/**
* Gets a session's info. This end point requires authentication and can only be accessed by
* ROLE_ADMIN users and the owner of the session being browsed.
*
* @param sessionHeader The authentication header. Feed into UserSession.resume().
* @param username The username from the URL.
* @param sessionId The unique session identifier.
* @return 200 OK.
*/
@GET
@Produces(MediaType.APPLICATION_JSON)
@Path("{sessionId}")
public Response getSession(
@HeaderParam(UserSession.HEADER) String sessionHeader,
@PathParam("username") String username,
@PathParam("sessionId") String sessionId)
throws ApiException {
SQLConnection sql = SQLConnection.connectDefault();
UserSession session = null;
UserSession desired = null;
try {
session = UserSession.resume(sql, sessionHeader);
desired = UserSession.resume(sql, username, sessionId);
OMUtil.adminOrOwnerCheck(session.getUser(), desired.getUser());
} finally {
sql.close();
}
UserSessionResponse response = desired.toResponse(ApiStatus.OK);
return Response.ok(response.serialize()).build();
}
/**
* Deletes all of a user's sessions. Requires authentication by the session owner or a ROLE_ADMIN
* user.
*
* @param sessionHeader The authentication information of the caller.
* @param username The username of the session owner.
* @return 200 OK.
*/
@DELETE
@Produces(MediaType.APPLICATION_JSON)
public Response deleteAllSessions(
@HeaderParam(UserSession.HEADER) String sessionHeader, @PathParam("username") String username)
throws ApiException {
SQLConnection sql = SQLConnection.connectDefault();
try {
UserSession session = UserSession.resume(sql, sessionHeader);
if (!session.getUser().getUsername().equals(username)
&& !session.getUser().isRole("ROLE_ADMIN")) {
throw new ApiException(ApiStatus.ACCESS_DENIED);
}
UserSession.endAll(sql, username);
} finally {
sql.close();
}
// TODO: we should probably return the sessions that were killed.
ApiResponse response = new ApiResponse(ApiStatus.OK);
return Response.ok(response.serialize()).build();
}