From 0ec7ee42fd43a6b0e5ee6c4a05cd45593a77c5f8 Mon Sep 17 00:00:00 2001
From: Paul James <pauljamespj2001@gmail.com>
Date: Mon, 23 Oct 2023 00:55:52 -0400
Subject: [PATCH] Feat(AUTH-CPC-740):  User Can Logout (#576)

JIRA: link to jira ticket:
https://champlainsaintlambert.atlassian.net/browse/CPC-740
## Context:
The logout functionality was incorrectly implemented, and it failed to
remove the user account cookie upon logout.
## Changes
Implemented a functional logout feature that clears the user account
session cookie and removes associated local storage keys (e.g., email,
roles, username, UUID).
- Added logout methods in ApiGateway to facilitate logouts.
- Enhanced the Frontend logout function to include the removal of the
Bearer account session cookie.
- Developed three comprehensive test cases to ensure the reliability of
the new logout functionality.

## Before and After UI (Required for UI-impacting PRs)
### Before

![Logout_Cookie](https://github.com/cgerard321/champlain_petclinic/assets/77691550/0886d925-5232-43e3-b42c-aeef46ec7b65)

![logout_UnremovedCookie](https://github.com/cgerard321/champlain_petclinic/assets/77691550/c1a86078-da75-4abc-924a-6ba946fa9b73)

### After

![Logout_Cookie](https://github.com/cgerard321/champlain_petclinic/assets/77691550/8d324ca3-25f5-4ff5-bef7-5f76a9324f6c)

![Logout_Success](https://github.com/cgerard321/champlain_petclinic/assets/77691550/78e3ffa4-da0f-4828-81a1-f4edcdd14132)

![Logout_CookieRemoved](https://github.com/cgerard321/champlain_petclinic/assets/77691550/cd1ede7d-0eba-4138-8b77-a8e50874e595)

![logout_localStorage](https://github.com/cgerard321/champlain_petclinic/assets/77691550/155c2048-e2e5-426b-8572-0ef9c05b4cdc)

## Dev notes (Optional)
None
## Linked pull requests (Optional)
None

---------

Co-authored-by: Dylan Brassard <71225455+DylanBrass@users.noreply.github.com>
---
 .../domainclientlayer/AuthServiceClient.java  | 24 +++++++++++++
 .../BFFApiGatewayController.java              |  8 +++++
 .../static/scripts/fragments/nav.html         | 29 ++++++++++++----
 .../AuthServiceClientIntegrationTest.java     | 28 +++++++++++++++
 .../ApiGatewayControllerTest.java             | 34 +++++++++++++++++++
 5 files changed, 116 insertions(+), 7 deletions(-)

diff --git a/api-gateway/src/main/java/com/petclinic/bffapigateway/domainclientlayer/AuthServiceClient.java b/api-gateway/src/main/java/com/petclinic/bffapigateway/domainclientlayer/AuthServiceClient.java
index f01bac7b71..3046d212ca 100644
--- a/api-gateway/src/main/java/com/petclinic/bffapigateway/domainclientlayer/AuthServiceClient.java
+++ b/api-gateway/src/main/java/com/petclinic/bffapigateway/domainclientlayer/AuthServiceClient.java
@@ -11,12 +11,16 @@
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.http.*;
+import org.springframework.http.server.reactive.ServerHttpRequest;
+import org.springframework.http.server.reactive.ServerHttpResponse;
 import org.springframework.stereotype.Component;
 import org.springframework.web.client.HttpClientErrorException;
 import org.springframework.web.reactive.function.client.WebClient;
 import reactor.core.publisher.Flux;
 import reactor.core.publisher.Mono;
 
+import java.time.Duration;
+import java.util.List;
 import java.util.UUID;
 
 import static org.springframework.http.HttpStatus.BAD_REQUEST;
@@ -242,6 +246,26 @@ public  Mono<ResponseEntity<UserPasswordLessDTO>> login(final Mono<Login> login)
         }
     }
 
+    public Mono<ResponseEntity<Void>> logout(ServerHttpRequest request, ServerHttpResponse response) {
+        log.info("Entered AuthServiceClient logout method");
+        List<HttpCookie> cookies = request.getCookies().get("Bearer");
+        if (cookies != null && !cookies.isEmpty()) {
+            ResponseCookie cookie = ResponseCookie.from("Bearer", "")
+                    .httpOnly(true)
+                    .secure(true)
+                    .path("/api/gateway")
+                    .domain("localhost")
+                    .maxAge(Duration.ofSeconds(0))
+                    .sameSite("Lax").build();
+            response.addCookie(cookie);
+            log.info("Logout Success: Account session ended");
+            return Mono.just(ResponseEntity.noContent().build());
+        } else {
+            log.warn("Logout Error: Problem removing account cookies, Session may have expired, redirecting to login page");
+            return Mono.just(ResponseEntity.status(HttpStatus.UNAUTHORIZED).build());
+        }
+    }
+
 
