From c717ea30e6fe65e2c4dffc3faddfd6266114b427 Mon Sep 17 00:00:00 2001
From: Vassili Moskaljov <112167412+ExiRain@users.noreply.github.com>
Date: Fri, 13 Dec 2024 13:16:10 +0200
Subject: [PATCH] Fixed, styling, added use of nonce (#1067)
---
.../hbs/delete_conversations_cron.handlebars | 5 +--
DSL/Resql/get-new-nonce.sql | 1 +
DSL/Resql/use-nonce.sql | 1 +
DSL/Ruuter.private/DSL/GET/.guard | 41 ++++++++++++++++---
DSL/Ruuter.private/DSL/POST/.guard | 41 +++++++++++++++++--
.../sync/delete-conversations-cron.yml | 6 +--
.../Settings/DeleteConversations/index.tsx | 1 +
docker-compose.yml | 2 +
8 files changed, 82 insertions(+), 16 deletions(-)
create mode 100644 DSL/Resql/get-new-nonce.sql
create mode 100644 DSL/Resql/use-nonce.sql
diff --git a/DSL/DMapper/hbs/delete_conversations_cron.handlebars b/DSL/DMapper/hbs/delete_conversations_cron.handlebars
index 2d29dd242..5b3f2fee0 100644
--- a/DSL/DMapper/hbs/delete_conversations_cron.handlebars
+++ b/DSL/DMapper/hbs/delete_conversations_cron.handlebars
@@ -1,6 +1,5 @@
 {
 "trigger": "{{ cronExpression }}",
- "type": "http",
- "method": "{{ method }}",
- "url": "{{{ url }}}"
+ "type": "exec",
+ "command": "{{{ command }}}"
 }
\ No newline at end of file
diff --git a/DSL/Resql/get-new-nonce.sql b/DSL/Resql/get-new-nonce.sql
new file mode 100644
index 000000000..2a1a04173
--- /dev/null
+++ b/DSL/Resql/get-new-nonce.sql
@@ -0,0 +1 @@
+INSERT INTO request_nonces (valid_until) VALUES ( now() + interval '1 day') RETURNING nonce;
\ No newline at end of file
diff --git a/DSL/Resql/use-nonce.sql b/DSL/Resql/use-nonce.sql
new file mode 100644
index 000000000..af0d7d748
--- /dev/null
+++ b/DSL/Resql/use-nonce.sql
@@ -0,0 +1 @@
+update request_nonces set used_at = now() where nonce = :updated_nonce and used_at is null returning nonce;
\ No newline at end of file
diff --git a/DSL/Ruuter.private/DSL/GET/.guard b/DSL/Ruuter.private/DSL/GET/.guard
index 68568305c..cbab9dd56 100644
--- a/DSL/Ruuter.private/DSL/GET/.guard
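Review bot: `{{{ command }}}` is a triple-stash, so the value is written unescaped into a JSON document that now defines a command to execute; a double quote or backslash in it would break the document, and nothing in the template itself constrains where the value comes from. On this page the only producers are the two fixed string literals in delete-conversations-cron.yml, so this is fine as long as that stays true. A template comment such as `{{!-- command must be a fixed, trusted literal from the cron DSL, never request input --}}` would record that assumption for the next person who adds a producer.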
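Review bot: use-nonce.sql never checks `valid_until`, so the expiry that get-new-nonce.sql writes (`now() + interval '1 day'`) is stored but not enforced and an unused nonce stays redeemable indefinitely; add it to the where clause: `update request_nonces set used_at = now() where nonce = :updated_nonce and used_at is null and valid_until > now() returning nonce;`. The insert does not set the nonce value itself, so it presumably comes from a column default on request_nonces, which is not in this patch — whether that default is unguessable cannot be confirmed from here. The one-day window is also hard-coded in the SQL; if the cron scripts fetch a nonce immediately before calling the endpoint, a much shorter validity would limit what a leaked or logged nonce is worth.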
+++ b/DSL/Ruuter.private/DSL/GET/.guard @@ -1,17 +1,48 @@ -check_for_cookie: +process_request: switch: - - condition: ${incoming.params.skipAuth === "true"} - next: guard_success + - condition: ${ incoming.headers['x-ruuter-nonce'] != null } + next: verify_header_nonce + - condition: ${ incoming.params['ruuter-nonce'] != null } + next: verify_param_nonce - condition: ${incoming.headers == null || incoming.headers.cookie == null} next: guard_fail next: authenticate +verify_header_nonce: + call: http.post + args: + url: "[#TRAINING_RESQL]/use-nonce" + body: + updated_nonce: ${incoming.headers['x-ruuter-nonce']} + result: nonce_response + next: check_inline + +verify_param_nonce: + call: http.post + args: + url: "[#TRAINING_RESQL]/use-nonce" + body: + updated_nonce: ${incoming.params['ruuter-nonce']} + result: nonce_response + next: check_inline + +check_inline: + inline: extAuth + result: extauth + +check_nonce: + switch: + - condition: ${ !extauth || (nonce_response.response.body[0] == null) } + next: guard_fail + next: guard_success + authenticate: template: check-user-authority requestType: templates headers: cookie: ${incoming.headers.cookie} result: authority_result + next: check_authority_result check_authority_result: switch: @@ -26,5 +57,5 @@ guard_success: guard_fail: return: "unauthorized" - status: 200 - next: end + status: 403 + next: end \ No newline at end of file diff --git a/DSL/Ruuter.private/DSL/POST/.guard b/DSL/Ruuter.private/DSL/POST/.guard index faac86f60..135ad53cf 100644 --- a/DSL/Ruuter.private/DSL/POST/.guard +++ b/DSL/Ruuter.private/DSL/POST/.guard 
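Review bot: In `process_request` the first two conditions index `incoming.headers[...]` and `incoming.params[...]` before the third condition tests `incoming.headers == null`, so a request the old guard sent to `guard_fail` for missing headers now hits a property access on null in the first condition instead; guard it, e.g. `- condition: ${ incoming.headers != null && incoming.headers['x-ruuter-nonce'] != null }`. `check_inline` has no `next:`, so reaching `check_nonce` appears to rely on fall-through to the following step; an explicit `next: check_nonce` would make the nonce path unambiguous. `check_nonce` also dereferences `nonce_response.response.body[0]` without checking that the Resql call succeeded, so a failed call may surface as an expression error rather than a clean `guard_fail` — worth confirming how Ruuter treats an expression error inside a guard. What the `extAuth` inline checks is not on this page; presumably it matches the request path against the `application.externalAuthAllowed` value added in docker-compose.yml. The same three points apply to the identical hunk in DSL/Ruuter.private/DSL/POST/.guard.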
@@ -1,15 +1,48 @@ -check_for_cookie: +process_request: switch: + - condition: ${ incoming.headers['x-ruuter-nonce'] != null } + next: verify_header_nonce + - condition: ${ incoming.params['ruuter-nonce'] != null } + next: verify_param_nonce - condition: ${incoming.headers == null || incoming.headers.cookie == null} - next: guard_fail + next: guard_fail next: authenticate +verify_header_nonce: + call: http.post + args: + url: "[#TRAINING_RESQL]/use-nonce" + body: + updated_nonce: ${incoming.headers['x-ruuter-nonce']} + result: nonce_response + next: check_inline + +verify_param_nonce: + call: http.post + args: + url: "[#TRAINING_RESQL]/use-nonce" + body: + updated_nonce: ${incoming.params['ruuter-nonce']} + result: nonce_response + next: check_inline + +check_inline: + inline: extAuth + result: extauth + +check_nonce: + switch: + - condition: ${ !extauth || (nonce_response.response.body[0] == null) } + next: guard_fail + next: guard_success + authenticate: template: check-user-authority requestType: templates headers: cookie: ${incoming.headers.cookie} result: authority_result + next: check_authority_result check_authority_result: switch: @@ -24,5 +57,5 @@ guard_success: guard_fail: return: "unauthorized" - status: 200 - next: end + status: 403 + next: end \ No newline at end of file diff --git a/DSL/Ruuter.private/DSL/POST/internal/sync/delete-conversations-cron.yml b/DSL/Ruuter.private/DSL/POST/internal/sync/delete-conversations-cron.yml index 7ac4fe5c6..613c68b36 100644 --- a/DSL/Ruuter.private/DSL/POST/internal/sync/delete-conversations-cron.yml +++ b/DSL/Ruuter.private/DSL/POST/internal/sync/delete-conversations-cron.yml @@ -58,8 +58,7 @@ createAuthCronJson: type: "json" body: cronExpression: ${expression} - method: "GET" - url: "[#CHATBOT_RUUTER_PRIVATE_INTERNAL]/cron-tasks/delete-conversations?isAuth=true&skipAuth=true" + command: "./scripts/remove-auth-conversations.sh" result: authCronJson createAnonCronJson: 
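Review bot: `command: "./scripts/remove-auth-conversations.sh"` is a relative path, so it resolves against whatever working directory the cron executor happens to run in rather than a fixed location; the same applies to `./scripts/remove-anonym-conversations.sh` in the next hunk. Neither script is part of this patch (the diffstat lists eight files, none under scripts/), so they must already exist in the executing container and be executable, and how they authenticate — presumably by requesting a nonce via get-new-nonce and sending it in the `x-ruuter-nonce` header — cannot be confirmed from here. An absolute path, or a comment above `createAuthCronJson` naming where the scripts live and how they obtain their nonce, would make this reviewable. The `createAuthCronJson` step starts outside the hunk.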
@@ -70,8 +69,7 @@ createAnonCronJson: type: "json" body: cronExpression: ${expression} - method: "GET" - url: "[#CHATBOT_RUUTER_PRIVATE_INTERNAL]/cron-tasks/delete-conversations?isAuth=false&skipAuth=true" + command: "./scripts/remove-anonym-conversations.sh" result: anonCronJson checkAuthConditions: diff --git a/GUI/src/pages/Settings/DeleteConversations/index.tsx b/GUI/src/pages/Settings/DeleteConversations/index.tsx index b72dc7792..0f72f911a 100644 --- a/GUI/src/pages/Settings/DeleteConversations/index.tsx +++ b/GUI/src/pages/Settings/DeleteConversations/index.tsx @@ -162,6 +162,7 @@ const DeleteConversations: FC = () => { diff --git a/docker-compose.yml b/docker-compose.yml index fce2e5cb5..51e9aec51 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -48,9 +48,11 @@ services: - application.logging.printStackTrace=true - application.internalRequests.disabled=true - server.port=8088 + - application.externalAuthAllowed=/cron-tasks/delete-conversations volumes: - ./DSL/Ruuter.private/DSL:/DSL - ./constants.ini:/app/constants.ini + - jwt-integration.signature.key-store-password=defaultpassword ports: - 8088:8088 networks:
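Review bot: `- jwt-integration.signature.key-store-password=defaultpassword` is added after `./constants.ini:/app/constants.ini`, i.e. inside the `volumes:` list, so Compose will parse it as a volume mount specification rather than as an application property; it presumably belongs in the list above, next to `application.externalAuthAllowed=/cron-tasks/delete-conversations` (the key of that list is outside the hunk). It also commits a literal keystore password to the repository; prefer variable substitution, e.g. `- jwt-integration.signature.key-store-password=${JWT_KEYSTORE_PASSWORD}` (variable name constructed) with the value supplied from an untracked `.env`, so a weak default cannot silently reach a deployment.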