From 7d2d1d971ab91ec469fadcf2cd7972e97ec9cf17 Mon Sep 17 00:00:00 2001
From: Thomas Kaul <4159106+dtslvr@users.noreply.github.com>
Date: Tue, 11 Apr 2023 18:04:18 +0200
Subject: [PATCH] Feature/deprecate get auth endpoint (#1851)
* Deprecate GET auth endpoint
* Update documentation
* Update changelog
---
 CHANGELOG.md | 6 ++++++
 README.md | 4 +++-
 apps/api/src/app/auth/auth.controller.ts | 21 +++++++++++++++++++++
 3 files changed, 30 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9d788c7c..a49129fc 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,12 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+## Unreleased
+
+### Changed
+
+- Deprecated the `auth` endpoint of the login with _Security Token_ (`GET`)
+
 ## 1.252.1 - 2023-04-10
 ### Changed
diff --git a/README.md b/README.md
index 142051c8..e5bff2e4 100644
--- a/README.md
+++ b/README.md
@@ -200,7 +200,9 @@ Set the header for each request as follows:
 "Authorization": "Bearer eyJh..."
 ```
-You can get the _Bearer Token_ via `GET http://localhost:3333/api/v1/auth/anonymous/` or `curl -s http://localhost:3333/api/v1/auth/anonymous/`.
+You can get the _Bearer Token_ via `POST http://localhost:3333/api/v1/auth/anonymous` (Body: `{ accessToken: }`)
+
+Deprecated: `GET http://localhost:3333/api/v1/auth/anonymous/` or `curl -s http://localhost:3333/api/v1/auth/anonymous/`.
 ### Import Activities
diff --git a/apps/api/src/app/auth/auth.controller.ts b/apps/api/src/app/auth/auth.controller.ts
index 715c284f..1050fe5b 100644
--- a/apps/api/src/app/auth/auth.controller.ts
+++ b/apps/api/src/app/auth/auth.controller.ts
@@ -7,6 +7,7 @@ import {
 Controller,
 Get,
 HttpException,
+ Param,
 Post,
 Req,
 Res,
@@ -32,6 +33,26 @@ export class AuthController {
 private readonly webAuthService: WebAuthService
 ) {}
+ /**
+ * @deprecated
+ */
+ @Get('anonymous/:accessToken')
+ public async accessTokenLoginGet(
+ @Param('accessToken') accessToken: string
+ ): Promise {
+ try {
+ const authToken = await this.authService.validateAnonymousLogin(
+ accessToken
+ );
+ return { authToken };
+ } catch {
+ throw new HttpException(
+ getReasonPhrase(StatusCodes.FORBIDDEN),
+ StatusCodes.FORBIDDEN
+ );
+ }
+ }
+ @Post('anonymous') + public async accessTokenLogin( + @Body() body: { accessToken: string }
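Review bot: The deprecation of `accessTokenLoginGet` exists only as a bare `@deprecated` JSDoc tag, so it tells maintainers neither why the route is being retired nor what replaces it, and a client that still calls `GET anonymous/:accessToken` receives no signal at all. I would expand the tag to `@deprecated Use POST anonymous with the access token in the request body instead; a credential carried in the URL path typically lands in server, proxy and browser-history logs.` and, because the route handles a live credential, add a `Deprecation`/`Sunset` response header (RFC 8594) via `@Header` from `@nestjs/common` — which would also need adding to the import list in the first hunk — or at least a warning log, so remaining GET callers can be identified before the route is removed. If the body of `accessTokenLogin` just below (outside the hunk) is the same validate-or-403 logic, the GET handler could delegate with `return this.accessTokenLogin({ accessToken });` rather than duplicating it. The enclosing `AuthController` class starts outside the hunk.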