     public Mono<ResponseEntity<Void>> sendForgottenEmail(Mono<UserEmailRequestDTO> emailRequestDTOMono) {
 
diff --git a/api-gateway/src/main/java/com/petclinic/bffapigateway/presentationlayer/BFFApiGatewayController.java b/api-gateway/src/main/java/com/petclinic/bffapigateway/presentationlayer/BFFApiGatewayController.java
index ca371a4c55..e79c9942f2 100644
--- a/api-gateway/src/main/java/com/petclinic/bffapigateway/presentationlayer/BFFApiGatewayController.java
+++ b/api-gateway/src/main/java/com/petclinic/bffapigateway/presentationlayer/BFFApiGatewayController.java
@@ -24,6 +24,8 @@
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.core.io.Resource;
 import org.springframework.http.*;
+import org.springframework.http.server.reactive.ServerHttpRequest;
+import org.springframework.http.server.reactive.ServerHttpResponse;
 import org.springframework.validation.annotation.Validated;
 import org.springframework.web.bind.annotation.*;
 import reactor.core.publisher.Flux;
@@ -777,6 +779,12 @@ public Mono<ResponseEntity<UserPasswordLessDTO>> login(@RequestBody Mono<Login>
 
     }
 
+    @SecuredEndpoint(allowedRoles = {Roles.ANONYMOUS})
+    @PostMapping("/users/logout")
+    public Mono<ResponseEntity<Void>> logout(ServerHttpRequest request, ServerHttpResponse response) {
+        return authServiceClient.logout(request, response);
+    }
+
 
     @SecuredEndpoint(allowedRoles = {Roles.ANONYMOUS})
     @PostMapping(value = "/users/forgot_password")
diff --git a/api-gateway/src/main/resources/static/scripts/fragments/nav.html b/api-gateway/src/main/resources/static/scripts/fragments/nav.html
index 829e169130..bed3466466 100644
--- a/api-gateway/src/main/resources/static/scripts/fragments/nav.html
+++ b/api-gateway/src/main/resources/static/scripts/fragments/nav.html
@@ -1,10 +1,25 @@
 <script>
-    function purgeUser() {
-        localStorage.removeItem("username")
-        localStorage.removeItem("email")
-        localStorage.removeItem("UUID")
-        localStorage.removeItem("roles")
-}
+    function logoutUser() {
+        logoutUser.$inject = ['$http'];
+        var $http = angular.injector(['ng']).get('$http');
+        $http({
+            method: 'POST',
+            url: '/api/gateway/users/logout'
+        }).then(function successCallback(response) {
+            alert("Logout successful")
+            localStorage.removeItem("username")
+            localStorage.removeItem("email")
+            localStorage.removeItem("UUID")
+            localStorage.removeItem("roles")
+            window.location.href = '/#!/login';
+        }, function errorCallback(response) {
+            alert("Logout Error: Session may have expired. Redirecting to login page")
+            localStorage.removeItem("username")
+            localStorage.removeItem("email")
+            localStorage.removeItem("UUID")
+            localStorage.removeItem("roles")
+            window.location.href = '/#!/login';
+        });    }
 </script>
 
 <nav class="navbar navbar-expand-lg navbar-light bg-light">
@@ -49,7 +64,7 @@
                     <a class="nav-link" ui-sref="AdminPanel" >Admin-Panel</a>
                 </li>
                 <li class="nav-item">
-                    <a class="nav-link" onclick="purgeUser()" style="cursor:pointer" ui-sref="login">Logout</a>
+                    <a class="nav-link" onclick="logoutUser()" style="cursor:pointer">Logout</a>
                 </li>
             </ul>
         <ul class="navbar-nav mr-auto justify-content-end" ng-if="!isLoggedIn">
diff --git a/api-gateway/src/test/java/com/petclinic/bffapigateway/domainclientlayer/AuthServiceClientIntegrationTest.java b/api-gateway/src/test/java/com/petclinic/bffapigateway/domainclientlayer/AuthServiceClientIntegrationTest.java
index 1bf93868c6..1468a79696 100644
--- a/api-gateway/src/test/java/com/petclinic/bffapigateway/domainclientlayer/AuthServiceClientIntegrationTest.java
+++ b/api-gateway/src/test/java/com/petclinic/bffapigateway/domainclientlayer/AuthServiceClientIntegrationTest.java
@@ -16,10 +16,12 @@
 import org.junit.jupiter.api.*;
 import org.mockito.Mockito;
 import org.springframework.boot.test.mock.mockito.MockBean;
+import org.springframework.http.HttpCookie;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
 import org.springframework.http.server.reactive.ServerHttpRequest;
 import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
+import org.springframework.mock.http.server.reactive.MockServerHttpResponse;
 import org.springframework.web.reactive.function.client.WebClient;
 import reactor.core.publisher.Flux;
 import reactor.core.publisher.Mono;
@@ -331,7 +333,33 @@ void ShouldLoginUser_ShouldReturnOk() throws Exception {
                 .verifyComplete();
         }
 
