From 080932d9e1acc229e4f79335ca21b343e590b5c5 Mon Sep 17 00:00:00 2001
From: Nicky Gerritsen
Date: Sat, 25 May 2024 12:24:08 -0400
Subject: [PATCH] When you log in to the main DOMjudge, allow to use the API with the same user
---
 webapp/config/packages/security.yaml | 4 +++-
 .../NoSessionCookieForApiListener.php | 24 +++++++++++++++++++
 webapp/tests/Unit/BaseTestCase.php | 2 +-
 3 files changed, 28 insertions(+), 2 deletions(-)
 create mode 100644 webapp/src/EventListener/NoSessionCookieForApiListener.php
diff --git a/webapp/config/packages/security.yaml b/webapp/config/packages/security.yaml
index 90be4c137e6..33361a36db3 100644
--- a/webapp/config/packages/security.yaml
+++ b/webapp/config/packages/security.yaml
@@ -33,8 +33,8 @@ security:
 # API does Basic Auth and IP address auth
 api:
 pattern: ^/api
+ context: domjudge
 provider: domjudge_db_provider
- stateless: true
 user_checker: App\Security\UserChecker
 entry_point: App\Security\DOMJudgeIPAuthenticator
 # SEE NOTE ABOVE IF CHANGING ANYTHING HERE
@@ -45,6 +45,7 @@ security:
 # Provides prometheus metrics
 metrics:
 pattern: ^/prometheus/metrics
+ context: domjudge
 provider: domjudge_db_provider
 stateless: true
 user_checker: App\Security\UserChecker
@@ -57,6 +58,7 @@ security:
 # rest of app does form_login
 main:
 pattern: ^/
+ context: domjudge
 provider: domjudge_db_provider
 user_checker: App\Security\UserChecker
 entry_point: App\Security\DOMJudgeXHeadersAuthenticator
diff --git a/webapp/src/EventListener/NoSessionCookieForApiListener.php b/webapp/src/EventListener/NoSessionCookieForApiListener.php
new file mode 100644
index 00000000000..69e8e644544
--- /dev/null
+++ b/webapp/src/EventListener/NoSessionCookieForApiListener.php
@@ -0,0 +1,24 @@
+getRequest();
+ $response = $event->getResponse();
+ if ($request->attributes->get('_firewall_context') === 'security.firewall.map.context.api') {
+ $response->headers->removeCookie($request->getSession()->getName());
+ }
+ }
+}
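Review bot: Cookie-authenticated `/api` requests need a cross-site request defence, and the `api` firewall hunk introduces them without showing one: with `stateless: true` removed and `context: domjudge` shared with `main` (third hunk), a logged-in browser session now authenticates API calls. Nothing visible here adds a CSRF token, an Origin check or a SameSite requirement for the API, so it should be confirmed that any state-changing API endpoint is covered, for instance that `framework.session.cookie_samesite` is `lax` or `strict`. The comment above the firewall is also stale now; I would change it to `# API does Basic Auth, IP address auth, and accepts the session of the main firewall (shared context)`.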
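Review bot: `context: domjudge` on the `metrics` firewall sits next to an unchanged `stateless: true`, and as far as I know Symfony does not register the session context listener for a stateless firewall, so the added line likely has no effect. Either drop it, or, if a session login is meant to open `/prometheus/metrics` too, remove `stateless: true` as was done for `api`. Whichever is intended, the comment should say so, e.g. `# Provides prometheus metrics (Basic Auth only, session is not used)`.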
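Review bot: `$request->getSession()` is called without checking `$request->hasSession()`, and it throws when the request carries no session, so the condition is safer as `if ($request->hasSession() && $request->attributes->get('_firewall_context') === 'security.firewall.map.context.api') {`. The listener can only remove the cookie if it runs after Symfony's own session listener has added it to the response; the class header and event registration are not legible in this hunk as shown, so the priority should be confirmed there. A comment stating that `security.firewall.map.context.api` is the service id generated for the `api` firewall would help, because renaming that firewall in security.yaml would silently disable this check. Removing the cookie presumably does not stop a session from being written server-side for each Basic-auth API call, which is worth checking against the session store's cleanup.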
diff --git a/webapp/tests/Unit/BaseTestCase.php b/webapp/tests/Unit/BaseTestCase.php
index 49ffd026915..fbe52541b78 100644
--- a/webapp/tests/Unit/BaseTestCase.php
+++ b/webapp/tests/Unit/BaseTestCase.php
@@ -141,7 +141,7 @@ protected function loginHelper(
 */
 protected function logIn(): void
 {
- $this->client->loginUser($this->setupUser());
+ $this->client->loginUser($this->setupUser(), 'domjudge');
 }
 /**
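Review bot: The literal `'domjudge'` passed to `loginUser()` has to match the `context:` value added in security.yaml, and nothing in `logIn()` says so; a comment such as `// Must match the shared firewall context in config/packages/security.yaml` above the call would keep the two from drifting apart. The commit also adds no test that an API response omits the session cookie, or that a session login is accepted on `/api`, which are the two behaviours it introduces.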