengerhuntapi.model.request
+
+data class ItemUpdateRequest(
+    val name: String?,
+    val points: Int?
+)

src/main/kotlin/net/halfbinary/scavengerhuntapi/model/response/LoginResponse.kt

@@ -4,5 +4,6 @@ import net.halfbinary.scavengerhuntapi.model.RefreshId
 
 data class LoginResponse(
     val accessToken: String,
-    val refreshToken: RefreshId
+    val refreshToken: RefreshId,
+    val name: String
 )

src/main/kotlin/net/halfbinary/scavengerhuntapi/repository/HuntItemRepository.kt

@@ -1,9 +1,13 @@
 package net.halfbinary.scavengerhuntapi.repository
 
+import net.halfbinary.scavengerhuntapi.model.HuntId
+import net.halfbinary.scavengerhuntapi.model.ItemId
 import net.halfbinary.scavengerhuntapi.model.record.HuntItemRecord
 import org.springframework.data.jpa.repository.JpaRepository
 import org.springframework.stereotype.Repository
 import java.util.*
 
 @Repository
-interface HuntItemRepository : JpaRepository<HuntItemRecord, UUID>
+interface HuntItemRepository : JpaRepository<HuntItemRecord, UUID> {
+    fun findByHuntIdAndItemId(huntId: HuntId, itemId: ItemId): HuntItemRecord?
+}

src/main/kotlin/net/halfbinary/scavengerhuntapi/service/HuntService.kt

@@ -1,14 +1,17 @@
 package net.halfbinary.scavengerhuntapi.service
 
+import net.halfbinary.scavengerhuntapi.error.exception.ForbiddenException
 import net.halfbinary.scavengerhuntapi.error.exception.NotFoundException
 import net.halfbinary.scavengerhuntapi.model.HuntId
 import net.halfbinary.scavengerhuntapi.model.HunterId
+import net.halfbinary.scavengerhuntapi.model.ItemId
 import net.halfbinary.scavengerhuntapi.model.converter.toDomain
 import net.halfbinary.scavengerhuntapi.model.converter.toRecord
 import net.halfbinary.scavengerhuntapi.model.domain.Hunt
 import net.halfbinary.scavengerhuntapi.model.domain.HuntItem
 import net.halfbinary.scavengerhuntapi.model.domain.Item
 import net.halfbinary.scavengerhuntapi.model.request.HuntStatus
+import net.halfbinary.scavengerhuntapi.model.request.ItemUpdateRequest
 import net.halfbinary.scavengerhuntapi.repository.HuntItemRepository
 import net.halfbinary.scavengerhuntapi.repository.HuntRepository
 import net.halfbinary.scavengerhuntapi.repository.ItemRepository
@@ -20,7 +23,8 @@ import java.time.LocalDateTime
 class HuntService(
     private val huntRepository: HuntRepository,
     private val itemRepository: ItemRepository,
-    private val huntItemRepository: HuntItemRepository
+    private val huntItemRepository: HuntItemRepository,
+    private val hunterService: HunterService
 ) {
     fun getHunt(huntId: HuntId): Hunt {
         return huntRepository.findByIdOrNull(huntId)?.toDomain() ?: throw NotFoundException("No hunt with id $huntId found")
@@ -64,8 +68,10 @@ class HuntService(
         return huntRepository.save(hunt.toRecord()).toDomain()
     }
 
-    fun getItemsForHunt(huntId: HuntId): List<Item> {
+    fun getItemsForHunt(huntId: HuntId, email: String): List<Item> {
-        huntRepository.findByIdOrNull(huntId) ?: throw NotFoundException("No hunt with id $huntId found")
+        val hunt = huntRepository.findByIdOrNull(huntId)?.toDomain() ?: throw NotFoundException("No hunt with id $huntId found")
+        val hunter = hunterService.getHunterByEmail(email)
+        if (!hunter.isAdmin && !hunt.isOngoing) throw ForbiddenException()
         return itemRepository.findAllByHuntId(huntId).map { it.toDomain() }
     }
 
@@ -75,4 +81,23 @@ class HuntService(
         huntItemRepository.save(HuntItem(huntId = huntId, itemId = savedItem.id).toRecord())
         return savedItem
     }
+
+    fun updateItem(huntId: HuntId, itemId: ItemId, request: ItemUpdateRequest): Item {
+        huntItemRepository.findByHuntIdAndItemId(huntId, itemId)
+            ?: throw NotFoundException("No item with id $itemId found in hunt $huntId")
+        val existing = itemRepository.findByIdOrNull(itemId)
+            ?: throw NotFoundException("No item with id $itemId found")
+        val updated = existing.copy(
+            name = request.name ?: existing.name,
+            points = request.points ?: existing.points
+        )
+        return itemRepository.save(updated).toDomain()
+    }
+
+    fun deleteItem(huntId: HuntId, itemId: ItemId) {
+        val huntItem = huntItemRepository.findByHuntIdAndItemId(huntId, itemId)
+            ?: throw NotFoundException("No item with id $itemId found in hunt $huntId")
+        huntItemRepository.delete(huntItem)
+        itemRepository.deleteById(itemId)
+    }
 }