+    @Test
+    @DisplayName("Should logout a user")
+    void shouldLogoutUser_shouldReturnNoContent() throws Exception {
+        final MockResponse loginMockResponse = new MockResponse()
+                .setHeader("Content-Type", "application/json")
+                .setResponseCode(200);
+        server.enqueue(loginMockResponse);
+        ServerHttpRequest loginRequest = MockServerHttpRequest.post("/users/login").build();
+        Login login = Login.builder()
+                .email("email")
+                .password("password")
+                .build();
+        final Mono<ResponseEntity<UserPasswordLessDTO>> validatedTokenResponse = authServiceClient.login(Mono.just(login));
+        ServerHttpRequest logoutRequest = MockServerHttpRequest.post("/users/logout")
+                .cookie(new HttpCookie("Bearer", "some_valid_token"))
+                .build();
+        MockServerHttpResponse logoutMockResponse = new MockServerHttpResponse();
 
+        final Mono<ResponseEntity<Void>> logoutResponse = authServiceClient.logout(logoutRequest, logoutMockResponse);
+
+        StepVerifier.create(logoutResponse)
+                .consumeNextWith(responseEntity -> {
+                    // Verify the HTTP status code directly
+                    assertEquals(HttpStatus.NO_CONTENT, responseEntity.getStatusCode());
+                })
+                .verifyComplete();
+    }
 
     @Test
     @DisplayName("Should send a forgotten email")
diff --git a/api-gateway/src/test/java/com/petclinic/bffapigateway/presentationlayer/ApiGatewayControllerTest.java b/api-gateway/src/test/java/com/petclinic/bffapigateway/presentationlayer/ApiGatewayControllerTest.java
index 8ca5343baa..3e7162f0fd 100755
--- a/api-gateway/src/test/java/com/petclinic/bffapigateway/presentationlayer/ApiGatewayControllerTest.java
+++ b/api-gateway/src/test/java/com/petclinic/bffapigateway/presentationlayer/ApiGatewayControllerTest.java
@@ -42,6 +42,7 @@
 import org.springframework.core.io.Resource;
 import org.springframework.http.*;
 import org.springframework.http.server.reactive.ServerHttpRequest;
+import org.springframework.http.server.reactive.ServerHttpResponse;
 import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
 import org.springframework.test.context.ContextConfiguration;
 import org.springframework.test.context.junit4.SpringRunner;
@@ -60,6 +61,7 @@
 import javax.print.attribute.standard.Media;
 import java.io.IOException;
 import java.nio.charset.StandardCharsets;
+import java.time.Instant;
 import java.time.LocalDateTime;
 import java.time.format.DateTimeFormatter;
 import java.util.*;
@@ -2926,6 +2928,35 @@ void login_invalid() throws Exception {
     }
 
 
+    @Test
+    @DisplayName("Should Logout with a Valid Session, Clearing Bearer Cookie, and Returning 204")
+    void logout_shouldClearBearerCookie() {
+        MultiValueMap<String, String> headers = new LinkedMultiValueMap<>();
+        headers.add(HttpHeaders.COOKIE, "Bearer=some.token.value; Path=/; HttpOnly; SameSite=Lax");
+        when(authServiceClient.logout(any(ServerHttpRequest.class), any(ServerHttpResponse.class)))
+                .thenReturn(Mono.just(ResponseEntity.noContent().build()));
+        client.post()
+                .uri("/api/gateway/users/logout")
+                .headers(httpHeaders -> httpHeaders.putAll(headers))
+                .exchange()
+                .expectStatus().isNoContent()
+                .expectHeader().doesNotExist(HttpHeaders.SET_COOKIE);
+    }
+
+    @Test
+    @DisplayName("Given Expired Session, Logout Should Return 401")
+    void logout_shouldReturnUnauthorizedForExpiredSession() {
+        MultiValueMap<String, String> headers = new LinkedMultiValueMap<>();
+        when(authServiceClient.logout(any(ServerHttpRequest.class), any(ServerHttpResponse.class)))
+                .thenReturn(Mono.just(ResponseEntity.status(HttpStatus.UNAUTHORIZED).build()));
+        client.post()
+                .uri("/api/gateway/users/logout")
+                .headers(httpHeaders -> httpHeaders.putAll(headers))
+                .exchange()
+                .expectStatus().isUnauthorized()
+                .expectHeader().doesNotExist(HttpHeaders.SET_COOKIE);
+    }
+
 
 private InventoryResponseDTO buildInventoryDTO(){
         return InventoryResponseDTO.builder()
@@ -3306,6 +3337,9 @@ void testAddProductToInventory_InvalidInventoryId_ShouldReturnNotFoundException(
 
 
 
+
+
+
     private ProductResponseDTO buildProductDTO(){
         return ProductResponseDTO.builder()
                 .id("1")