feat(security): add session cookie configuration and global exception handling

OtavioXimarelli · OtavioXimarelli · commit aad0e941329e · 2025-08-20T09:27:05.000-03:00
diff --git a/src/main/java/com/otavio/aifoodapp/config/SessionCookieConfig.java b/src/main/java/com/otavio/aifoodapp/config/SessionCookieConfig.java
@@ -0,0 +1,71 @@
+package com.otavio.aifoodapp.config;
+
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.boot.web.servlet.server.CookieSameSiteSupplier;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.session.web.http.CookieSerializer;
+import org.springframework.session.web.http.DefaultCookieSerializer;
+
+import lombok.extern.slf4j.Slf4j;
+
+/**
+ * Configuration for session cookies
+ * This ensures cookies are properly set in production environment
+ */
+@Configuration
+@Slf4j
+public class SessionCookieConfig {
+
+    @Value("${COOKIE_SECURE:false}")
+    private boolean cookieSecure;
+    
+    @Value("${COOKIE_SAME_SITE:lax}")
+    private String cookieSameSite;
+    
+    @Value("${COOKIE_DOMAIN:}")
+    private String cookieDomain;
+
+    /**
+     * Configure cookie serializer for Spring Session
+     */
+    @Bean
+    public CookieSerializer cookieSerializer() {
+        DefaultCookieSerializer serializer = new DefaultCookieSerializer();
+        
+        log.info("Configuring session cookies with secure={}, sameSite={}, domain={}",
+                cookieSecure, cookieSameSite, cookieDomain.isEmpty() ? "default" : cookieDomain);
+        
+        // Set secure flag based on environment
+        serializer.setUseSecureCookie(cookieSecure);
+        
+        // Set cookie name
+        serializer.setCookieName("JSESSIONID");
+        
+        // Set domain if provided
+        if (!cookieDomain.isEmpty()) {
+            serializer.setDomainName(cookieDomain);
+            log.info("Setting cookie domain to: {}", cookieDomain);
+        }
+        
+        // Set cookie path to root to be accessible from all paths
+        serializer.setCookiePath("/");
+        
+        // Set SameSite attribute
+        // Note: DefaultCookieSerializer doesn't support SameSite directly in older Spring versions
+        serializer.setSameSite(cookieSameSite);
+        
+        // Configure session cookie for maximum browser compatibility
+        serializer.setUseHttpOnlyCookie(true);
+        
+        return serializer;
+    }
+    
+    /**
+     * Configure SameSite attribute for all cookies
+     */
+    @Bean
+    public CookieSameSiteSupplier applicationCookieSameSiteSupplier() {
+        return CookieSameSiteSupplier.ofLax();
+    }
+}
diff --git a/src/main/java/com/otavio/aifoodapp/controller/AuthController.java b/src/main/java/com/otavio/aifoodapp/controller/AuthController.java
@@ -50,6 +50,14 @@ public AuthController(FoodItemService foodItemService, TokenService tokenService
     