src/main/kotlin/net/halfbinary/scavengerhuntapi/service/PhotoService.kt

@@ -36,10 +36,15 @@ class PhotoService(
     private val photoRepository: PhotoRepository,
     private val hunterService: HunterService,
     private val teamService: TeamService,
+    private val huntService: HuntService,
     private val s3StorageService: S3StorageService,
     private val fileProbeService: FileProbeService
 ) {
     fun submitPhoto(huntId: HuntId, itemId: ItemId, email: String, file: MultipartFile) {
+        val hunter = hunterService.getHunterByEmail(email)
+        val hunt = huntService.getHunt(huntId)
+        if (!hunter.isAdmin && !hunt.isOngoing) throw ForbiddenException()
+
         val originalBytes = file.bytes
         val fileType = fileProbeService.getFileType(originalBytes)
 
@@ -51,7 +56,6 @@ class PhotoService(
             throw BadFileException("Image type is not supported")
         }
 
-        val hunter = hunterService.getHunterByEmail(email)
         val now = LocalDateTime.now()
         val photo = Photo(
             itemId = itemId,
@@ -76,6 +80,8 @@ class PhotoService(
             ?: throw NotFoundException(PHOTO_NOT_FOUND)
 
         if (!requestingHunter.isAdmin) {
+            val hunt = huntService.getHunt(huntId)
+            if (!hunt.isOngoing) throw ForbiddenException()
             val team = try {
                 teamService.getTeamForHunterInHunt(huntId, email)
             } catch (_: NotFoundException) {
@@ -121,6 +127,8 @@ class PhotoService(
         val requestingHunter = hunterService.getHunterByEmail(email)
 
         if (!requestingHunter.isAdmin) {
+            val hunt = huntService.getHunt(huntId)
+            if (!hunt.isOngoing) throw ForbiddenException()
             val team = try {
                 teamService.getTeamForHunterInHunt(huntId, email)
             } catch (_: NotFoundException) {
@@ -142,15 +150,24 @@ class PhotoService(
     }
 
     fun removePhoto(huntId: HuntId, teamId: TeamId, itemId: ItemId, photoId: PhotoId, email: String) {
+        val requestingHunter = hunterService.getHunterByEmail(email)
+
+        if (!requestingHunter.isAdmin) {
+            val hunt = huntService.getHunt(huntId)
+            if (!hunt.isOngoing) throw ForbiddenException()
+        }
+
         val photoRecord = photoRepository.findByIdAndItemIdAndHuntId(photoId, itemId, huntId)
             ?: throw NotFoundException(PHOTO_NOT_FOUND)
 
+        if (!requestingHunter.isAdmin) {
             val team = try {
                 teamService.getTeamForHunterInHunt(huntId, email)
             } catch (_: NotFoundException) {
                 throw ForbiddenException()
             }
             if (team.id != teamId) throw ForbiddenException()
+        }
 
         if (photoRecord.status == PhotoStatus.APPROVED) throw ConflictException("Cannot remove an approved photo")
 
@@ -161,6 +178,8 @@ class PhotoService(
         val requestingHunter = hunterService.getHunterByEmail(email)
 
         if (!requestingHunter.isAdmin) {
+            val hunt = huntService.getHunt(huntId)
+            if (!hunt.isOngoing) throw ForbiddenException()
             val team = try {
                 teamService.getTeamForHunterInHunt(huntId, email)
             } catch (_: NotFoundException) {

src/main/kotlin/net/halfbinary/scavengerhuntapi/service/RefreshTokenService.kt

@@ -5,6 +5,7 @@ import net.halfbinary.scavengerhuntapi.error.exception.ExpiredRefreshTokenExcept
 import net.halfbinary.scavengerhuntapi.error.exception.InvalidRefreshTokenException
 import net.halfbinary.scavengerhuntapi.model.RefreshId
 import net.halfbinary.scavengerhuntapi.model.record.RefreshTokenRecord
+import net.halfbinary.scavengerhuntapi.repository.HunterRepository
 import net.halfbinary.scavengerhuntapi.repository.RefreshTokenRepository
 import org.slf4j.LoggerFactory
 import org.springframework.data.repository.findByIdOrNull
@@ -13,7 +14,7 @@ import java.time.LocalDateTime
 import java.time.temporal.ChronoUnit
 
 @Service
-class RefreshTokenService(private val refreshTokenRepository: RefreshTokenRepository, private val jwtUtil: JwtUtil) {
+class RefreshTokenService(private val refreshTokenRepository: RefreshTokenRepository, private val jwtUtil: JwtUtil, private val hunterRepository: HunterRepository) {
 
     companion object {
         private val log = LoggerFactory.getLogger(RefreshTokenService::class.java)
@@ -25,7 +26,8 @@ class RefreshTokenService(private val refreshTokenRepository: RefreshTokenReposi
                 removeToken(tokenId)
                 throw ExpiredRefreshTokenException(tokenId)
             } else {
-                jwtUtil.generateToken(refreshToken.email)
+                val isAdmin = hunterRepository.findByEmail(refreshToken.email)?.isAdmin ?: false
+                jwtUtil.generateToken(refreshToken.email, isAdmin)
             }
         }?: throw InvalidRefreshTokenException(tokenId)
     }