Password reset link test condition more strict and move all WebWolf links to /WebWolf (#1645)

* better check on host and port for password reset and make context roots more flexible

* spotless applied

* removed hardcoded /WebGoat from js

* removed hardcoded /WebGoat from js

* fix spotless

* fix scoreboard

* upgrade WebWolf bootstrap version and icons and templates - part 1

* fixed more bootstrap 5 style issues and context path issues

* organized WebSecurityConfig based on latest conventions and added basic support for oauth (more work needed)

* spotless applied

* added mock bean

* requires updates to properties - commented for now

* requires updates to properties - commented for now

* oauth secrets through env values

* user creation after oauth login

* integration test against non default context paths

* adjusted StartupMessage

* add global model element username

* conditionally show login oauth links

* fixed WebWolf login

---------

Co-authored-by: René Zubcevic <rene@Mac-mini-van-Rene.local>

src/main/resources/webgoat/static/js/goatApp/model/FlagsCollection.js

@@ -7,7 +7,7 @@ define(['jquery',
 		Backbone,
 		FlagModel) {
 	return Backbone.Collection.extend({
-		url:'/WebGoat/scoreboard-data',
+		url:'scoreboard-data',
 		model:FlagModel
 	});
 });

src/main/resources/webgoat/static/js/goatApp/model/MenuData.js

@@ -3,7 +3,7 @@
 define(['jquery','underscore','backbone'], function($,_,Backbone) {
 
 var menuData = Backbone.Model.extend({
-		urlRoot:'/webgoat/service/lessonmenu.mvc',
+		urlRoot:'service/lessonmenu.mvc',
 		defaults: {
 			items:null,
 			selectedItem:null

src/main/resources/webgoat/static/js/goatApp/scoreboardApp.js

@@ -1,17 +1,16 @@
-define(['jquery',
-        'underscore',
-        'backbone',
+define(['underscore',
         'goatApp/support/goatAsyncErrorHandler',
         'goatApp/view/ScoreboardView'],
-    function ($,
+    function (
          _,
-         Backbone,
          asyncErrorHandler,
          ScoreboardView) {
         'use strict'
-        return {
-            initApp: function () {
-                scoreboard = new ScoreboardView();
+        class ScoreboardApp {
+            initApp() {
+                asyncErrorHandler.init();
+                this.scoreboard = new ScoreboardView();
             }
-        };
+        }
+        return new ScoreboardApp();
     });

src/main/resources/webgoat/static/js/goatApp/view/GoatRouter.js

@@ -5,7 +5,7 @@
  */
 
 define(['jquery',
-	'libs/jquery-vuln',
+	'jqueryvuln',
 	'jqueryuivuln',
     'underscore',
     'backbone',
@@ -66,7 +66,7 @@ define(['jquery',
                 console.log('phoneHome invoked');
                 webgoat.customjs.jquery.ajax({
                     method: "POST",
-                    url: "/WebGoat/CrossSiteScripting/phone-home-xss",
+                    url: "CrossSiteScripting/phone-home-xss",
                     data: {param1: 42, param2: 24},
                     headers: {
                         "webgoat-requested-by": "dom-xss-vuln"

src/main/resources/webgoat/static/js/goatApp/view/HintView.js

@@ -53,7 +53,7 @@ function($,
 		},
 
         /**
-		 * Select the hints, we get '/WebGoat/HttpBasics/attack1' in the json (nav) we need to select all the hints
+		 * Select the hints, we get 'HttpBasics/attack1' in the json (nav) we need to select all the hints
 		 * from the model where the assignment name is contained in the assignmentPath. We do this not to mess
 		 * with contextRoots etc and try to select the name from the url.
 		 *

src/main/resources/webgoat/static/js/goatApp/view/PaginationControlView.js

@@ -57,8 +57,8 @@ define(['jquery',
 
                 isAttackSolved = function (path) {
                     //strip
-                    var newPath = path.replace(/^\/WebGoat/,'');
-                    var newPath = newPath.replace(/\//g,'');
+                    //var newPath = path.replace(/^\/WebGoat/,'');
+                    var newPath = path.replace(/\//g,'');
                     if (typeof solvedMap[newPath] !== 'undefined') {
                         return true;
                     }
@@ -82,9 +82,9 @@ define(['jquery',
                         for (var i=0; i< $assignmentForms.length; i++) {
                             //normalize path
                             var action = $assignmentForms.attr('action');
-                            if (action.endsWith("/WebGoat/WebWolf/mail/")) {
+                            if (action.endsWith("WebWolf/mail/")) {
                             	//fix for now. the find does not seem to work properly and gets confused with two /mail
-                            	action = "/WebGoat/WebWolf/mail/send";                            	
+                            	action = "WebWolf/mail/send";                            	
                             } 
                             if (action.indexOf("?")>-1) {     
                             	//used to also mark forms like JWT assignment 8 complete

src/main/resources/webgoat/static/js/libs/jquery-base.js

@@ -1,9 +0,0 @@
-// AMD (Asynchronous Module Definition) wrapper for jQuery 1.8
-define([
-    // Load the jQuery source file
-    '/WebGoat/js/libs/jquery.min.js'
-    ],
-    function(){
-        // Tell Require.js that this module returns a reference to jQuery
-        return $; // Return the global scope object
-});

src/main/resources/webgoat/static/js/libs/jquery-ui-1.10.4.js

@@ -1,4 +1,4 @@
-var jQuery = require('libs/jquery-vuln');
+var jQuery = require('jqueryvuln');
 