     @GetMapping("/status")
     public ResponseEntity<?> authStatus(HttpServletRequest request) {
+        log.info("=== AUTH STATUS CHECK ===");
+        log.info("Request URI: {}, Method: {}", request.getRequestURI(), request.getMethod());
+        log.info("Remote IP: {}, User-Agent: {}", request.getRemoteAddr(), request.getHeader("User-Agent"));
+        log.info("Host: {}, Origin: {}, Referer: {}", 
+                request.getHeader("Host"), 
+                request.getHeader("Origin"), 
+                request.getHeader("Referer"));
+
         // Obter ID da sessão ou IP se não houver sessão
         HttpSession session = request.getSession(false);
         String sessionId = session != null ? session.getId() : request.getRemoteAddr();
diff --git a/src/main/java/com/otavio/aifoodapp/controller/GlobalExceptionHandler.java b/src/main/java/com/otavio/aifoodapp/controller/GlobalExceptionHandler.java
@@ -0,0 +1,59 @@
+package com.otavio.aifoodapp.controller;
+
+import java.util.Map;
+
+import org.springframework.http.HttpStatus;
+import org.springframework.http.ResponseEntity;
+import org.springframework.web.bind.annotation.ControllerAdvice;
+import org.springframework.web.bind.annotation.ExceptionHandler;
+import org.springframework.web.context.request.WebRequest;
+import org.springframework.web.servlet.mvc.method.annotation.ResponseEntityExceptionHandler;
+
+import lombok.extern.slf4j.Slf4j;
+
+/**
+ * Global exception handler for all API endpoints
+ */
+@ControllerAdvice
+@Slf4j
+public class GlobalExceptionHandler extends ResponseEntityExceptionHandler {
+
+    /**
+     * Handle all uncaught exceptions
+     */
+    @ExceptionHandler(Exception.class)
+    public ResponseEntity<?> handleAllExceptions(Exception ex, WebRequest request) {
+        log.error("Unhandled exception: {}", ex.getMessage(), ex);
+        
+        return ResponseEntity
+                .status(HttpStatus.INTERNAL_SERVER_ERROR)
+                .body(Map.of(
+                    "error", "internal_server_error",
+                    "message", "An unexpected error occurred",
+                    "path", request.getDescription(false).replace("uri=", ""),
+                    "status", 500
+                ));
+    }
+    
+    /**
+     * Handle security-related exceptions
+     */
+    @ExceptionHandler({
+        org.springframework.security.access.AccessDeniedException.class,
+        org.springframework.security.authentication.AuthenticationCredentialsNotFoundException.class,
+        org.springframework.security.authentication.BadCredentialsException.class,
+        org.springframework.security.core.AuthenticationException.class
+    })
+    public ResponseEntity<?> handleSecurityExceptions(Exception ex, WebRequest request) {
+        log.warn("Security exception: {}", ex.getMessage(), ex);
+        
+        return ResponseEntity
+                .status(HttpStatus.UNAUTHORIZED)
+                .body(Map.of(
+                    "error", "unauthorized",
+                    "message", "Authentication required",
+                    "path", request.getDescription(false).replace("uri=", ""),
+                    "status", 401
+                ));
+    }
+}
diff --git a/src/main/java/com/otavio/aifoodapp/controller/HealthController.java b/src/main/java/com/otavio/aifoodapp/controller/HealthController.java
@@ -0,0 +1,28 @@
+package com.otavio.aifoodapp.controller;
+
+import java.util.Map;
+
+import org.springframework.http.ResponseEntity;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+/**
+ * Simple health check controller
+ * Use this to check if the application is running correctly
+ */
+@RestController
+public class HealthController {
+
+    /**
+     * Basic health check endpoint
+     * This endpoint is publicly accessible and doesn't require authentication
+     */
+    @GetMapping("/health")
+    public ResponseEntity<?> healthCheck() {
+        return ResponseEntity.ok(Map.of(
+            "status", "UP",
+            "service", "AiFoodApp",
+            "timestamp", System.currentTimeMillis()
+        ));
+    }
+}
diff --git a/src/main/java/com/otavio/aifoodapp/controller/UserInfoController.java b/src/main/java/com/otavio/aifoodapp/controller/UserInfoController.java
@@ -1,7 +1,7 @@
 package com.otavio.aifoodapp.controller;
 
-import java.util.Map;
 import java.util.HashMap;
+import java.util.Map;
 
 import org.springframework.http.ResponseEntity;
 import org.springframework.security.core.Authentication;
@@ -37,6 +37,8 @@ public UserInfoController(UserService userService) {
     public ResponseEntity<?> getUserInfo() {
         Authentication auth = SecurityContextHolder.getContext().getAuthentication();
         
+        log.info("GET /api/auth - Authentication: {}", auth != null ? auth.getName() : "null");
+        
         if (auth != null && auth.isAuthenticated() && !"anonymousUser".equals(auth.getPrincipal())) {
             log.debug("Fornecendo informações para usuário autenticado: {}", auth.getName());
             
@@ -72,9 +74,12 @@ public ResponseEntity<?> getUserInfo() {
             }
         }
         
-        log.debug("Tentativa de acesso a /api/auth sem autenticação");
-        return ResponseEntity.status(401).body(Map.of(
-            "error", "unauthorized",
+        log.info("Tentativa de acesso a /api/auth sem autenticação (auth: {})", 
+                auth != null ? auth.getClass().getSimpleName() : "null");
+                
+        // Return 200 with authenticated: false instead of 401 to avoid browser issues
+        return ResponseEntity.ok(Map.of(
+            "error", "not_authenticated",
             "authenticated", false,
             "message", "Usuário não autenticado"
         ));
diff --git a/src/main/java/com/otavio/aifoodapp/security/SecurityConfig.java b/src/main/java/com/otavio/aifoodapp/security/SecurityConfig.java
@@ -77,6 +77,9 @@ public SecurityFilterChain securityFilterChain(HttpSecurity http, @Qualifier("co
                         // Allow error endpoint
                         .requestMatchers("/error").permitAll()
                         
+                        // Allow health check endpoint
+                        .requestMatchers("/health").permitAll()
+                        
                         // Allow test authentication endpoints for debugging
                         .requestMatchers("/api/foods/test-auth").permitAll()
                         
