Should the cookie system for your auth system be in the Controller or maybe the Service?

Where should I put the logic of the cookie system? Thanks in advance.
19 Replies
dan1st (6mo ago)
You probably want to handle authentication in some filter or similar.
L4yoos (OP, 6mo ago)
I have something like a JwtAuthFilter, but I have moved the whole cookie system to a CookieService and still call it from the controller, to avoid passing HttpServletRequest/HttpServletResponse between service -> service; only controller -> service.

@PostMapping("/login")
public ResponseEntity<LoginResponse> login(@RequestBody LoginRequest request, HttpServletResponse response) {
    LoginResponse loginResponse = authCasePort.executeLogin(request);
    cookieService.setAuthCookies(response, loginResponse.getAccessToken(), loginResponse.getRefreshToken());
    return ResponseEntity.ok(loginResponse);
}

@Override
public void setAuthCookies(HttpServletResponse response, String accessToken, String refreshToken) {
    Cookie accessTokenCookie = new Cookie("accessToken", accessToken);
    accessTokenCookie.setHttpOnly(true);   // not readable from JavaScript
    accessTokenCookie.setSecure(false);    // Set to true in production (HTTPS)
    accessTokenCookie.setPath("/api");
    accessTokenCookie.setMaxAge(3600);     // 1 hour
    // Cookie.setAttribute(...) requires Jakarta Servlet 6 (Spring Boot 3+)
    accessTokenCookie.setAttribute("SameSite", "Strict");

    Cookie refreshTokenCookie = new Cookie("refreshToken", refreshToken);
    refreshTokenCookie.setHttpOnly(true);
    refreshTokenCookie.setSecure(false);   // Set to true in production (HTTPS)
    refreshTokenCookie.setPath("/api");
    refreshTokenCookie.setMaxAge(604800);  // 7 days
    refreshTokenCookie.setAttribute("SameSite", "Strict");

    response.addCookie(accessTokenCookie);
    response.addCookie(refreshTokenCookie);
}
Something like this.
dan1st (6mo ago)
Services shouldn't depend on things like HTTP/requests.
L4yoos (OP, 6mo ago)
I see, so how can I improve the cookie system?
dan1st (6mo ago)
Password checking, retrieving the user, etc. should be done in a service or with Spring Security things, but if you need a login endpoint (which you might not need with Spring Security), you can do the HTTP stuff in the controller.
L4yoos (OP, 6mo ago)
I know it, but to me it's about the cookie system. You, as an experienced senior (I think), how would you approach such a thing as a cookie system?
dan1st (6mo ago)
Are you using Spring Security?
L4yoos (OP, 6mo ago)
Yep, maybe I'm stupid and don't understand something hahah
dan1st (6mo ago)
What do you need from the request? Parameters, I guess?
L4yoos (OP, 6mo ago)
You're asking about LoginRequest?
dan1st (6mo ago)
Yes.
L4yoos (OP, 6mo ago)
So only email and password right now.
dan1st (6mo ago)
Can you show LoginRequest? The setAuthCookies should be in the controller layer.
L4yoos (OP, 6mo ago)
package com.example.auth.application.dto;

public record LoginRequest(String email, String password) {}
Okay, so I shouldn't build a cookie service and should just build private methods in the controller, yep?
dan1st (6mo ago)
You can still use a class for it if applicable, but not in the service layer, because it's dependent on HTTP/cookies and not business logic.
L4yoos (OP, 6mo ago)
Okay, I get it, thanks!