From 2410574b64b48d2e2d7f29adc3fa536b74cb601f Mon Sep 17 00:00:00 2001 From: Zaripov Emil Date: Mon, 23 Dec 2024 10:17:34 +0300 Subject: [PATCH 01/21] set version 1.9.3-SNAPSHOT --- backend/pom.xml | 2 +- distribution/pom.xml | 2 +- frontend/pom.xml | 2 +- pom.xml | 2 +- resources/pom.xml | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/backend/pom.xml b/backend/pom.xml index 41971dc..e13cb41 100644 --- a/backend/pom.xml +++ b/backend/pom.xml @@ -5,7 +5,7 @@ ru.micord.ervu.lkrp fl - 1.9.2 + 1.9.3-SNAPSHOT ru.micord.ervu.lkrp.fl backend diff --git a/distribution/pom.xml b/distribution/pom.xml index 7fac6f8..2a42d87 100644 --- a/distribution/pom.xml +++ b/distribution/pom.xml @@ -4,7 +4,7 @@ ru.micord.ervu.lkrp fl - 1.9.2 + 1.9.3-SNAPSHOT ru.micord.ervu.lkrp.fl diff --git a/frontend/pom.xml b/frontend/pom.xml index 101764d..2440862 100644 --- a/frontend/pom.xml +++ b/frontend/pom.xml @@ -4,7 +4,7 @@ ru.micord.ervu.lkrp fl - 1.9.2 + 1.9.3-SNAPSHOT ru.micord.ervu.lkrp.fl diff --git a/pom.xml b/pom.xml index 131490f..8738e22 100644 --- a/pom.xml +++ b/pom.xml @@ -4,7 +4,7 @@ 4.0.0 ru.micord.ervu.lkrp fl - 1.9.2 + 1.9.3-SNAPSHOT pom backend diff --git a/resources/pom.xml b/resources/pom.xml index e77f2c3..1516999 100644 --- a/resources/pom.xml +++ b/resources/pom.xml @@ -4,7 +4,7 @@ ru.micord.ervu.lkrp fl - 1.9.2 + 1.9.3-SNAPSHOT ru.micord.ervu.lkrp.fl From 1b98944498c73fa8eadd0d37e31315329b75549b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D0=A5=D0=B0=D0=BB=D1=82=D0=BE=D0=B1=D0=B8=D0=BD=20=D0=95?= =?UTF-8?q?=D0=B2=D0=B3=D0=B5=D0=BD=D0=B8=D0=B9?= Date: Mon, 23 Dec 2024 10:17:03 +0300 Subject: [PATCH 02/21] DEVOPS-1892: added cache settings moved from angie to nginx --- config/Dockerfile | 4 +- config/angie.conf | 84 ----------------------------- config/nginx.conf | 134 +++++++++++++++++++++++++++------------------- 3 files changed, 82 insertions(+), 140 deletions(-) delete mode 100644 config/angie.conf 
diff --git a/config/Dockerfile b/config/Dockerfile index 650380e..32531a5 100644 --- a/config/Dockerfile +++ b/config/Dockerfile @@ -1,6 +1,6 @@ ARG BUILDER_IMAGE=registry.altlinux.org/basealt/altsp:c10f1 ARG BACKEND_IMAGE=repo.micord.ru/alt/alt-tomcat:c10f1-9.0.59-20240903 -ARG FRONTEND_IMAGE=docker.angie.software/angie:latest +ARG FRONTEND_IMAGE=nginx:1.24-alpine-slim FROM $BUILDER_IMAGE AS builder @@ -45,5 +45,5 @@ COPY --from=builder /app/frontend/target/frontend*.war /var/lib/tomcat/webapps/R FROM $FRONTEND_IMAGE AS frontend -COPY config/angie.conf /etc/angie/angie.conf +COPY config/nginx.conf /etc/nginx/nginx.conf COPY --from=builder /app/frontend/dist /frontend diff --git a/config/angie.conf b/config/angie.conf deleted file mode 100644 index 18b7f40..0000000 --- a/config/angie.conf +++ /dev/null 
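Review bot: `FRONTEND_IMAGE=nginx:1.24-alpine-slim` in the first Dockerfile hunk is a mutable tag with no registry prefix, so the build resolves it against whatever default registry or mirror the builder is configured with, unlike the two fully qualified images above it. Pinning the digest makes the frontend base reproducible and makes an image swap visible in review: `ARG FRONTEND_IMAGE=docker.io/library/nginx:1.24-alpine-slim@sha256:<digest-of-the-vetted-image>`. The 1.24 branch is also no longer the current nginx stable line, so it is worth confirming that the tag still receives the security fixes this deployment needs.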
@@ -1,84 +0,0 @@ -include /etc/angie/modules-enabled.d/*.conf; - -worker_processes 10; - -error_log /var/log/angie/error.log; - -events { - worker_connections 1024; -} - -include /etc/angie/conf-enabled.d/*.conf; - -http { - include /etc/angie/mime.types; - default_type application/octet-stream; - - sendfile on; - - gzip on; - - # text/html doesn't need to be defined there, it's compressed always - gzip_types text/plain text/css text/xml application/x-javascript application/atom+xml; - - # gzip_comp_level 9; - include /etc/angie/sites-enabled.d/*.conf; - - log_format angie_main - '$remote_addr - $remote_user [$time_local] $request ' - '"$status" $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for" ' - '"$request_filename" "$gzip_ratio" $upstream_response_time server: $host : $document_root $fastcgi_script_name '; - - server { - listen 80 default; - - access_log /var/log/angie/access.log angie_main; - error_log /var/log/angie/error.log error; - - charset utf-8; - - client_max_body_size 32m; - - ## - # `gzip` Settings - # - # - gzip on; - gzip_disable "msie6"; - - gzip_vary on; - gzip_proxied any; - gzip_comp_level 6; - gzip_buffers 16 8k; - gzip_http_version 1.1; - gzip_min_length 256; - gzip_types - application/atom+xml - application/geo+json - application/javascript - application/x-javascript - application/json - application/ld+json - application/manifest+json - application/rdf+xml - application/rss+xml - application/xhtml+xml - application/xml - font/eot - font/otf - font/ttf - image/svg+xml - text/css - text/javascript - text/plain - text/xml; - - location / { - root /frontend; - index index.html; - expires -1; - try_files $uri $uri/ $uri/index.html; - } - } -} diff --git a/config/nginx.conf b/config/nginx.conf index 4dd7864..93bb7ad 100644 --- a/config/nginx.conf +++ b/config/nginx.conf 
@@ -11,74 +11,100 @@ events { include /etc/nginx/conf-enabled.d/*.conf; http { - include /etc/nginx/mime.types; + include /etc/nginx/mime.types; default_type application/octet-stream; - sendfile on; + sendfile on; - gzip on; + gzip on; - # text/html doesn't need to be defined there, it's compressed always - gzip_types text/plain text/css text/xml application/x-javascript application/atom+xml; + # text/html doesn't need to be defined there, it's compressed always + gzip_types text/plain text/css text/xml application/x-javascript application/atom+xml; - # gzip_comp_level 9; - include /etc/nginx/sites-enabled.d/*.conf; + # gzip_comp_level 9; + include /etc/nginx/sites-enabled.d/*.conf; - log_format nginx_main - '$remote_addr - $remote_user [$time_local] $request ' - '"$status" $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for" ' - '"$request_filename" "$gzip_ratio" $upstream_response_time server: $host : $document_root $fastcgi_script_name '; + log_format nginx_main + '$remote_addr - $remote_user [$time_local] $request ' + '"$status" $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for" ' + '"$request_filename" "$gzip_ratio" $upstream_response_time server: $host : $document_root $fastcgi_script_name '; - server { - listen 80 default; + server { + listen 80 default; access_log /var/log/nginx/access.log nginx_main; - error_log /var/log/nginx/error.log error; + error_log /var/log/nginx/error.log error; - charset utf-8; + charset utf-8; - client_max_body_size 32m; + client_max_body_size 32m; - ## - # `gzip` Settings - # - # - gzip on; - gzip_disable "msie6"; + ## + # `gzip` Settings + # + # + gzip on; + gzip_disable "msie6"; - gzip_vary on; - gzip_proxied any; - gzip_comp_level 6; - gzip_buffers 16 8k; - gzip_http_version 1.1; - gzip_min_length 256; - gzip_types - application/atom+xml + gzip_vary on; + gzip_proxied any; + gzip_comp_level 6; + gzip_buffers 16 8k; + gzip_http_version 1.1; + gzip_min_length 256; + 
gzip_types + application/atom+xml application/geo+json application/javascript - application/x-javascript - application/json - application/ld+json - application/manifest+json - application/rdf+xml - application/rss+xml - application/xhtml+xml - application/xml - font/eot - font/otf - font/ttf - image/svg+xml - text/css - text/javascript - text/plain - text/xml; + application/x-javascript + application/json + application/ld+json + application/manifest+json + application/rdf+xml + application/rss+xml + application/xhtml+xml + application/xml + font/eot + font/otf + font/ttf + image/svg+xml + text/css + text/javascript + text/plain + text/xml; - location / { - root /frontend; - index index.html; - expires -1; - try_files $uri $uri/ $uri/index.html; - } - } + location / { + root /frontend; + index index.html; + try_files $uri @index; + + # Media: images, icons, video, audio, HTC + location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|mp3|ogg|ogv|webm|htc|woff2|woff|ttf)$ { + expires 1M; + access_log off; + # max-age must be in seconds + add_header Cache-Control "max-age=2629746, public"; + } + # CSS and Javascript + location ~* \.(?:css|js)$ { + expires 1y; + access_log off; + add_header Cache-Control "max-age=31556952, public"; + } + } + + location @index { + root /frontend; + add_header Cache-Control no-cache; + expires 0; + try_files /index.html =404; + } + + location = /health { + access_log off; + add_header 'Content-Type' 'application/json'; + return 200 '{"status":"UP"}'; + } + } } From b8c5b75f2b2500145e8849f3717d46ca09b4a16c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D0=A0=D0=B0=D1=83=D1=84=20=D0=9B=D0=B0=D1=82=D1=8B=D0=BF?= =?UTF-8?q?=D0=BE=D0=B2?= Date: Thu, 19 Dec 2024 23:47:39 +0300 Subject: [PATCH 03/21] SUPPORT-8796: add data into response dto --- .../ru/micord/ervu/converter/SummonsResponseDataConverter.java | 2 ++ 1 file changed, 2 insertions(+) 
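Review bot: In `location = /health` of config/nginx.conf, `add_header 'Content-Type' 'application/json';` does not replace the type nginx sets itself, so the `return 200` body goes out with the `default_type application/octet-stream` header plus a second Content-Type; use `default_type application/json;` inside that location instead. The caching blocks double up the same way: `expires 1M`, `expires 1y` and `expires 0` each already emit a `Cache-Control` max-age, and the `add_header Cache-Control ...` beside them adds a second header with a different value (the `@index` block here, and the `app-config.json` and `@index` hunks of PATCH 04/21 repeat it), so keep one of the two directives per location. A location that declares its own `add_header` also stops inheriting `add_header` lines from `server` and `http`, so any security response headers added at those levels later will be absent from all of these locations unless repeated in each.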
diff --git a/backend/src/main/java/ru/micord/ervu/converter/SummonsResponseDataConverter.java b/backend/src/main/java/ru/micord/ervu/converter/SummonsResponseDataConverter.java index 63c3e4d..54d2623 100644 --- a/backend/src/main/java/ru/micord/ervu/converter/SummonsResponseDataConverter.java +++ b/backend/src/main/java/ru/micord/ervu/converter/SummonsResponseDataConverter.java @@ -39,9 +39,11 @@ public class SummonsResponseDataConverter { .issueDate(responseData.getIssueDate()) .issueOrg(responseData.getIssueOrg()) .issueIdCode(responseData.getIssueIdCode()) + .militaryCommissariatName(responseData.getRecruitmentInfo().getMilitaryCommissariatName()) .residenceAddress(getAddressByCode(responseData.getAddressesList(), RESIDENCE_ADDRESS_CODE)) .stayAddress(getAddressByCode(responseData.getAddressesList(), STAY_ADDRESS_CODE)) .actualAddress(getAddressByCode(responseData.getAddressesList(), ACTUAL_ADDRESS_CODE)); + Optional summonsInfoOpt = responseData.getSummonsInfosList().stream() // get last subpoena .max(Comparator.comparing( From 65872ef7dab90d8a27f533d9923cbaf95bbb55ae Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D0=A5=D0=B0=D0=BB=D1=82=D0=BE=D0=B1=D0=B8=D0=BD=20=D0=95?= =?UTF-8?q?=D0=B2=D0=B3=D0=B5=D0=BD=D0=B8=D0=B9?= Date: Tue, 24 Dec 2024 14:28:30 +0300 Subject: [PATCH 04/21] DEVOPS-1892: added cache settings --- config/nginx.conf | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/config/nginx.conf b/config/nginx.conf index 93bb7ad..b55fbde 100644 --- a/config/nginx.conf +++ b/config/nginx.conf @@ -78,7 +78,12 @@ http { root /frontend; index index.html; try_files $uri @index; - + + #Application config + location = /src/resources/app-config.json { + add_header Cache-Control "no-cache"; + expires 0; + } # Media: images, icons, video, audio, HTC location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|mp3|ogg|ogv|webm|htc|woff2|woff|ttf)$ { expires 1M; 
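Review bot: The added `.militaryCommissariatName(responseData.getRecruitmentInfo().getMilitaryCommissariatName())` dereferences `getRecruitmentInfo()` without a guard, unlike the address fields next to it, which go through `getAddressByCode`. If `responseData` is a generated protobuf message, an absent block yields a default instance and an empty name, but if it is a plain DTO the call throws NullPointerException and fails the whole conversion; the hunk does not show which it is. If the value can be null, guard it, e.g. `responseData.getRecruitmentInfo() != null ? responseData.getRecruitmentInfo().getMilitaryCommissariatName() : null`. The builder chain starts above the hunk.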
@@ -96,7 +101,7 @@ http { location @index { root /frontend; - add_header Cache-Control no-cache; + add_header Cache-Control "no-cache"; expires 0; try_files /index.html =404; } From f86a8afd2f5c06da85d8a18340433534d053c6f4 Mon Sep 17 00:00:00 2001 From: Eduard Tihomirov Date: Tue, 24 Dec 2024 20:11:53 +0300 Subject: [PATCH 05/21] SUPPORT-8755: Fix --- .../micord/ervu/security/esia/token/TokensStore.java | 11 ++++++++++- .../webbpm/jwt/filter/JwtAuthenticationFilter.java | 2 ++ .../security/webbpm/jwt/service/JwtTokenService.java | 8 -------- 3 files changed, 12 insertions(+), 9 deletions(-) diff --git a/backend/src/main/java/ru/micord/ervu/security/esia/token/TokensStore.java b/backend/src/main/java/ru/micord/ervu/security/esia/token/TokensStore.java index 9804b80..f202cb3 100644 --- a/backend/src/main/java/ru/micord/ervu/security/esia/token/TokensStore.java +++ b/backend/src/main/java/ru/micord/ervu/security/esia/token/TokensStore.java @@ -3,6 +3,8 @@ package ru.micord.ervu.security.esia.token; import java.util.Map; import java.util.concurrent.ConcurrentHashMap; +import org.springframework.security.authentication.CredentialsExpiredException; + /** * @author Eduard Tihomirov */ @@ -18,7 +20,14 @@ public class TokensStore { } public static String getAccessToken(String prnOid) { - return accessTokensMap.get(prnOid).getAccessToken(); + ExpiringToken token = accessTokensMap.get(prnOid); + if (token == null) { + throw new CredentialsExpiredException("No access token for prnOid: " + prnOid); + } + else if (token.isExpired()) { + throw new CredentialsExpiredException("Access token expired for prnOid: " + prnOid); + } + return token.getAccessToken(); } public static void removeExpiredAccessToken() { diff --git a/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/filter/JwtAuthenticationFilter.java b/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/filter/JwtAuthenticationFilter.java index c4f60f7..eedbebe 100644 
--- a/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/filter/JwtAuthenticationFilter.java +++ b/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/filter/JwtAuthenticationFilter.java @@ -16,6 +16,7 @@ import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.web.AuthenticationEntryPoint; import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter; import org.springframework.security.web.util.matcher.RequestMatcher; +import ru.micord.ervu.security.esia.token.TokensStore; import ru.micord.ervu.security.webbpm.jwt.JwtAuthentication; import ru.micord.ervu.security.webbpm.jwt.helper.SecurityHelper; import ru.micord.ervu.security.webbpm.jwt.model.Token; @@ -64,6 +65,7 @@ public class JwtAuthenticationFilter extends AbstractAuthenticationProcessingFil if (ids.length != 2) { throw new CredentialsExpiredException("Invalid token. User has no ervuId"); } + TokensStore.getAccessToken(token.getUserAccountId()); } } catch (CredentialsExpiredException e) { diff --git a/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/service/JwtTokenService.java b/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/service/JwtTokenService.java index 5478da2..8b8c5d9 100644 --- a/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/service/JwtTokenService.java +++ b/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/service/JwtTokenService.java @@ -34,9 +34,6 @@ public class JwtTokenService { ResourceMetadataUtils.PROJECT_GROUP_ID + "." + ResourceMetadataUtils.PROJECT_ARTIFACT_ID; private final SecretKey SIGNING_KEY; - @Autowired - private HttpServletRequest request; - @Autowired public JwtTokenService(@Value("${webbpm.security.token.secret.key:ZjE5ZjMxNmYtODViZC00ZTQ5LWIxZmYtOGEzYzE3Yjc1MDVk}") String secretKey) { 
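Review bot: The added `TokensStore.getAccessToken(token.getUserAccountId());` looks the ESIA token up by the whole JWT subject, which the check just above requires to split on `:` into two parts, whereas the store's parameter is named `prnOid` and the `addAccessToken(prnOid, ...)` calls visible in EsiaAuthService later in this series key entries by the ESIA subject id alone. If the subject really is `<prnOid>:<ervuId>`, the lookup never matches and every non-logout request is rejected; passing `ids[0]` would presumably be the intended key. PATCH 06, 07 and 08 pass the same argument to `validateAccessToken(token.getUserAccountId())`. The call also discards the returned ESIA access token, so it is used only for its exception side effect. The enclosing method starts and ends outside the hunk.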
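Review bot: The constructor line kept as context in the JwtTokenService hunk gives `webbpm.security.token.secret.key` a literal default inside `@Value`, so any deployment that does not set the property signs and verifies its JWTs with a key that is readable from the repository. This commit does not introduce the line, but it is part of the reviewed hunk and the series builds further authentication logic on top of that signature. Drop the fallback so startup fails when the key is not configured, `public JwtTokenService(@Value("${webbpm.security.token.secret.key}") String secretKey) {`, and treat the published value as compromised and rotate it wherever it is in use. The constructor body continues outside the hunk.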
@@ -79,11 +76,6 @@ public class JwtTokenService { return new Token(claims.getSubject(), claims.getIssuer(), claims.getExpiration(), token); } - public String getErvuId() { - String extractAuthToken = extractAuthToken(request); - return getToken(extractAuthToken).getUserAccountId().split(":")[1]; - } - public String getAccessToken(HttpServletRequest request) { return TokensStore.getAccessToken(getUserAccountId(request)); } From 1a1ca85a63545523997037aefd7079a76866be3e Mon Sep 17 00:00:00 2001 From: Eduard Tihomirov Date: Tue, 24 Dec 2024 20:26:17 +0300 Subject: [PATCH 06/21] SUPPORT-8755: Fix --- .../micord/ervu/security/esia/token/TokensStore.java | 10 +++++++--- .../webbpm/jwt/filter/JwtAuthenticationFilter.java | 5 ++++- 2 files changed, 11 insertions(+), 4 deletions(-) diff --git a/backend/src/main/java/ru/micord/ervu/security/esia/token/TokensStore.java b/backend/src/main/java/ru/micord/ervu/security/esia/token/TokensStore.java index f202cb3..9dd98e1 100644 --- a/backend/src/main/java/ru/micord/ervu/security/esia/token/TokensStore.java +++ b/backend/src/main/java/ru/micord/ervu/security/esia/token/TokensStore.java @@ -20,14 +20,18 @@ public class TokensStore { } public static String getAccessToken(String prnOid) { + return accessTokensMap.get(prnOid).getAccessToken(); + } + + public static boolean validateAccessToken(String prnOid) { ExpiringToken token = accessTokensMap.get(prnOid); if (token == null) { - throw new CredentialsExpiredException("No access token for prnOid: " + prnOid); + throw new CredentialsExpiredException("No ESIA access token for prnOid: " + prnOid); } else if (token.isExpired()) { - throw new CredentialsExpiredException("Access token expired for prnOid: " + prnOid); + throw new CredentialsExpiredException("ESIA access token expired for prnOid: " + prnOid); } - return token.getAccessToken(); + return token.getAccessToken() != null; } public static void removeExpiredAccessToken() { 
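Review bot: In the TokensStore hunk, `getAccessToken` is restored to `return accessTokensMap.get(prnOid).getAccessToken();`, so a missing entry is a NullPointerException again instead of an authentication failure. The filter's `validateAccessToken` check does not close this gap: `removeExpiredAccessToken()` or a logout can drop the entry between that check and a later `JwtTokenService.getAccessToken(request)` in the same request, and the method still hands back a token for which `isExpired()` is true. Do the lookup once and fail closed: `ExpiringToken token = accessTokensMap.get(prnOid);` followed by `if (token == null || token.isExpired()) throw new CredentialsExpiredException("No valid ESIA access token");`. The line is unchanged in the later EsiaTokensStore hunks of this series.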
diff --git a/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/filter/JwtAuthenticationFilter.java b/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/filter/JwtAuthenticationFilter.java index eedbebe..c9e91b8 100644 --- a/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/filter/JwtAuthenticationFilter.java +++ b/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/filter/JwtAuthenticationFilter.java @@ -65,7 +65,10 @@ public class JwtAuthenticationFilter extends AbstractAuthenticationProcessingFil if (ids.length != 2) { throw new CredentialsExpiredException("Invalid token. User has no ervuId"); } - TokensStore.getAccessToken(token.getUserAccountId()); + boolean hasEsiaAccessToken = TokensStore.validateAccessToken(token.getUserAccountId()); + if (!hasEsiaAccessToken) { + throw new CredentialsExpiredException("ESIA access token is null"); + } } } catch (CredentialsExpiredException e) { From 1f6595b9549aea22f854bf7c1a9af6413019ea4b Mon Sep 17 00:00:00 2001 From: Eduard Tihomirov Date: Tue, 24 Dec 2024 20:28:52 +0300 Subject: [PATCH 07/21] SUPPORT-8755: Fix --- .../security/webbpm/jwt/filter/JwtAuthenticationFilter.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/filter/JwtAuthenticationFilter.java b/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/filter/JwtAuthenticationFilter.java index c9e91b8..6a722ce 100644 --- a/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/filter/JwtAuthenticationFilter.java +++ b/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/filter/JwtAuthenticationFilter.java 
@@ -65,8 +65,8 @@ public class JwtAuthenticationFilter extends AbstractAuthenticationProcessingFil if (ids.length != 2) { throw new CredentialsExpiredException("Invalid token. User has no ervuId"); } - boolean hasEsiaAccessToken = TokensStore.validateAccessToken(token.getUserAccountId()); - if (!hasEsiaAccessToken) { + boolean esiaAccessTokenIsValid = TokensStore.validateAccessToken(token.getUserAccountId()); + if (!esiaAccessTokenIsValid) { throw new CredentialsExpiredException("ESIA access token is null"); } } From 44bcba2faf50fed348a73bdb0ca96d4a90bf04b5 Mon Sep 17 00:00:00 2001 From: Eduard Tihomirov Date: Tue, 24 Dec 2024 20:45:19 +0300 Subject: [PATCH 08/21] SUPPORT-8755: Fix --- .../security/esia/service/EsiaAuthService.java | 14 +++++++------- .../{TokensStore.java => EsiaTokensStore.java} | 7 +++---- .../esia/token/TokensClearShedulerService.java | 4 ++-- .../webbpm/jwt/filter/JwtAuthenticationFilter.java | 7 ++----- .../webbpm/jwt/service/JwtTokenService.java | 6 +++--- 5 files changed, 17 insertions(+), 21 deletions(-) rename backend/src/main/java/ru/micord/ervu/security/esia/token/{TokensStore.java => EsiaTokensStore.java} (93%) diff --git a/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java b/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java index 08c9f82..f8ae592 100644 --- a/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java +++ b/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java 
@@ -27,7 +27,7 @@ import ru.micord.ervu.kafka.model.Document; import ru.micord.ervu.kafka.model.Person; import ru.micord.ervu.kafka.model.Response; import ru.micord.ervu.kafka.service.ReplyingKafkaService; -import ru.micord.ervu.security.esia.token.TokensStore; +import ru.micord.ervu.security.esia.token.EsiaTokensStore; import ru.micord.ervu.security.esia.config.EsiaConfig; import ru.micord.ervu.security.esia.model.FormUrlencoded; import ru.micord.ervu.security.esia.model.EsiaAccessToken; @@ -199,8 +199,8 @@ public class EsiaAuthService { EsiaAccessToken esiaAccessToken = personalDataService.readToken(esiaAccessTokenStr); String prnOid = esiaAccessToken.getSbj_id(); Long expiresIn = tokenResponse.getExpires_in(); - TokensStore.addAccessToken(prnOid, esiaAccessTokenStr, expiresIn); - TokensStore.addRefreshToken(prnOid, esiaRefreshTokenStr, expiresIn); + EsiaTokensStore.addAccessToken(prnOid, esiaAccessTokenStr, expiresIn); + EsiaTokensStore.addRefreshToken(prnOid, esiaRefreshTokenStr, expiresIn); Response ervuIdResponse = getErvuIdResponse(esiaAccessTokenStr); Token token = jwtTokenService.createAccessToken(esiaAccessToken.getSbj_id(), expiresIn, ervuIdResponse.getErvuId()); int expiry = tokenResponse.getExpires_in().intValue(); 
@@ -276,8 +276,8 @@ public class EsiaAuthService { EsiaAccessToken esiaAccessToken = personalDataService.readToken(esiaAccessTokenStr); String prnOid = esiaAccessToken.getSbj_id(); Long expiresIn = tokenResponse.getExpires_in(); - TokensStore.addAccessToken(prnOid, esiaAccessTokenStr, expiresIn); - TokensStore.addRefreshToken(prnOid, esiaNewRefreshTokenStr, expiresIn); + EsiaTokensStore.addAccessToken(prnOid, esiaAccessTokenStr, expiresIn); + EsiaTokensStore.addRefreshToken(prnOid, esiaNewRefreshTokenStr, expiresIn); Response ervuIdResponse = getErvuIdResponse(esiaAccessTokenStr); Token token = jwtTokenService.createAccessToken(esiaAccessToken.getSbj_id(), expiresIn, ervuIdResponse.getErvuId()); int expiry = tokenResponse.getExpires_in().intValue(); @@ -335,8 +335,8 @@ public class EsiaAuthService { try { securityHelper.clearAccessCookies(response); String userId = jwtTokenService.getUserAccountId(request); - TokensStore.removeAccessToken(userId); - TokensStore.removeRefreshToken(userId); + EsiaTokensStore.removeAccessToken(userId); + EsiaTokensStore.removeRefreshToken(userId); String logoutUrl = esiaConfig.getEsiaBaseUri() + esiaConfig.getEsiaLogoutUrl(); String redirectUrl = esiaConfig.getRedirectUrl(); URL url = new URL(logoutUrl); diff --git a/backend/src/main/java/ru/micord/ervu/security/esia/token/TokensStore.java b/backend/src/main/java/ru/micord/ervu/security/esia/token/EsiaTokensStore.java similarity index 93% rename from backend/src/main/java/ru/micord/ervu/security/esia/token/TokensStore.java rename to backend/src/main/java/ru/micord/ervu/security/esia/token/EsiaTokensStore.java index 9dd98e1..40b0d8f 100644 --- a/backend/src/main/java/ru/micord/ervu/security/esia/token/TokensStore.java +++ b/backend/src/main/java/ru/micord/ervu/security/esia/token/EsiaTokensStore.java 
@@ -8,7 +8,7 @@ import org.springframework.security.authentication.CredentialsExpiredException; /** * @author Eduard Tihomirov */ -public class TokensStore { +public class EsiaTokensStore { private static final Map accessTokensMap = new ConcurrentHashMap<>(); private static final Map refreshTokensMap = new ConcurrentHashMap<>(); @@ -23,15 +23,14 @@ public class TokensStore { return accessTokensMap.get(prnOid).getAccessToken(); } - public static boolean validateAccessToken(String prnOid) { + public static void validateAccessToken(String prnOid) { ExpiringToken token = accessTokensMap.get(prnOid); - if (token == null) { + if (token == null || token.getAccessToken() == null) { throw new CredentialsExpiredException("No ESIA access token for prnOid: " + prnOid); } else if (token.isExpired()) { throw new CredentialsExpiredException("ESIA access token expired for prnOid: " + prnOid); } - return token.getAccessToken() != null; } public static void removeExpiredAccessToken() { diff --git a/backend/src/main/java/ru/micord/ervu/security/esia/token/TokensClearShedulerService.java b/backend/src/main/java/ru/micord/ervu/security/esia/token/TokensClearShedulerService.java index 4665295..89c9db4 100644 --- a/backend/src/main/java/ru/micord/ervu/security/esia/token/TokensClearShedulerService.java +++ b/backend/src/main/java/ru/micord/ervu/security/esia/token/TokensClearShedulerService.java @@ -14,7 +14,7 @@ public class TokensClearShedulerService { @SchedulerLock(name = "clearToken") @Transactional public void load() { - TokensStore.removeExpiredRefreshToken(); - TokensStore.removeExpiredAccessToken(); + EsiaTokensStore.removeExpiredRefreshToken(); + EsiaTokensStore.removeExpiredAccessToken(); } } diff --git a/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/filter/JwtAuthenticationFilter.java b/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/filter/JwtAuthenticationFilter.java index 6a722ce..eea559e 100644 
--- a/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/filter/JwtAuthenticationFilter.java +++ b/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/filter/JwtAuthenticationFilter.java @@ -16,7 +16,7 @@ import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.web.AuthenticationEntryPoint; import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter; import org.springframework.security.web.util.matcher.RequestMatcher; -import ru.micord.ervu.security.esia.token.TokensStore; +import ru.micord.ervu.security.esia.token.EsiaTokensStore; import ru.micord.ervu.security.webbpm.jwt.JwtAuthentication; import ru.micord.ervu.security.webbpm.jwt.helper.SecurityHelper; import ru.micord.ervu.security.webbpm.jwt.model.Token; @@ -65,10 +65,7 @@ public class JwtAuthenticationFilter extends AbstractAuthenticationProcessingFil if (ids.length != 2) { throw new CredentialsExpiredException("Invalid token. User has no ervuId"); } - boolean esiaAccessTokenIsValid = TokensStore.validateAccessToken(token.getUserAccountId()); - if (!esiaAccessTokenIsValid) { - throw new CredentialsExpiredException("ESIA access token is null"); - } + EsiaTokensStore.validateAccessToken(token.getUserAccountId()); } } catch (CredentialsExpiredException e) { diff --git a/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/service/JwtTokenService.java b/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/service/JwtTokenService.java index 8b8c5d9..328fffd 100644 --- a/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/service/JwtTokenService.java +++ b/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/service/JwtTokenService.java 
@@ -14,7 +14,7 @@ import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Value; import org.springframework.stereotype.Component; -import ru.micord.ervu.security.esia.token.TokensStore; +import ru.micord.ervu.security.esia.token.EsiaTokensStore; import ru.micord.ervu.security.webbpm.jwt.model.Token; import ru.cg.webbpm.modules.resources.api.ResourceMetadataUtils; @@ -77,11 +77,11 @@ public class JwtTokenService { } public String getAccessToken(HttpServletRequest request) { - return TokensStore.getAccessToken(getUserAccountId(request)); + return EsiaTokensStore.getAccessToken(getUserAccountId(request)); } public String getRefreshToken(HttpServletRequest request) { - return TokensStore.getRefreshToken(getUserAccountId(request)); + return EsiaTokensStore.getRefreshToken(getUserAccountId(request)); } public String getUserAccountId(HttpServletRequest request) { From 69f1094bbfe991536eac07c968efb672b23d4172 Mon Sep 17 00:00:00 2001 From: Eduard Tihomirov Date: Wed, 25 Dec 2024 11:06:49 +0300 Subject: [PATCH 09/21] SUPPORT-8755: Fix --- .../micord/ervu/security/SecurityConfig.java | 6 ++-- .../security/esia/token/EsiaTokensStore.java | 14 ++++++--- .../webbpm/jwt/JwtAuthenticationProvider.java | 30 ++++++++++++++----- .../jwt/filter/JwtAuthenticationFilter.java | 18 ++--------- .../webbpm/jwt/service/JwtTokenService.java | 2 +- 5 files changed, 38 insertions(+), 32 deletions(-) diff --git a/backend/src/main/java/ru/micord/ervu/security/SecurityConfig.java b/backend/src/main/java/ru/micord/ervu/security/SecurityConfig.java index 5f088ea..e497c26 100644 --- a/backend/src/main/java/ru/micord/ervu/security/SecurityConfig.java +++ b/backend/src/main/java/ru/micord/ervu/security/SecurityConfig.java 
@@ -25,7 +25,6 @@ import ru.micord.ervu.security.webbpm.jwt.JwtMatcher; import ru.micord.ervu.security.webbpm.jwt.UnauthorizedEntryPoint; import ru.micord.ervu.security.webbpm.jwt.filter.JwtAuthenticationFilter; import ru.micord.ervu.security.webbpm.jwt.helper.SecurityHelper; -import ru.micord.ervu.security.webbpm.jwt.service.JwtTokenService; import static ru.micord.ervu.security.SecurityConstants.ESIA_LOGOUT; @@ -105,10 +104,9 @@ public class SecurityConfig { @Bean public JwtAuthenticationFilter jwtAuthenticationFilter(SecurityHelper securityHelper, - AuthenticationManager manager, - JwtTokenService jwtTokenService) { + AuthenticationManager manager) { JwtAuthenticationFilter jwtAuthenticationFilter = new JwtAuthenticationFilter( - new JwtMatcher("/**", PERMIT_ALL), entryPoint(), securityHelper, jwtTokenService); + new JwtMatcher("/**", PERMIT_ALL), entryPoint(), securityHelper); jwtAuthenticationFilter.setAuthenticationManager(manager); return jwtAuthenticationFilter; } diff --git a/backend/src/main/java/ru/micord/ervu/security/esia/token/EsiaTokensStore.java b/backend/src/main/java/ru/micord/ervu/security/esia/token/EsiaTokensStore.java index 40b0d8f..7f56cc4 100644 --- a/backend/src/main/java/ru/micord/ervu/security/esia/token/EsiaTokensStore.java +++ b/backend/src/main/java/ru/micord/ervu/security/esia/token/EsiaTokensStore.java @@ -1,14 +1,17 @@ package ru.micord.ervu.security.esia.token; +import java.lang.invoke.MethodHandles; import java.util.Map; import java.util.concurrent.ConcurrentHashMap; -import org.springframework.security.authentication.CredentialsExpiredException; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; /** * @author Eduard Tihomirov */ public class EsiaTokensStore { + private static final Logger LOGGER = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass()); private static final Map accessTokensMap = new ConcurrentHashMap<>(); private static final Map refreshTokensMap = new ConcurrentHashMap<>(); 
@@ -23,14 +26,17 @@ public class EsiaTokensStore { return accessTokensMap.get(prnOid).getAccessToken(); } - public static void validateAccessToken(String prnOid) { + public static boolean validateAccessToken(String prnOid) { ExpiringToken token = accessTokensMap.get(prnOid); if (token == null || token.getAccessToken() == null) { - throw new CredentialsExpiredException("No ESIA access token for prnOid: " + prnOid); + LOGGER.error("No ESIA access token for prnOid: " + prnOid); + return false; } else if (token.isExpired()) { - throw new CredentialsExpiredException("ESIA access token expired for prnOid: " + prnOid); + LOGGER.error("ESIA access token expired for prnOid: " + prnOid); + return false; } + return true; } public static void removeExpiredAccessToken() { diff --git a/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/JwtAuthenticationProvider.java b/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/JwtAuthenticationProvider.java index f709679..122cd60 100644 --- a/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/JwtAuthenticationProvider.java +++ b/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/JwtAuthenticationProvider.java @@ -2,6 +2,8 @@ package ru.micord.ervu.security.webbpm.jwt; import java.util.Collections; +import javax.servlet.http.HttpServletRequest; + import io.jsonwebtoken.ExpiredJwtException; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.security.authentication.AuthenticationProvider; 
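Review bot: `validateAccessToken` now reports an absent or expired session with `LOGGER.error("... prnOid: " + prnOid)`, which puts a routine condition at error level and concatenates a user identifier taken from the request's token into the message. Use a lower level and a parameterized message, `LOGGER.warn("No ESIA access token for prnOid: {}", prnOid);` and `LOGGER.warn("ESIA access token expired for prnOid: {}", prnOid);`, and consider whether the identifier needs to be logged in full. No caller of the new boolean result is visible in the hunks shown, so confirm that whatever replaces the removed filter call rejects the request on a `false` return.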
@@ -11,9 +13,13 @@ import org.springframework.security.authentication.UsernamePasswordAuthenticatio import org.springframework.security.core.Authentication; import org.springframework.security.core.AuthenticationException; import org.springframework.stereotype.Component; +import org.springframework.web.context.request.RequestAttributes; +import org.springframework.web.context.request.RequestContextHolder; import ru.micord.ervu.security.webbpm.jwt.model.Token; import ru.micord.ervu.security.webbpm.jwt.service.JwtTokenService; +import static org.springframework.web.context.request.RequestAttributes.REFERENCE_REQUEST; + @Component public class JwtAuthenticationProvider implements AuthenticationProvider { 
@@ -42,16 +48,24 @@ public class JwtAuthenticationProvider implements AuthenticationProvider { throw new BadCredentialsException("Authentication Failed.", e); } - if (!jwtTokenService.isValid(token)) { - throw new BadCredentialsException("Auth token is not valid for user " + token.getUserAccountId()); + if (jwtTokenService.isValid(token)) { + RequestAttributes requestAttributes = RequestContextHolder.getRequestAttributes(); + HttpServletRequest request = (HttpServletRequest) requestAttributes.resolveReference( + REFERENCE_REQUEST); + String[] ids = token.getUserAccountId().split(":"); + if (request != null && (request.getRequestURI() + .endsWith("esia/logout") || ids.length == 2)) { + UsernamePasswordAuthenticationToken pwdToken = + UsernamePasswordAuthenticationToken.authenticated(token.getUserAccountId(), null, + Collections.emptyList() + ); + + return new JwtAuthentication(pwdToken, token.getUserAccountId(), token.getValue()); + } } - UsernamePasswordAuthenticationToken pwdToken = - UsernamePasswordAuthenticationToken.authenticated(token.getUserAccountId(), null, - Collections.emptyList() - ); - - return new JwtAuthentication(pwdToken, token.getUserAccountId(), token.getValue()); + throw new BadCredentialsException( + "Auth token is not valid for user " + token.getUserAccountId()); } @Override diff --git a/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/filter/JwtAuthenticationFilter.java b/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/filter/JwtAuthenticationFilter.java index eea559e..5ea0c82 100644 --- a/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/filter/JwtAuthenticationFilter.java +++ b/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/filter/JwtAuthenticationFilter.java 
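Review bot: `RequestContextHolder.getRequestAttributes()` can return null when no request is bound to the thread, and the new branch in `authenticate` dereferences it at once in `requestAttributes.resolveReference(REFERENCE_REQUEST)`; the `request == null` check added in PATCH 10 of this series does not cover that case. A guard such as `if (requestAttributes == null) { throw new AuthenticationServiceException("No request bound to the current thread"); }` keeps the failure inside the `AuthenticationException` hierarchy that the filter handles. Separately, `request.getRequestURI().endsWith("esia/logout")` is a suffix test on the raw URI, so any path that merely ends with that string is exempt from the `ids.length == 2` requirement. Comparing against the exact logout path (context path plus `/esia/logout`) would be tighter. The method starts outside the hunk.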
@@ -36,16 +36,12 @@ public class JwtAuthenticationFilter extends AbstractAuthenticationProcessingFil private final SecurityHelper securityHelper; - private final JwtTokenService jwtTokenService; - public JwtAuthenticationFilter(RequestMatcher requestMatcher, AuthenticationEntryPoint entryPoint, - SecurityHelper securityHelper, - JwtTokenService jwtTokenService) { + SecurityHelper securityHelper) { super(requestMatcher); this.entryPoint = entryPoint; this.securityHelper = securityHelper; - this.jwtTokenService = jwtTokenService; } @Override @@ -59,19 +55,11 @@ public class JwtAuthenticationFilter extends AbstractAuthenticationProcessingFil } try { authentication = getAuthenticationManager().authenticate(authentication); - if (!httpServletRequest.getRequestURI().endsWith("esia/logout")) { - Token token = jwtTokenService.getToken(tokenStr); - String[] ids = token.getUserAccountId().split(":"); - if (ids.length != 2) { - throw new CredentialsExpiredException("Invalid token. User has no ervuId"); - } - EsiaTokensStore.validateAccessToken(token.getUserAccountId()); - } } - catch (CredentialsExpiredException e) { + catch (AuthenticationException e) { + LOGGER.warn(e.getMessage()); securityHelper.clearAccessCookies(httpServletResponse); httpServletResponse.setStatus(401); - LOGGER.warn(e.getMessage()); return null; } return authentication; diff --git a/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/service/JwtTokenService.java b/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/service/JwtTokenService.java index 328fffd..579d72f 100644 --- a/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/service/JwtTokenService.java +++ b/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/service/JwtTokenService.java 
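Review bot: The widened `catch (AuthenticationException e)` in `attemptAuthentication` now turns every authentication failure, including provider-side service errors, into cleared cookies and a 401, while `LOGGER.warn(e.getMessage())` records neither the exception type nor its cause. Logging with `LOGGER.warn("JWT authentication failed: {}", e.getMessage(), e);` would keep an expired token distinguishable from an internal fault. A one-line comment that returning `null` after setting the status is deliberate, and ends processing in this filter, would also help the next reader. The method body starts outside the hunk.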
@@ -64,7 +64,7 @@ public class JwtTokenService { LOGGER.info("Token {} is expired ", token.getValue()); return false; } - return true; + return EsiaTokensStore.validateAccessToken(token.getUserAccountId()); } public Token getToken(String token) { From 3f0a7fa5c1056f48c2bf0d2302c613be5d4cfffa Mon Sep 17 00:00:00 2001 From: Eduard Tihomirov Date: Wed, 25 Dec 2024 12:46:10 +0300 Subject: [PATCH 10/21] SUPPORT-8755: Fix --- .../ervu/security/webbpm/jwt/JwtAuthenticationProvider.java | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/JwtAuthenticationProvider.java b/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/JwtAuthenticationProvider.java index 122cd60..05fb495 100644 --- a/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/JwtAuthenticationProvider.java +++ b/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/JwtAuthenticationProvider.java @@ -53,8 +53,10 @@ public class JwtAuthenticationProvider implements AuthenticationProvider { HttpServletRequest request = (HttpServletRequest) requestAttributes.resolveReference( REFERENCE_REQUEST); String[] ids = token.getUserAccountId().split(":"); - if (request != null && (request.getRequestURI() - .endsWith("esia/logout") || ids.length == 2)) { + if (request == null) { + throw new IllegalStateException("No request found in request attributes"); + } + if (request.getRequestURI().endsWith("esia/logout") || ids.length == 2) { UsernamePasswordAuthenticationToken pwdToken = UsernamePasswordAuthenticationToken.authenticated(token.getUserAccountId(), null, Collections.emptyList() From 14ac67f822a7f7f712f48b4a4d5c4c831d4684d0 Mon Sep 17 00:00:00 2001 From: Eduard Tihomirov Date: Wed, 25 Dec 2024 16:49:31 +0300 Subject: [PATCH 11/21] fix --- .../ervu/security/webbpm/jwt/service/JwtTokenService.java | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
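Review bot: The context line `LOGGER.info("Token {} is expired ", token.getValue());` in `JwtTokenService.isValid` writes the complete token string to the log, and elsewhere in this series `token.getValue()` is the value placed in the auth cookie. Logging a non-secret identifier instead, e.g. `LOGGER.info("Token for user {} is expired", token.getUserAccountId());`, keeps signed credentials out of log files. The same line is carried unchanged into the PATCH 11 hunk for this file. `isValid` starts outside the hunk.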
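Review bot: The new `throw new IllegalStateException("No request found in request attributes")` in `JwtAuthenticationProvider.authenticate` is not an `AuthenticationException`, so the `catch (AuthenticationException e)` added to `JwtAuthenticationFilter` earlier in this series will not see it. On that path the access cookies are not cleared and no 401 is set. If the intent is to fail authentication, `throw new AuthenticationServiceException("No request found in request attributes");` keeps it on the handled path. The surrounding method is only partly visible in the hunk.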
diff --git a/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/service/JwtTokenService.java b/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/service/JwtTokenService.java index 579d72f..aab89b6 100644 --- a/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/service/JwtTokenService.java +++ b/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/service/JwtTokenService.java @@ -64,7 +64,8 @@ public class JwtTokenService { LOGGER.info("Token {} is expired ", token.getValue()); return false; } - return EsiaTokensStore.validateAccessToken(token.getUserAccountId()); + String[] ids = token.getUserAccountId().split(":"); + return EsiaTokensStore.validateAccessToken(ids[0]); } public Token getToken(String token) { From 2bd86a79934296816cb8b3e8cbf3e5d9cfab3171 Mon Sep 17 00:00:00 2001 From: Zaripov Emil Date: Thu, 26 Dec 2024 16:11:58 +0300 Subject: [PATCH 12/21] set version 1.9.4-SNAPSHOT --- backend/pom.xml | 2 +- distribution/pom.xml | 2 +- frontend/pom.xml | 2 +- pom.xml | 2 +- resources/pom.xml | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/backend/pom.xml b/backend/pom.xml index e13cb41..299288a 100644 --- a/backend/pom.xml +++ b/backend/pom.xml @@ -5,7 +5,7 @@ ru.micord.ervu.lkrp fl - 1.9.3-SNAPSHOT + 1.9.4-SNAPSHOT ru.micord.ervu.lkrp.fl backend diff --git a/distribution/pom.xml b/distribution/pom.xml index 2a42d87..06b5df1 100644 --- a/distribution/pom.xml +++ b/distribution/pom.xml @@ -4,7 +4,7 @@ ru.micord.ervu.lkrp fl - 1.9.3-SNAPSHOT + 1.9.4-SNAPSHOT ru.micord.ervu.lkrp.fl diff --git a/frontend/pom.xml b/frontend/pom.xml index 2440862..183b3c5 100644 --- a/frontend/pom.xml +++ b/frontend/pom.xml @@ -4,7 +4,7 @@ ru.micord.ervu.lkrp fl - 1.9.3-SNAPSHOT + 1.9.4-SNAPSHOT ru.micord.ervu.lkrp.fl diff --git a/pom.xml b/pom.xml index 8738e22..a62223b 100644 --- a/pom.xml +++ b/pom.xml @@ -4,7 +4,7 @@ 4.0.0 ru.micord.ervu.lkrp fl - 1.9.3-SNAPSHOT + 1.9.4-SNAPSHOT pom backend 
diff --git a/resources/pom.xml b/resources/pom.xml index 1516999..94913d8 100644 --- a/resources/pom.xml +++ b/resources/pom.xml @@ -4,7 +4,7 @@ ru.micord.ervu.lkrp fl - 1.9.3-SNAPSHOT + 1.9.4-SNAPSHOT ru.micord.ervu.lkrp.fl From 2747452b88390a879b40938ff036e2275dee9553 Mon Sep 17 00:00:00 2001 From: kochetkov Date: Fri, 27 Dec 2024 09:16:13 +0300 Subject: [PATCH 13/21] SUPPORT-8830 first fixes --- .../ervu/security/LogoutSuccessHandler.java | 4 +- .../esia/service/EsiaAuthService.java | 11 +-- .../webbpm/jwt/helper/SecurityHelper.java | 90 ++++++++++++++----- .../webbpm/jwt/util/SecurityUtil.java | 18 ---- frontend/index.webpack.html | 5 ++ .../template/app/component/log_out.html | 8 +- 6 files changed, 82 insertions(+), 54 deletions(-) diff --git a/backend/src/main/java/ru/micord/ervu/security/LogoutSuccessHandler.java b/backend/src/main/java/ru/micord/ervu/security/LogoutSuccessHandler.java index 9993b23..3867b41 100644 --- a/backend/src/main/java/ru/micord/ervu/security/LogoutSuccessHandler.java +++ b/backend/src/main/java/ru/micord/ervu/security/LogoutSuccessHandler.java @@ -25,9 +25,7 @@ public class LogoutSuccessHandler public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException { String url = esiaAuthService.logout(request, response); - response.setStatus(HttpServletResponse.SC_OK); - response.getWriter().write(url); - response.getWriter().flush(); + response.sendRedirect(url); CsrfToken csrfToken = this.csrfTokenRepository.generateToken(request); this.csrfTokenRepository.saveToken(csrfToken, request, response); } diff --git a/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java b/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java index f8ae592..671029d 100644 --- a/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java 
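Review bot: In `LogoutSuccessHandler.onLogoutSuccess` the new `response.sendRedirect(url)` commits the response before `this.csrfTokenRepository.saveToken(csrfToken, request, response)` runs. If the repository stores the token in a cookie or header (its type is not visible here), the fresh CSRF token will not reach the browser. Moving `CsrfToken csrfToken = this.csrfTokenRepository.generateToken(request);` and the `saveToken` call above `response.sendRedirect(url);` avoids that. The class declaration is outside the hunk.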
+++ b/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java @@ -13,7 +13,6 @@ import java.time.format.DateTimeFormatter; import java.util.LinkedHashMap; import java.util.Map; import java.util.UUID; -import javax.servlet.http.Cookie; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; @@ -204,8 +203,7 @@ public class EsiaAuthService { Response ervuIdResponse = getErvuIdResponse(esiaAccessTokenStr); Token token = jwtTokenService.createAccessToken(esiaAccessToken.getSbj_id(), expiresIn, ervuIdResponse.getErvuId()); int expiry = tokenResponse.getExpires_in().intValue(); - Cookie accessCookie = securityHelper.createAccessCookie(token.getValue(), expiry); - response.addCookie(accessCookie); + securityHelper.addAccessCookies(response, token.getValue(), expiry); UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken = new UsernamePasswordAuthenticationToken(token.getUserAccountId(), null); SecurityContext context = SecurityContextHolder.createEmptyContext(); @@ -214,8 +212,6 @@ public class EsiaAuthService { authenticationManager.authenticate(jwtAuthentication); context.setAuthentication(jwtAuthentication); SecurityContextHolder.setContext(context); - Cookie authMarkerCookie = securityHelper.createAuthMarkerCookie("true", expiry); - response.addCookie(authMarkerCookie); return ResponseEntity.ok("Authentication successful"); } catch (Exception e) { 
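Review bot: `securityHelper.addAccessCookies(response, token.getValue(), expiry)` now queues both the token cookie and the auth-marker cookie before `authenticationManager.authenticate(jwtAuthentication)` is called, whereas the marker used to be added only after authentication succeeded. If `authenticate` throws, the `Set-Cookie` headers are presumably already on the response. Calling `addAccessCookies` after `SecurityContextHolder.setContext(context)` would tie the cookies to a successful login. The same ordering appears in the `@@ -281,8 +277,7 @@` hunk, and both methods start outside their hunks.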
@@ -281,8 +277,7 @@ public class EsiaAuthService { Response ervuIdResponse = getErvuIdResponse(esiaAccessTokenStr); Token token = jwtTokenService.createAccessToken(esiaAccessToken.getSbj_id(), expiresIn, ervuIdResponse.getErvuId()); int expiry = tokenResponse.getExpires_in().intValue(); - Cookie accessCookie = securityHelper.createAccessCookie(token.getValue(), expiry); - response.addCookie(accessCookie); + securityHelper.addAccessCookies(response, token.getValue(), expiry); UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken = new UsernamePasswordAuthenticationToken(token.getUserAccountId(), null); SecurityContext context = SecurityContextHolder.createEmptyContext(); @@ -291,8 +286,6 @@ public class EsiaAuthService { authenticationManager.authenticate(jwtAuthentication); context.setAuthentication(jwtAuthentication); SecurityContextHolder.setContext(context); - Cookie authMarkerCookie = securityHelper.createAuthMarkerCookie("true", expiry); - response.addCookie(authMarkerCookie); } catch (Exception e) { throw new RuntimeException(e); diff --git a/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/helper/SecurityHelper.java b/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/helper/SecurityHelper.java index 0a222c7..9c966f6 100644 --- a/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/helper/SecurityHelper.java +++ b/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/helper/SecurityHelper.java 
@@ -1,43 +1,89 @@ package ru.micord.ervu.security.webbpm.jwt.helper; -import javax.servlet.http.Cookie; +import java.net.IDN; +import java.net.URLEncoder; +import java.nio.charset.StandardCharsets; +import javax.annotation.PostConstruct; +import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.springframework.beans.factory.annotation.Value; -import ru.micord.ervu.security.webbpm.jwt.util.SecurityUtil; +import org.springframework.http.HttpHeaders; +import org.springframework.http.ResponseCookie; +import org.springframework.web.context.request.RequestAttributes; +import org.springframework.web.context.request.RequestContextHolder; +import static org.springframework.web.context.request.RequestAttributes.REFERENCE_REQUEST; import static ru.micord.ervu.security.webbpm.jwt.util.SecurityUtil.AUTH_MARKER; import static ru.micord.ervu.security.webbpm.jwt.util.SecurityUtil.AUTH_TOKEN; -import static ru.micord.ervu.security.webbpm.jwt.util.SecurityUtil.createCookie; public final class SecurityHelper { @Value("${cookie.path:#{null}}") private String accessCookiePath; + @Value("${cookie.domain:#{null}}") + private String accessCookieDomain; + @Value("${cookie.secure:false}") + private boolean accessCookieSecure; + @Value("${cookie.same.site:Lax}") + private String accessCookieSameSite; + + @PostConstruct + private void init() { + + if (accessCookieDomain != null) { + accessCookieDomain = IDN.toASCII(accessCookieDomain); + } + } public void clearAccessCookies(HttpServletResponse response) { - Cookie tokenCookie = createCookie(AUTH_TOKEN, null, null); - tokenCookie.setMaxAge(0); - tokenCookie.setPath(accessCookiePath); - tokenCookie.setHttpOnly(true); - response.addCookie(tokenCookie); + ResponseCookie emptyAuthToken = createCookie(AUTH_TOKEN, null, accessCookiePath) + .maxAge(0).build(); + addResponseCookie(response, emptyAuthToken); - Cookie markerCookie = createCookie(AUTH_MARKER, null, null); - markerCookie.setMaxAge(0); - 
markerCookie.setPath("/"); - response.addCookie(markerCookie); + ResponseCookie emptyAuthMarker = createCookie(AUTH_MARKER, null, "/") + .maxAge(0) + .secure(false) + .httpOnly(false) + .build(); + addResponseCookie(response, emptyAuthMarker); } - public Cookie createAccessCookie(String cookieValue, int expiry) { - Cookie authToken = createCookie(SecurityUtil.AUTH_TOKEN, cookieValue, accessCookiePath); - authToken.setPath(accessCookiePath); - authToken.setMaxAge(expiry); - return authToken; + private void addResponseCookie(HttpServletResponse response, ResponseCookie cookie) { + response.addHeader(HttpHeaders.SET_COOKIE, cookie.toString()); } - public Cookie createAuthMarkerCookie(String cookieValue, int expiry) { - Cookie marker = createCookie(AUTH_MARKER, cookieValue, "/"); - marker.setMaxAge(expiry); - marker.setHttpOnly(false); - return marker; + public void addAccessCookies(HttpServletResponse response, String cookieValue, int expiry) { + ResponseCookie authTokenCookie = createCookie(AUTH_TOKEN, cookieValue, accessCookiePath) + .maxAge(expiry) + .build(); + addResponseCookie(response, authTokenCookie); + + ResponseCookie authMarker = createCookie(AUTH_MARKER, "true", "/") + .maxAge(expiry) + .secure(false) + .httpOnly(false) + .build(); + addResponseCookie(response, authMarker); + } + + public ResponseCookie.ResponseCookieBuilder createCookie(String name, String value, String path) { + RequestAttributes requestAttributes = RequestContextHolder.getRequestAttributes(); + + if (requestAttributes == null) { + throw new IllegalStateException("Must be called only in request context"); + } + HttpServletRequest request = (HttpServletRequest) requestAttributes.resolveReference( + REFERENCE_REQUEST); + + if (request == null) { + throw new IllegalStateException("Must be called only in request context"); + } + String cookieValue = value != null ? URLEncoder.encode(value, StandardCharsets.UTF_8) : ""; + return ResponseCookie.from(name, cookieValue) + .path(path != null ? 
path : request.getContextPath()) + .httpOnly(true) + .domain(accessCookieDomain) + .secure(accessCookieSecure) + .sameSite(accessCookieSameSite); } } diff --git a/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/util/SecurityUtil.java b/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/util/SecurityUtil.java index 69019f1..9dbc11a 100644 --- a/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/util/SecurityUtil.java +++ b/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/util/SecurityUtil.java @@ -23,24 +23,6 @@ public final class SecurityUtil { //empty } - public static Cookie createCookie(String name, String value, String path) { - String cookieValue = value != null ? URLEncoder.encode(value, StandardCharsets.UTF_8) : null; - Cookie cookie = new Cookie(name, cookieValue); - RequestAttributes requestAttributes = RequestContextHolder.getRequestAttributes(); - HttpServletRequest request = (HttpServletRequest) requestAttributes.resolveReference( - REFERENCE_REQUEST); - - if (path != null) { - cookie.setPath(path); - } - else { - cookie.setPath(request.getContextPath()); - } - cookie.setHttpOnly(true); - - return cookie; - } - public static String extractAuthToken(HttpServletRequest httpRequest) { Cookie cookie = WebUtils.getCookie(httpRequest, AUTH_TOKEN); return cookie != null ? cookie.getValue() : null; diff --git a/frontend/index.webpack.html b/frontend/index.webpack.html index 871a82c..8aac9d4 100644 --- a/frontend/index.webpack.html +++ b/frontend/index.webpack.html @@ -4,6 +4,11 @@ Личный кабинет физ.лица + + + + diff --git a/frontend/src/resources/template/app/component/log_out.html b/frontend/src/resources/template/app/component/log_out.html index f488796..a691d3f 100644 --- a/frontend/src/resources/template/app/component/log_out.html +++ b/frontend/src/resources/template/app/component/log_out.html @@ -1,6 +1,10 @@
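Review bot: In `SecurityHelper` the auth-token cookie is marked `Secure` only when `cookie.secure` is set, because the new field is declared with `@Value("${cookie.secure:false}")`; a deployment that omits the property will send the JWT cookie over plain HTTP as well. Defaulting to `@Value("${cookie.secure:true}")` and opting out explicitly for local development is the safer default. It also matters if `cookie.same.site` is ever set to `None`, which browsers accept only together with `Secure`. `createCookie` is now `public` and returns a builder, so a short Javadoc noting that it must run inside a request context and that `httpOnly(true)` is the default callers may override would help.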
Мои данные - +
+ +
- \ No newline at end of file +
+ +
From f77c95b1cd927a047bbb9fe5a71666bf346a9f65 Mon Sep 17 00:00:00 2001 From: kochetkov Date: Fri, 27 Dec 2024 12:42:08 +0300 Subject: [PATCH 14/21] SUPPORT-8830 fix logout --- .../template/app/component/log_out.html | 11 +++-- .../modules/app/component/logout.component.ts | 40 ++++++++++++++----- 2 files changed, 34 insertions(+), 17 deletions(-) diff --git a/frontend/src/resources/template/app/component/log_out.html b/frontend/src/resources/template/app/component/log_out.html index a691d3f..7d81200 100644 --- a/frontend/src/resources/template/app/component/log_out.html +++ b/frontend/src/resources/template/app/component/log_out.html @@ -1,10 +1,9 @@ +
Мои данные -
- -
+
-
- -
+ diff --git a/frontend/src/ts/modules/app/component/logout.component.ts b/frontend/src/ts/modules/app/component/logout.component.ts index c6674d4..5d5d319 100644 --- a/frontend/src/ts/modules/app/component/logout.component.ts +++ b/frontend/src/ts/modules/app/component/logout.component.ts 
@@ -1,21 +1,45 @@ -import {ChangeDetectorRef, Component, OnInit} from "@angular/core"; -import {HttpClient} from "@angular/common/http"; +import {ChangeDetectorRef, Component, DoCheck, OnInit} from "@angular/core"; +import {HttpClient, HttpXsrfTokenExtractor} from "@angular/common/http"; import {CookieService} from "ngx-cookie"; +import {AppConfigService} from "@webbpm/base-package"; @Component({ moduleId: module.id, selector: "[log-out]", templateUrl: "../../../../../src/resources/template/app/component/log_out.html" }) -export class LogOutComponent implements OnInit{ +export class LogOutComponent implements OnInit, DoCheck{ + private static readonly BACKEND_URL: string = "backend.url"; + private static readonly BACKEND_CONTEXT: string = "backend.context"; + private static readonly LOGOUT_URL_POSTFIX: string = "/esia/logout"; private userFullname: string; + csrfValue: any; + formAction: any; constructor(private httpClient: HttpClient, - private cookieService: CookieService, private cd: ChangeDetectorRef) { + private cookieService: CookieService, + private appConfigService: AppConfigService, + private tokenExtractor: HttpXsrfTokenExtractor, + private cd: ChangeDetectorRef) { + let backendUrl = this.appConfigService.getParamValue(LogOutComponent.BACKEND_URL); + let backendContext = this.appConfigService.getParamValue( + LogOutComponent.BACKEND_CONTEXT); + + if (backendUrl) { + this.formAction = `${backendUrl}${LogOutComponent.LOGOUT_URL_POSTFIX}`; + } + else if (backendContext) { + this.formAction = `/${backendContext}${LogOutComponent.LOGOUT_URL_POSTFIX}`; + } + } + + ngDoCheck(): void { + this.csrfValue = this.tokenExtractor.getToken(); } ngOnInit(): void { + this.csrfValue = this.tokenExtractor.getToken(); let isAuth = this.getIsAuth(); if (isAuth) { Promise.all([ 
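Review bot: `formAction` in `LogOutComponent` stays `undefined` when neither `backend.url` nor `backend.context` is configured, since the constructor has no final `else` branch, and the logout form would then presumably post to whatever URL the browser is on. A fallback such as `else { this.formAction = LogOutComponent.LOGOUT_URL_POSTFIX; }`, or failing at construction, makes the misconfiguration visible. `csrfValue` and `formAction` could be typed `string | null` and `string` rather than `any`. Re-reading the token in `ngDoCheck` on every change-detection pass deserves a comment explaining why `ngOnInit` alone is not enough. `ngOnInit` continues outside the hunk.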
@@ -27,12 +51,6 @@ export class LogOutComponent implements OnInit{ } } - logout(): Promise { - return this.httpClient.post('esia/logout', {}, { responseType: 'text' as 'json' }).toPromise().then(url => { - window.open(url, "_self"); - }); - } - public getUserFullname(): string { return this.userFullname; } @@ -40,4 +58,4 @@ export class LogOutComponent implements OnInit{ public getIsAuth(): boolean { return this.cookieService.get("webbpm.ervu-lkrp-fl") != null; } -} \ No newline at end of file +} From 9c061148caeeea47b445b613e1f23f5415b6faae Mon Sep 17 00:00:00 2001 From: kochetkov Date: Fri, 27 Dec 2024 12:52:39 +0300 Subject: [PATCH 15/21] SUPPORT-8830 fix logout --- .../ru/micord/ervu/security/esia/config/EsiaConfig.java | 7 +++++++ .../ervu/security/esia/service/EsiaAuthService.java | 9 +++++---- 2 files changed, 12 insertions(+), 4 deletions(-) diff --git a/backend/src/main/java/ru/micord/ervu/security/esia/config/EsiaConfig.java b/backend/src/main/java/ru/micord/ervu/security/esia/config/EsiaConfig.java index 61799a5..4fc0cfc 100644 --- a/backend/src/main/java/ru/micord/ervu/security/esia/config/EsiaConfig.java +++ b/backend/src/main/java/ru/micord/ervu/security/esia/config/EsiaConfig.java @@ -23,6 +23,9 @@ public class EsiaConfig { @Value("${esia.redirect.url}") private String redirectUrl; + @Value("${esia.logout.redirect.url}") + private String logoutRedirectUrl; + @Value("${sign.url}") private String signUrl; @@ -86,4 +89,8 @@ public class EsiaConfig { public String getEsiaTokenUrl() { return esiaTokenUrl; } + + public String getLogoutRedirectUrl() { + return logoutRedirectUrl; + } } diff --git a/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java b/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java index 671029d..4fb22ae 100644 --- a/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java +++ b/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java 
@@ -110,7 +110,7 @@ public class EsiaAuthService { "redirect_uri", redirectUrlEncoded, "client_certificate_hash", esiaConfig.getClientCertHash()); - return makeRequest(url, params); + return buildUrl(url, params); } catch (Exception e) { throw new RuntimeException(e); @@ -133,12 +133,13 @@ public class EsiaAuthService { .replace("+", "%20"); } - private static String makeRequest(URL url, Map params) { + private static String buildUrl(URL url, Map params) { StringBuilder uriBuilder = new StringBuilder(url.toString()); uriBuilder.append('?'); for (Map.Entry node : params.entrySet()) { uriBuilder.append(node.getKey()).append('=').append(node.getValue()).append("&"); } + uriBuilder.deleteCharAt(uriBuilder.length() - 1); return uriBuilder.toString(); } @@ -331,12 +332,12 @@ public class EsiaAuthService { EsiaTokensStore.removeAccessToken(userId); EsiaTokensStore.removeRefreshToken(userId); String logoutUrl = esiaConfig.getEsiaBaseUri() + esiaConfig.getEsiaLogoutUrl(); - String redirectUrl = esiaConfig.getRedirectUrl(); + String redirectUrl = esiaConfig.getLogoutRedirectUrl(); URL url = new URL(logoutUrl); Map params = mapOf( "client_id", esiaConfig.getClientId(), "redirect_url", redirectUrl); - return makeRequest(url, params); + return buildUrl(url, params); } catch (Exception e) { throw new RuntimeException(e); From b1d7de489768730ce633b7738c879c33ff01b6c6 Mon Sep 17 00:00:00 2001 From: kochetkov Date: Fri, 27 Dec 2024 13:01:16 +0300 Subject: [PATCH 16/21] SUPPORT-8830 temporary remove csp conf --- frontend/index.webpack.html | 4 ---- 1 file changed, 4 deletions(-) diff --git a/frontend/index.webpack.html b/frontend/index.webpack.html index 8aac9d4..aba7036 100644 --- a/frontend/index.webpack.html +++ b/frontend/index.webpack.html @@ -4,10 +4,6 @@ Личный кабинет физ.лица - - - From 2d2a07bb0c3d848025bfe6a0fc773a46a61ccb37 Mon Sep 17 00:00:00 2001 
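Review bot: `buildUrl` appends `node.getValue()` verbatim, and the logout hunk passes `esiaConfig.getLogoutRedirectUrl()` as `redirect_url` unencoded, while the authorization hunk passes `redirectUrlEncoded` for `redirect_uri`. A configured value containing `&`, `#` or `?` would be split into extra query parameters or truncated. Encoding the logout value with the same helper the authorization path uses (its name is outside these hunks), or encoding every value inside `buildUrl`, would make both paths consistent, provided ESIA accepts the encoded form for `redirect_url`. All three methods start outside their hunks.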
From: kochetkov Date: Fri, 27 Dec 2024 13:05:33 +0300 Subject: [PATCH 17/21] SUPPORT-8830 fix logout --- config.md | 4 ++++ config/micord.env | 1 + 2 files changed, 5 insertions(+) diff --git a/config.md b/config.md index e708a29..0920c80 100644 --- a/config.md +++ b/config.md @@ -760,6 +760,10 @@ JBPM использует 3 корневых категории логирова Важно: `ESIA_REDIRECT_URL` должна содержать полный адрес вплоть до последнего слэша: > - https://lkul.ervu.loc/ - правильное значение параметра > - https://lkul.ervu.loc - неправильное значение параметра +- `ESIA_LOGOUT_REDIRECT_URL` - ссылка, по которой должен быть направлен пользователь после logout-a + Важно: `ESIA_LOGOUT_REDIRECT_URL` должна содержать полный адрес вплоть до последнего слэша: +> - https://lkul.ervu.loc/home.html - правильное значение параметра +> - https://lkul.ervu.loc - неправильное значение параметра - `SIGN_URL` - url для подписания с помощью КриптоПро секрета клиента, необходимого для аутентификации через ЕСИА - `ESIA_CLIENT_CERT_HASH` - параметр, содержащий хэш сертификата (fingerprint сертификата) системы-клиента в hex–формате diff --git a/config/micord.env b/config/micord.env index 4a44124..4d9a355 100644 --- a/config/micord.env +++ b/config/micord.env @@ -12,6 +12,7 @@ ESIA_BASE_URI=https://esia-portal1.test.gosuslugi.ru/ ESIA_CLIENT_ID=MNSV89 ESIA_CLIENT_CERT_HASH=04508B4B0B58776A954A0E15F574B4E58799D74C61EE020B3330716C203E3BDD ESIA_REDIRECT_URL=https://lkrp-dev.micord.ru/fl/ +ESIA_LOGOUT_REDIRECT_URL=https://lkrp-dev.micord.ru/fl/home.html SIGN_URL=https://ervu-sign-dev.k8s.micord.ru/sign From 84683a4e2db9717cbc09398a46fa299684d84d66 Mon Sep 17 00:00:00 2001 
From: kochetkov Date: Fri, 27 Dec 2024 15:55:36 +0300 Subject: [PATCH 18/21] SUPPORT-8830 remove sensitive data from args 3.2 --- .../ervu/controller/ErvuDataController.java | 53 ++++--------------- .../micord/ervu/service/SubpoenaService.java | 51 ++++++++++++++++++ .../ervu/service/rpc/LoadFormRpcService.java | 12 ++++- .../ts/ervu/component/container/LoadForm.ts | 13 +---- 4 files changed, 72 insertions(+), 57 deletions(-) create mode 100644 backend/src/main/java/ru/micord/ervu/service/SubpoenaService.java diff --git a/backend/src/main/java/ru/micord/ervu/controller/ErvuDataController.java b/backend/src/main/java/ru/micord/ervu/controller/ErvuDataController.java index d45293c..bcd0d8d 100644 --- a/backend/src/main/java/ru/micord/ervu/controller/ErvuDataController.java +++ b/backend/src/main/java/ru/micord/ervu/controller/ErvuDataController.java @@ -1,18 +1,11 @@ package ru.micord.ervu.controller; -import com.google.protobuf.InvalidProtocolBufferException; -import org.apache.kafka.common.utils.Bytes; -import org.springframework.beans.factory.annotation.Qualifier; -import org.springframework.beans.factory.annotation.Value; -import org.springframework.web.bind.annotation.GetMapping; -import ru.micord.ervu.converter.SummonsResponseDataConverter; -import ru.micord.ervu.dto.SubpoenaRequestDto; -import ru.micord.ervu.dto.SubpoenaResponseDto; +import org.springframework.beans.factory.annotation.Autowired; import org.springframework.http.MediaType; +import org.springframework.web.bind.annotation.GetMapping; import org.springframework.web.bind.annotation.RestController; -import proto.ervu.rp.summons.SummonsResponseData; -import ru.micord.ervu.kafka.service.ReplyingKafkaService; -import ru.micord.ervu.security.webbpm.jwt.util.SecurityUtil; +import ru.micord.ervu.dto.SubpoenaResponseDto; +import ru.micord.ervu.service.SubpoenaService; /** * @author gulnaz 
@@ -20,41 +13,15 @@ import ru.micord.ervu.security.webbpm.jwt.util.SecurityUtil; @RestController public class ErvuDataController { - private final ReplyingKafkaService replyingKafkaService; - private final SummonsResponseDataConverter converter; + private final SubpoenaService subpoenaService; - @Value("${ervu.kafka.recruit.request.topic}") - private String recruitRequestTopic; - @Value("${ervu.kafka.recruit.reply.topic}") - private String recruitReplyTopic; - - public ErvuDataController( - @Qualifier("recruit") ReplyingKafkaService replyingKafkaService, - SummonsResponseDataConverter converter) { - this.replyingKafkaService = replyingKafkaService; - this.converter = converter; + @Autowired + public ErvuDataController(SubpoenaService subpoenaService) { + this.subpoenaService = subpoenaService; } - @GetMapping( - value = "/recruit", - produces = MediaType.APPLICATION_JSON_VALUE - ) + @GetMapping(value = "/recruit", produces = MediaType.APPLICATION_JSON_VALUE) public SubpoenaResponseDto getData() { - String ervuId = SecurityUtil.getErvuId(); - - if (ervuId == null) { - return new SubpoenaResponseDto.Builder().build(); - } - SubpoenaRequestDto subpoenaRequestDto = new SubpoenaRequestDto(ervuId); - byte[] reply = replyingKafkaService.sendMessageAndGetReply(recruitRequestTopic, - recruitReplyTopic, subpoenaRequestDto).get(); - - try { - SummonsResponseData responseData = SummonsResponseData.parseFrom(reply); - return converter.convert(responseData); - } - catch (InvalidProtocolBufferException e) { - throw new RuntimeException("Failed to parse data", e); - } + return subpoenaService.getSubpoenaData(); } } diff --git a/backend/src/main/java/ru/micord/ervu/service/SubpoenaService.java b/backend/src/main/java/ru/micord/ervu/service/SubpoenaService.java new file mode 100644 index 0000000..438338d --- /dev/null +++ b/backend/src/main/java/ru/micord/ervu/service/SubpoenaService.java 
@@ -0,0 +1,51 @@ +package ru.micord.ervu.service; + +import com.google.protobuf.InvalidProtocolBufferException; +import org.apache.kafka.common.utils.Bytes; +import org.springframework.beans.factory.annotation.Qualifier; +import org.springframework.beans.factory.annotation.Value; +import org.springframework.stereotype.Service; +import proto.ervu.rp.summons.SummonsResponseData; +import ru.micord.ervu.converter.SummonsResponseDataConverter; +import ru.micord.ervu.dto.SubpoenaRequestDto; +import ru.micord.ervu.dto.SubpoenaResponseDto; +import ru.micord.ervu.kafka.service.ReplyingKafkaService; +import ru.micord.ervu.security.webbpm.jwt.util.SecurityUtil; + +@Service +public class SubpoenaService { + + private final ReplyingKafkaService replyingKafkaService; + private final SummonsResponseDataConverter converter; + + @Value("${ervu.kafka.recruit.request.topic}") + private String recruitRequestTopic; + @Value("${ervu.kafka.recruit.reply.topic}") + private String recruitReplyTopic; + + public SubpoenaService( + @Qualifier("recruit") ReplyingKafkaService replyingKafkaService, + SummonsResponseDataConverter converter) { + this.replyingKafkaService = replyingKafkaService; + this.converter = converter; + } + + public SubpoenaResponseDto getSubpoenaData() { + String ervuId = SecurityUtil.getErvuId(); + + if (ervuId == null) { + return new SubpoenaResponseDto.Builder().build(); + } + SubpoenaRequestDto subpoenaRequestDto = new SubpoenaRequestDto(ervuId); + byte[] reply = replyingKafkaService.sendMessageAndGetReply(recruitRequestTopic, + recruitReplyTopic, subpoenaRequestDto).get(); + + try { + SummonsResponseData responseData = SummonsResponseData.parseFrom(reply); + return converter.convert(responseData); + } + catch (InvalidProtocolBufferException e) { + throw new RuntimeException("Failed to parse data", e); + } + } +} 
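Review bot: The new `SubpoenaService.getSubpoenaData()` has no Javadoc recording the invariant this commit introduces, namely that the subject is taken from `SecurityUtil.getErvuId()` on the server and is never supplied by the caller. I would add `/** Loads subpoena data for the current user; the ERVU id comes from the security context and must not be accepted as a parameter. */` above the method. The same comment should state that a null ERVU id yields an empty `SubpoenaResponseDto` rather than an error, since that branch is silent and callers cannot tell it apart from a user with no data. The `throw new RuntimeException("Failed to parse data", e)` path could also be listed there, so that callers know a malformed reply surfaces as an unchecked exception.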
diff --git a/backend/src/main/java/ru/micord/ervu/service/rpc/LoadFormRpcService.java b/backend/src/main/java/ru/micord/ervu/service/rpc/LoadFormRpcService.java index 36e4c86..58a97f3 100644 --- a/backend/src/main/java/ru/micord/ervu/service/rpc/LoadFormRpcService.java +++ b/backend/src/main/java/ru/micord/ervu/service/rpc/LoadFormRpcService.java @@ -3,6 +3,9 @@ package ru.micord.ervu.service.rpc; import java.util.List; import model.FieldData; +import org.springframework.beans.factory.annotation.Autowired; +import ru.micord.ervu.dto.SubpoenaResponseDto; +import ru.micord.ervu.service.SubpoenaService; import service.container.FormService; import ru.cg.webbpm.modules.standard_annotations.validation.NotNull; @@ -19,8 +22,13 @@ public class LoadFormRpcService extends Behavior { @NotNull public FormService formService; + //todo: Remove this shit + @Autowired + public SubpoenaService subpoenaService; + @RpcCall - public List loadData(Object dto) { - return formService.loadData(dto); + public List loadData() { + SubpoenaResponseDto subpoenaData = subpoenaService.getSubpoenaData(); + return formService.loadData(subpoenaData); } } diff --git a/frontend/src/ts/ervu/component/container/LoadForm.ts b/frontend/src/ts/ervu/component/container/LoadForm.ts index 4a785b8..06f3018 100644 --- a/frontend/src/ts/ervu/component/container/LoadForm.ts +++ b/frontend/src/ts/ervu/component/container/LoadForm.ts @@ -1,7 +1,6 @@ import {Form} from "@webbpm/base-package"; import {ChangeDetectionStrategy, Component} from "@angular/core"; import {ErvuDataService} from "../../../modules/app/service/ervu-data.service"; -import {Subscription} from "rxjs"; import {LoadFormRpcService} from "../../../generated/ru/micord/ervu/service/rpc/LoadFormRpcService"; @Component({ 
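Review bot: In LoadFormRpcService.java (hunk `@@ -19,8 +22,13 @@`) the injected `subpoenaService` is a `public` mutable field on an RPC-exposed behavior, and the comment above it (`//todo: Remove this shit`) does not say what is to be removed or why. Unless the framework requires public fields for injection here (not visible in the patch), declare it `@Autowired private SubpoenaService subpoenaService;` so other code cannot swap the service that now decides whose data is loaded. Replace the comment with an actionable one such as `// TODO: replace field injection of SubpoenaService with <intended mechanism>`. `loadData()` should also get a short Javadoc, e.g. `/** Loads form data for the current user; takes no arguments so the client cannot supply the DTO. */`, to keep the parameter from being reintroduced. The class declaration starts outside this hunk.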
@@ -14,25 +13,16 @@ export class LoadForm extends Form { private formRpcService: LoadFormRpcService; private ervuDataService: ErvuDataService; - private subscription: Subscription; - - private valuesData: string; initialize() { super.initialize(); this.formRpcService = this.getScript(LoadFormRpcService); this.ervuDataService = this.injector.get(ErvuDataService); - this.subscription = this.ervuDataService.message.subscribe(value => { - if (value) { - this.valuesData = value; - this.loadData(); - } - }); } loadData(): Promise { return this.formRpcService - .loadData(this.valuesData) + .loadData() .then(fieldDataList => this.setData(fieldDataList)) .catch(reason => { throw new Error(reason); @@ -49,6 +39,5 @@ export class LoadForm extends Form { ngOnDestroy() { super.ngOnDestroy(); - this.subscription.unsubscribe(); } } From 7d9928e4784c9c239e255368abdddbc58727b108 Mon Sep 17 00:00:00 2001 From: kochetkov Date: Fri, 27 Dec 2024 16:26:01 +0300 Subject: [PATCH 19/21] SUPPORT-8830 3.5 partially --- frontend/index.webpack.html | 2 ++ 1 file changed, 2 insertions(+) diff --git a/frontend/index.webpack.html b/frontend/index.webpack.html index aba7036..0a55a7e 100644 --- a/frontend/index.webpack.html +++ b/frontend/index.webpack.html @@ -4,6 +4,8 @@ Личный кабинет физ.лица + From ed9e9a3ce8105143b1422ccde192686032def6f7 Mon Sep 17 00:00:00 2001 From: kochetkov Date: Fri, 27 Dec 2024 16:36:35 +0300 Subject: [PATCH 20/21] SUPPORT-8830 fix imports --- .../micord/ervu/security/webbpm/jwt/util/SecurityUtil.java | 6 ------ 1 file changed, 6 deletions(-) diff --git a/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/util/SecurityUtil.java b/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/util/SecurityUtil.java index 9dbc11a..15c3c7a 100644 --- a/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/util/SecurityUtil.java +++ b/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/util/SecurityUtil.java 
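Review bot: After this hunk `ervuDataService` is still declared and fetched in `initialize()`, but nothing in the visible lines of LoadForm.ts reads it. The `ngOnDestroy()` override in the following hunk (`@@ -49,6 +39,5 @@`) likewise now only calls `super.ngOnDestroy()`. If the lines between the hunks do not use the service, drop the field, the `this.injector.get(ErvuDataService)` call and its import, and remove the empty override. It is also not visible what triggers `loadData()` now that the subscription is gone; a one-line comment on `loadData()` naming its caller would help. The class body continues outside both hunks.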
@@ -1,19 +1,13 @@ package ru.micord.ervu.security.webbpm.jwt.util; -import java.net.URLEncoder; -import java.nio.charset.StandardCharsets; import java.util.Optional; import javax.servlet.http.Cookie; import javax.servlet.http.HttpServletRequest; import org.springframework.security.core.context.SecurityContextHolder; -import org.springframework.web.context.request.RequestAttributes; -import org.springframework.web.context.request.RequestContextHolder; import org.springframework.web.util.WebUtils; import ru.micord.ervu.security.webbpm.jwt.JwtAuthentication; -import static org.springframework.web.context.request.RequestAttributes.REFERENCE_REQUEST; - public final class SecurityUtil { public static final String AUTH_TOKEN = "auth_token"; From ba07e5f3f64604b02e9bb6528e4c33f2d7a2f67a Mon Sep 17 00:00:00 2001 From: Zaripov Emil Date: Wed, 8 Jan 2025 16:32:58 +0300 Subject: [PATCH 21/21] set version 1.9.4 --- backend/pom.xml | 2 +- distribution/pom.xml | 2 +- frontend/pom.xml | 2 +- pom.xml | 2 +- resources/pom.xml | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/backend/pom.xml b/backend/pom.xml index 299288a..294889f 100644 --- a/backend/pom.xml +++ b/backend/pom.xml @@ -5,7 +5,7 @@ ru.micord.ervu.lkrp fl - 1.9.4-SNAPSHOT + 1.9.4 ru.micord.ervu.lkrp.fl backend diff --git a/distribution/pom.xml b/distribution/pom.xml index 06b5df1..551d698 100644 --- a/distribution/pom.xml +++ b/distribution/pom.xml @@ -4,7 +4,7 @@ ru.micord.ervu.lkrp fl - 1.9.4-SNAPSHOT + 1.9.4 ru.micord.ervu.lkrp.fl diff --git a/frontend/pom.xml b/frontend/pom.xml index 183b3c5..c26ba98 100644 --- a/frontend/pom.xml +++ b/frontend/pom.xml @@ -4,7 +4,7 @@ ru.micord.ervu.lkrp fl - 1.9.4-SNAPSHOT + 1.9.4 ru.micord.ervu.lkrp.fl diff --git a/pom.xml b/pom.xml index a62223b..114f521 100644 --- a/pom.xml +++ b/pom.xml @@ -4,7 +4,7 @@ 4.0.0 ru.micord.ervu.lkrp fl - 1.9.4-SNAPSHOT + 1.9.4 pom backend diff --git a/resources/pom.xml b/resources/pom.xml index 94913d8..dcc702a 100644 
--- a/resources/pom.xml +++ b/resources/pom.xml @@ -4,7 +4,7 @@ ru.micord.ervu.lkrp fl - 1.9.4-SNAPSHOT + 1.9.4 ru.micord.ervu.lkrp.fl