I usually post about Security on Twitter - you can follow me there:
1. Overview
In the earlier parts of this case study, we set up a simple app and an OAuth authentication process with the Reddit API.
Let’s now build something useful with Reddit – support for scheduling Posts for latter.
2. The User and the Post
First, let’s create the 2 main entities – the User and the Post. The User will keep track of the username plus some additional Oauth info:
@Entity
public class User {
@Id
@GeneratedValue(strategy = GenerationType.AUTO)
private Long id;
@Column(nullable = false)
private String username;
private String accessToken;
private String refreshToken;
private Date tokenExpiration;
private boolean needCaptcha;
// standard setters and getters
}
Next – the Post entity – holding the information necessary for submitting a link to Reddit: title, URL, subreddit, … etc.
@Entity
public class Post {
@Id
@GeneratedValue(strategy = GenerationType.AUTO)
private Long id;
@Column(nullable = false) private String title;
@Column(nullable = false) private String subreddit;
@Column(nullable = false) private String url;
private boolean sendReplies;
@Column(nullable = false) private Date submissionDate;
private boolean isSent;
private String submissionResponse;
@ManyToOne
@JoinColumn(name = "user_id", nullable = false)
private User user;
// standard setters and getters }
3. The Persistence Layer
We’re going to use Spring Data JPA for persistence, so there’s not a whole lot to look at here, other than the well-known interface definitions for our repositories:
- UserRepository:
public interface UserRepository extends JpaRepository<User, Long> {
User findByUsername(String username);
User findByAccessToken(String token);
}
- PostRepository:
public interface PostRepository extends JpaRepository<Post, Long> {
List<Post> findBySubmissionDateBeforeAndIsSent(Date date, boolean isSent);
List<Post> findByUser(User user);
}
4. A Scheduler
For the scheduling aspects of the app, we’re also going to make good use of the out-of-the-box Spring support.
We’re defining a task to run every minute; this will simply look for Posts that are due to be submitted to Reddit:
public class ScheduledTasks {
private final Logger logger = LoggerFactory.getLogger(getClass());
private OAuth2RestTemplate redditRestTemplate;
@Autowired
private PostRepository postReopsitory;
@Scheduled(fixedRate = 1 * 60 * 1000)
public void reportCurrentTime() {
List<Post> posts =
postReopsitory.findBySubmissionDateBeforeAndIsSent(new Date(), false);
for (Post post : posts) {
submitPost(post);
}
}
private void submitPost(Post post) {
try {
User user = post.getUser();
DefaultOAuth2AccessToken token =
new DefaultOAuth2AccessToken(user.getAccessToken());
token.setRefreshToken(new DefaultOAuth2RefreshToken((user.getRefreshToken())));
token.setExpiration(user.getTokenExpiration());
redditRestTemplate.getOAuth2ClientContext().setAccessToken(token);
UsernamePasswordAuthenticationToken userAuthToken =
new UsernamePasswordAuthenticationToken(
user.getUsername(), token.getValue(),
Arrays.asList(new SimpleGrantedAuthority("ROLE_USER")));
SecurityContextHolder.getContext().setAuthentication(userAuthToken);
MultiValueMap<String, String> param = new LinkedMultiValueMap<String, String>();
param.add("api_type", "json");
param.add("kind", "link");
param.add("resubmit", "true");
param.add("then", "comments");
param.add("title", post.getTitle());
param.add("sr", post.getSubreddit());
param.add("url", post.getUrl());
if (post.isSendReplies()) {
param.add(RedditApiConstants.SENDREPLIES, "true");
}
JsonNode node = redditRestTemplate.postForObject(
"https://oauth.reddit.com/api/submit", param, JsonNode.class);
JsonNode errorNode = node.get("json").get("errors").get(0);
if (errorNode == null) {
post.setSent(true);
post.setSubmissionResponse("Successfully sent");
postReopsitory.save(post);
} else {
post.setSubmissionResponse(errorNode.toString());
postReopsitory.save(post);
}
} catch (Exception e) {
logger.error("Error occurred", e);
}
}
}
Note that, in case of anything going wrong, the Post will not be marked as sent – so the next cycle will try to submit it again after one minute.
5. The Login Process
With the new User entity, holding some security specific information, we’ll need to modify our simple login process to store that information:
@RequestMapping("/login")
public String redditLogin() {
JsonNode node = redditRestTemplate.getForObject(
"https://oauth.reddit.com/api/v1/me", JsonNode.class);
loadAuthentication(node.get("name").asText(), redditRestTemplate.getAccessToken());
return "redirect:home.html";
}
And loadAuthentication():
private void loadAuthentication(String name, OAuth2AccessToken token) {
User user = userReopsitory.findByUsername(name);
if (user == null) {
user = new User();
user.setUsername(name);
}
if (needsCaptcha().equalsIgnoreCase("true")) {
user.setNeedCaptcha(true);
} else {
user.setNeedCaptcha(false);
}
user.setAccessToken(token.getValue());
user.setRefreshToken(token.getRefreshToken().getValue());
user.setTokenExpiration(token.getExpiration());
userReopsitory.save(user);
UsernamePasswordAuthenticationToken auth =
new UsernamePasswordAuthenticationToken(user, token.getValue(),
Arrays.asList(new SimpleGrantedAuthority("ROLE_USER")));
SecurityContextHolder.getContext().setAuthentication(auth);
}
Note how the user is automatically created if it doesn’t already exist. This makes the “Login with Reddit” process create a local user in the system on the first login.