 /*! jQuery UI - v1.10.3 - 2013-05-03
 * http://jqueryui.com

src/main/resources/webgoat/static/js/libs/jquery-vuln.js

@@ -1,9 +0,0 @@
-// AMD (Asynchronous Module Definition) wrapper for jQuery 1.8
-define([
-    // Load the jQuery source file
-    '/WebGoat/js/libs/jquery-2.1.4.min.js'
-    ],
-    function(){
-        // Tell Require.js that this module returns a reference to jQuery
-        return $.noConflict(true); // Return the global scope object
-});

src/main/resources/webgoat/static/js/main.js

@@ -25,6 +25,7 @@ require.config({
   baseUrl: "js/",
   paths: {
     jquery: 'libs/jquery.min',
+    jqueryvuln: 'libs/jquery-2.1.4.min',
     jqueryuivuln: 'libs/jquery-ui-1.10.4',
     jqueryui: 'libs/jquery-ui.min',
     underscore: 'libs/underscore-min',
@@ -35,16 +36,10 @@ require.config({
     polyglot: 'libs/polyglot.min'
   },
 
-  map: {
-	    'libs/jquery-base' : {'jquery':'libs/jquery.min'},
-	    'libs/jquery-vuln' : {'jquery':'libs/jquery-2.1.4.min'}
-  },
-
-
   shim: {
 	"jqueryui": {
 	  exports:"$",
-	  deps: ['libs/jquery-base']
+	  deps: ['jquery']
 	},
     underscore: {
       exports: "_"
@@ -65,12 +60,11 @@ require.config({
  */
 require([
 	'jquery',
-	'libs/jquery-base',
-	'libs/jquery-vuln',
+	'jqueryvuln',
 	'jqueryui', 
 	'underscore',
 	'backbone',
 	'bootstrap',
-	'goatApp/goatApp'], function($,jqueryBase,jqueryVuln,jqueryui,_,Backbone,Bootstrap,Goat){
+	'goatApp/goatApp'], function($,jqueryVuln,jqueryui,_,Backbone,Bootstrap,Goat){
     Goat.initApp();
 });

src/main/resources/webgoat/static/js/quiz.js

@@ -12,7 +12,7 @@ $(function () {
     var json = "";
     var client = new XMLHttpRequest();
     var quiz_id = document.getElementById("quiz_id").getAttribute("data-quiz_id");
-    client.open('GET', '/WebGoat/lesson_js/questions_' + quiz_id + '.json');
+    client.open('GET', 'lesson_js/questions_' + quiz_id + '.json');
     client.onreadystatechange = function() {
         if (this.readyState == 4 && this.status == 200) {
             json += client.responseText;

src/main/resources/webgoat/static/js/scoreboard.js

@@ -14,6 +14,7 @@ require.config({
   baseUrl: "js/",
   paths: {
     jquery: 'libs/jquery.min',
+    jqueryvuln: 'libs/jquery-2.1.4.min',
     jqueryuivuln: 'libs/jquery-ui-1.10.4',
     jqueryui: 'libs/jquery-ui.min',
     underscore: 'libs/underscore-min',
@@ -23,11 +24,6 @@ require.config({
     polyglot: 'libs/polyglot.min'
   },
 
-  map: {
-    'libs/jquery-base' : {'jquery':'libs/jquery.min'},
-    'libs/jquery-vuln' : {'jquery':'libs/jquery-2.1.4.min'}
-  },
-
   shim: {
 	"jqueryui": {
 	  exports:"$",
@@ -43,6 +39,6 @@ require.config({
   }
 });
 
-require(['jquery','libs/jquery-base','libs/jquery-vuln','jqueryui', 'underscore','backbone','goatApp/scoreboardApp'], function($,jqueryBase,jqueryVuln,jqueryui,_,Backbone,ScoreboardApp){
+require(['underscore','backbone','goatApp/scoreboardApp'], function(_,Backbone,ScoreboardApp){
     ScoreboardApp.initApp();
 });

src/main/resources/webgoat/templates/login.html

@@ -43,6 +43,12 @@
                 <div class="text-center"><a th:href="@{/registration}" th:text="#{register.new}"></a></div>
             </form>
             <br/><br/>
+            <div th:if="${oauth}">
+            <h3 class="form-signin-heading">Login with OAuth 2.0</h3>
+                <table class="table table-striped">
+                    <tr><td></tr><a href="oauth2/authorization/github">GitHub</a></td></tr>
+                </table>
+            </div>
         </section>
     </section>
 </section>

src/main/resources/webgoat/templates/scoreboard.html

@@ -8,7 +8,7 @@
     <meta http-equiv="Cache-Control" CONTENT="no-store"/>
 
     <!--  CSS -->
-    <link rel="shortcut icon" th:href="@{/images/favicon.ico}" type="image/x-icon"/>
+    <link rel="shortcut icon" th:href="@{/css/img/favicon.ico}" type="image/x-icon"/>
 
     <!-- Require.js used to load js asynchronously -->
     <script src="js/libs/require.min.js" data-main="js/scoreboard.js"></script>