0045960: We are sending credentials using GET

From a28ffe225d50f38c7b3cea68a368526f2cdde1ed Mon Sep 17 00:00:00 2001
From: Prakash M <prakash@qualiantech.com>
Date: Fri, 25 Mar 2022 10:47:19 +0530
Subject: [PATCH] Backport of BUG 45167, 45960 *  Ability to provide custom
 information on login * Changed Terminal Authentication request from GET to
 POST for security purpose * Included post method in
 MobileCoreLoginUtilsServlet

---
 .../mobile/core/login/LoginDataProvider.java  | 32 ++++++++++
 .../login/MobileCoreLoginUtilsServlet.java    | 60 ++++++++++++++++++-
 2 files changed, 90 insertions(+), 2 deletions(-)
 create mode 100644 src/org/openbravo/mobile/core/login/LoginDataProvider.java

diff --git a/src/org/openbravo/mobile/core/login/LoginDataProvider.java b/src/org/openbravo/mobile/core/login/LoginDataProvider.java
new file mode 100644
index 00000000..cf71230e
--- /dev/null
+++ b/src/org/openbravo/mobile/core/login/LoginDataProvider.java
@@ -0,0 +1,32 @@
+/*
+ ************************************************************************************
+ * Copyright (C) 2020 Openbravo S.L.U.
+ * Licensed under the Openbravo Commercial License version 1.0
+ * You may obtain a copy of the License at http://www.openbravo.com/legal/obcl.html
+ * or in the legal folder of this module distribution.
+ ************************************************************************************
+ */
+package org.openbravo.mobile.core.login;
+
+import java.util.Map;
+
+/**
+ * Allows to provides extra data to be returned together with the default login data.
+ */
+public interface LoginDataProvider {
+
+  /**
+   * Returns data that should be appended to the default login data returned by the
+   * MobileCoreLoginUtilsServlet servlet when it is invoked with the provided context.
+   * 
+   * @param context
+   *          context information like the current role or the command used in the request to the
+   *          servlet which may be used by the provider to retrieve the data.
+   * 
+   * 
+   * @return a map with the data. The keys are the keys of the properties that will be added into
+   *         the resulting object returned by the servlet and the values are objects with the data
+   *         for each property.
+   */
+  public Map<String, Object> getData(Map<String, String> context);
+}
diff --git a/src/org/openbravo/mobile/core/login/MobileCoreLoginUtilsServlet.java b/src/org/openbravo/mobile/core/login/MobileCoreLoginUtilsServlet.java
index da0bb0bc..012464d7 100644
--- a/src/org/openbravo/mobile/core/login/MobileCoreLoginUtilsServlet.java
+++ b/src/org/openbravo/mobile/core/login/MobileCoreLoginUtilsServlet.java
@@ -10,8 +10,12 @@ package org.openbravo.mobile.core.login;
 
 import java.io.IOException;
 import java.util.HashMap;
+import java.util.Map;
+import java.util.Map.Entry;
 import java.util.Properties;
 
+import javax.enterprise.inject.Any;
+import javax.enterprise.inject.Instance;
 import javax.inject.Inject;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
@@ -66,6 +70,10 @@ public class MobileCoreLoginUtilsServlet extends WebServiceAbstractServlet {
   @Inject
   private MobileDefaultsHandler defaultsHandler;
 
+  @Inject
+  @Any
+  private Instance<LoginDataProvider> dataProviders;
+  
   @Override
   public void doGet(HttpServletRequest request, HttpServletResponse response)
       throws IOException, ServletException {
@@ -97,12 +105,12 @@ public class MobileCoreLoginUtilsServlet extends WebServiceAbstractServlet {
         result = getCompanyLogo(request);
       } else if (command.equals("userImages")) {
         result = getUserImages(request);
-      } else if (command.equals("preLoginActions")) {
-        result = preLogin(request);
       } else if (command.equals("initActions")) {
         result = initActions(request);
       }
 
+      addExtraLoginData(result, request);
+
       writeResult(response, result.toString());
     } catch (JSONException e) {
       log.error(e.getMessage(), e);
@@ -121,6 +129,54 @@ public class MobileCoreLoginUtilsServlet extends WebServiceAbstractServlet {
     }
   }
 
+  @Override
+  public void doPost(HttpServletRequest request, HttpServletResponse response)
+      throws IOException, ServletException {
+    OBContext.setAdminMode(false);
+    try {
+      final String command = request.getParameter("command");
+      JSONObject result = new JSONObject();
+
+      if (command.equals("preLoginActions")) {
+        result = preLogin(request);
+      }
+
+      addExtraLoginData(result, request);
+      writeResult(response, result.toString());
+    } catch (JSONException e) {
+      log.error(e.getMessage(), e);
+      writeResult(response, JsonUtils.convertExceptionToJson(e));
+    } catch (Exception e) {
+      if (ExternalConnectionPool.getInstance().hasNoConnections(e)) {
+        log.error("Pool has run out of database connections", e);
+        writeTechnicalError(response, JsonUtils.convertExceptionToJson(e));
+      } else {
+        log.error(e.getMessage(), e);
+        writeResult(response, JsonUtils.convertExceptionToJson(e));
+      }
+    } finally {
+      OBContext.restorePreviousMode();
+      OBContext.setOBContext((OBContext) null);
+    }
+  }
+
+  private void addExtraLoginData(JSONObject result, HttpServletRequest request)
+      throws JSONException {
+    Map<String, String> context = getContextData(request);
+    for (LoginDataProvider dataProvider : dataProviders) {
+      for (Entry<String, Object> entry : dataProvider.getData(context).entrySet()) {
+        result.put(entry.getKey(), entry.getValue());
+      }
+    }
+  }
+
+  private Map<String, String> getContextData(HttpServletRequest request) {
+    Map<String, String> context = new HashMap<>();
+    context.put("command", request.getParameter("command"));
+    context.put("moduleId", getModuleId());
+    return context;
+  }
+
   protected JSONObject getPrerrenderData(HttpServletRequest request) throws JSONException {
     JSONObject data = new JSONObject();
     JSONObject item = null;
-- 
2.20.1

From d40439ef90567a47a5268c8cfe0f48c7bd3c7a47 Mon Sep 17 00:00:00 2001
From: Prakash M <prakash@qualiantech.com>
Date: Thu, 24 Mar 2022 14:19:22 +0530
Subject: [PATCH] Backport of BUG-45963 : Changed Terminal Authentication
 request from GET to POST for security purpose

---
 .../js/login/model/login-model.js                             | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/web/org.openbravo.retail.posterminal/js/login/model/login-model.js b/web/org.openbravo.retail.posterminal/js/login/model/login-model.js
index 05959cb75..a8136f02d 100644
--- a/web/org.openbravo.retail.posterminal/js/login/model/login-model.js
+++ b/web/org.openbravo.retail.posterminal/js/login/model/login-model.js
@@ -1913,7 +1913,9 @@
           '"'
       );
       new OB.OBPOSLogin.UI.LoginRequest({
-        url: OB.MobileApp.model.get('loginUtilsUrl')
+        url: OB.MobileApp.model.get('loginUtilsUrl'),
+        method: 'POST',
+        contentType: 'application/x-www-form-urlencoded; charset=UTF-8'
       })
         .response(this, function(inSender, inResponse) {
           if (
-- 
2.20.1