6. The Schedule Page
Next – let’s take a look at the page that allows scheduling of new Posts:
@RequestMapping("/postSchedule")
public String showSchedulePostForm(Model model) {
boolean isCaptchaNeeded = getCurrentUser().isCaptchaNeeded();
if (isCaptchaNeeded) {
model.addAttribute("msg", "Sorry, You do not have enought karma");
return "submissionResponse";
}
return "schedulePostForm";
}
private User getCurrentUser() {
return (User) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
}
schedulePostForm.jsp:
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<html>
<body>
<form action="schedule" method="post">
<input name="title" />
<input name="url" />
<input name="sr" />
<input type="checkbox" name="sendreplies" value="true"/>
<input name="date">
<button type="submit">Post</button>
</form>
</body>
</html>
Note how we need to check the Captcha. This is because – if the user has less than 10 karma – they can’t schedule a post without filling in the Captch.
7. The POST
When the Schedule Form is submitted (POSTed), the information is stored in the database to be submitted later:
@RequestMapping("/schedule")
public String schedule(Model model, @RequestParam Map<String, String> formParams)
throws ParseException {
User user = getCurrentUser();
Post post = new Post();
post.setUser(user);
post.setSent(false);
post.setTitle(formParams.get("title"));
post.setSubreddit(formParams.get("sr"));
post.setUrl(formParams.get("url"));
if (formParams.containsKey("sendreplies")) {
post.setSendReplies(true);
}
post.setSubmissionDate(dateFormat.parse(formParams.get("date")));
if (post.getSubmissionDate().before(new Date())) {
model.addAttribute("msg", "Invalid date");
return "submissionResponse";
}
postReopsitory.save(post);
List<Post> posts = postReopsitory.findByUser(user);
model.addAttribute("posts", posts);
return "postListView";
}
8. The List of Scheduled
We can check the scheduled posts status using a simple posts view – as follows:
@RequestMapping("/posts")
public String getScheduledPosts(Model model) {
User user = getCurrentUser();
List<Post> posts = postReopsitory.findByUser(user);
model.addAttribute("posts", posts);
return "postListView";
}
postListView.jsp
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<%@ taglib prefix="fmt" uri="http://java.sun.com/jsp/jstl/fmt" %>
<html>
<body>
<table>
<c:forEach var="post" items="${posts}" >
<tr>
<td><c:out value="${post.getTitle()}"/></td>
<td><fmt:formatDate type="both"
dateStyle="long" timeStyle="long" value="${post.getSubmissionDate()}" /> </td>
<td><c:out value="${post.getSubmissionResponse()}"/></td>
<td>
<a href="editPost/${post.getId()}">Edit</a>
<a href="#" onclick="confirmDelete(${post.getId()})">Delete</a>
</td>
</tr>
</c:forEach>
</table>
</body>
</html>
9. Edit a Scheduled Post
Now – let’s see how we can edit a scheduled post.
We’ll use showEditPostForm() to show the editPostForm.jsp – as follows:
@RequestMapping(value = "/editPost/{id}", method = RequestMethod.GET)
public String showEditPostForm(Model model, @PathVariable Long id) {
Post post = postReopsitory.findOne(id);
model.addAttribute("post", post);
model.addAttribute("dateValue", dateFormat.format(post.getSubmissionDate()));
return "editPostForm";
}
And the editPostForm.jsp
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<html>
<body>
<form action="<c:url value="/updatePost/${post.getId()}" />" method="post">
<input type="hidden" name="id" value="${post.getId()}" />
<input name="title" value="${post.getTitle()}" />
<input name="url" value="${post.getUrl()}" />
<input name="sr" value="${post.getSubreddit()}" />
<input type="checkbox" name="sendreplies" value="true"
<c:if test="${post.isSendReplies()=='true'}"> checked </c:if> />
<input name="date" value="${dateValue}">
<button type="submit">Save Changes</button>
</form>
</body>
</html>
When this for is POSTed – we just save the chances:
@RequestMapping(value = "/updatePost/{id}", method = RequestMethod.POST)
public String updatePost(
Model model, @PathVariable("id") Long id, @RequestParam Map<String, String> formParams)
throws ParseException {
Post post = postReopsitory.findOne(id);
post.setTitle(formParams.get("title"));
post.setSubreddit(formParams.get("sr"));
post.setUrl(formParams.get("url"));
if (formParams.containsKey("sendreplies")) {
post.setSendReplies(true);
} else {
post.setSendReplies(false);
}
post.setSubmissionDate(dateFormat.parse(formParams.get("date")));
if (post.getSubmissionDate().before(new Date())) {
model.addAttribute("msg", "Invalid date");
return "submissionResponse";
}
postReopsitory.save(post);
return "redirect:/posts";
}
10. Unschedule/Delete a Post
We’ll also provide a simple delete operation for any of the scheduled Posts:
@RequestMapping(value = "/deletePost/{id}", method = RequestMethod.DELETE)
@ResponseStatus(HttpStatus.OK)
public void deletePost(@PathVariable("id") Long id) {
postReopsitory.delete(id);
}
Here’s how we call it from client side:
<a href="#" onclick="confirmDelete(${post.getId()})">Delete</a>
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.11.2/jquery.min.js"></script>
<script>
function confirmDelete(id) {
if (confirm("Do you really want to delete this post?") == true) {
deletePost(id);
}
}
function deletePost(id){
$.ajax({
url: 'deletePost/'+id,
type: 'DELETE',
success: function(result) {
window.location.href="posts"
}
});
}
</script>
11. Conclusion
In this part of our Reddit case-study, we built the first non-trivial bit of functionality using the Reddit API – scheduling Posts.
This is a super-useful feature for a serious Reddit user, especially considering how time-sensitive Reddit submissions are.
Next – we’ll build out an even more helpful functionality to help with getting content upvoted on Reddit – machine learning suggestions.
The full implementation of this tutorial can be found in the github project – this is an Eclipse based project, so it should be easy to import and run as it is.
I usually post about Security on Twitter - you can follow me there: