From df36c583e9a8a8dd3faf8eacec73aa008fb44974 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20=C5=A0pan=C4=9Bl?=
Date: Thu, 31 Oct 2019 16:21:18 +0100
Subject: [PATCH] Avoid cookie parameters (unreliable for Scala.js). Fix some session id issues.
---
 .../com/github/opengrabeso/mixtio/requests/UdashApp.scala | 2 +-
 .../com/github/opengrabeso/mixtio/rest/RestAPIServer.scala | 5 +++--
 .../mixtio/frontend/services/UserContextService.scala | 4 ++--
 .../scala/com/github/opengrabeso/mixtio/rest/RestAPI.scala | 2 +-
 4 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/backend/src/main/scala/com/github/opengrabeso/mixtio/requests/UdashApp.scala b/backend/src/main/scala/com/github/opengrabeso/mixtio/requests/UdashApp.scala
index 60e2e62d..c12ea775 100644
--- a/backend/src/main/scala/com/github/opengrabeso/mixtio/requests/UdashApp.scala
+++ b/backend/src/main/scala/com/github/opengrabeso/mixtio/requests/UdashApp.scala
@@ -20,7 +20,7 @@ object UdashApp extends DefineRequest("/app") {
diff --git a/backend/src/main/scala/com/github/opengrabeso/mixtio/rest/RestAPIServer.scala b/backend/src/main/scala/com/github/opengrabeso/mixtio/rest/RestAPIServer.scala
index e8424b53..1c39f317 100644
--- a/backend/src/main/scala/com/github/opengrabeso/mixtio/rest/RestAPIServer.scala
+++ b/backend/src/main/scala/com/github/opengrabeso/mixtio/rest/RestAPIServer.scala
@@ -36,11 +36,12 @@ object RestAPIServer extends RestAPI with RestAPIUtils {
 }
 def userAPI(userId: String, authCode: String, session: String): UserRestAPI = {
- println(s"Try userAPI for user $userId, session $session")
+ val logging = false
+ if (logging) println(s"Try userAPI for user $userId, session $session")
 val auth = Storage.load[StravaAuthResult](sessionFileName(session, userId, "auth"))
 auth.map { a =>
 if (a.code == authCode) {
- println(s"Get userAPI for user $userId, session $session, auth.session ${a.sessionId}")
+ if (logging) println(s"Get userAPI for user $userId, session $session, auth.session ${a.sessionId}")
 new UserRestAPIServer(a)
 } else {
 throw HttpErrorException(401, "Provided auth code '$authCode' does not match the one stored on the server")
diff --git a/frontend/src/main/scala/com/github/opengrabeso/mixtio/frontend/services/UserContextService.scala b/frontend/src/main/scala/com/github/opengrabeso/mixtio/frontend/services/UserContextService.scala
index 2ca46315..cd73a96a 100644
--- a/frontend/src/main/scala/com/github/opengrabeso/mixtio/frontend/services/UserContextService.scala
+++ b/frontend/src/main/scala/com/github/opengrabeso/mixtio/frontend/services/UserContextService.scala
@@ -56,7 +56,7 @@ class UserContextService(rpc: rest.RestAPI)(implicit ec: ExecutionContext) {
 private var userData: Option[UserContextData] = None
 def login(userId: String, authCode: String): UserContext = {
- val sessionId = "api-session-" + System.currentTimeMillis().toString
+ val sessionId = facade.UdashApp.sessionId
 println(s"Login user $userId session $sessionId")
 val ctx = new UserContextData(userId, sessionId, authCode, rpc)
 userData = Some(ctx)
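Review bot: In `RestAPIServer.userAPI`, `session` and `userId` go straight into `sessionFileName(session, userId, "auth")`, and this commit makes both of them URL path segments, yet no format check is visible before the storage name is built. `sessionFileName` and `Storage.load` are not shown here, so unless they already restrict the characters, reject anything outside the id format the server issues before the load, for example `if (!session.matches("[A-Za-z0-9_-]+")) throw HttpErrorException(400, "Malformed session id")` (the pattern is a constructed sample). The secret comparison `a.code == authCode` would be better as `java.security.MessageDigest.isEqual(a.code.getBytes("UTF-8"), authCode.getBytes("UTF-8"))`, which does not stop at the first differing character. The 401 message has no `s` prefix and so prints the literal `$authCode`; drop the placeholder from the text rather than adding the interpolator, so the submitted code is never echoed back. The body of `userAPI` continues past the end of the hunk.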
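Review bot: In `UserContextService.login`, the unchanged `println(s"Login user $userId session $sessionId")` still writes the session id to the browser console, while this commit silences the equivalent messages in `RestAPIServer.userAPI` and in `api` further down this file. The id is one of the values that authorises `userAPI` calls, so the message should leave it out, e.g. `println(s"Login user $userId")`. In the `api` hunk the old `println` is commented out rather than deleted; removing the line is cleaner than keeping a commented-out statement that prints the same id. `facade.UdashApp.sessionId` is defined outside this patch, so whether it is generated server-side with enough entropy has to be confirmed there, and the body of `login` continues past the end of the hunk.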
@@ -76,7 +76,7 @@ class UserContextService(rpc: rest.RestAPI)(implicit ec: ExecutionContext) {
 }
 def api: Option[rest.UserRestAPI] = userData.map { data =>
- println(s"Call userAPI user ${data.context.userId} session ${data.sessionId}")
+ //println(s"Call userAPI user ${data.context.userId} session ${data.sessionId}")
 rpc.userAPI(data.context.userId, data.context.authCode, data.sessionId)
 }
 }
diff --git a/shared-js/src/main/scala/com/github/opengrabeso/mixtio/rest/RestAPI.scala b/shared-js/src/main/scala/com/github/opengrabeso/mixtio/rest/RestAPI.scala
index bd312a22..22679c68 100644
--- a/shared-js/src/main/scala/com/github/opengrabeso/mixtio/rest/RestAPI.scala
+++ b/shared-js/src/main/scala/com/github/opengrabeso/mixtio/rest/RestAPI.scala
@@ -13,7 +13,7 @@ trait RestAPI {
 def identity(@Path in: String): Future[String]
 @Prefix("user")
- def userAPI(@Path userId: String, @Cookie authCode: String, @Cookie sessionId: String): UserRestAPI
+ def userAPI(@Path userId: String, @Path authCode: String, @Path sessionId: String): UserRestAPI
 @GET
 def now: Future[ZonedDateTime]
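Review bot: In `RestAPI.userAPI`, changing `authCode` and `sessionId` from `@Cookie` to `@Path` puts both credentials into the URL of every request under the `user` prefix, where they are recorded in server and proxy access logs, browser history and any error report that captures the URL. If cookies are unreliable from Scala.js, a request header keeps them out of the URL: `def userAPI(@Path userId: String, @Header("X-Auth-Code") authCode: String, @Header("X-Session-Id") sessionId: String): UserRestAPI` (the header names are constructed examples). If the path form has to stay, the server's access logging should mask these segments and the auth code should be short-lived.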