From e6d1a1f4eb0f907f1efd73fef523c0887353f9a8 Mon Sep 17 00:00:00 2001
From: Nanne Baars
Date: Tue, 12 Nov 2019 08:00:49 +0100
Subject: [PATCH 1/3] Enable salaries again as rest controller

---
 .../org/owasp/webgoat/client_side_filtering/Salaries.java | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/client_side_filtering/Salaries.java b/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/client_side_filtering/Salaries.java
index f0ad580a91..bd2221caa6 100644
--- a/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/client_side_filtering/Salaries.java
+++ b/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/client_side_filtering/Salaries.java
@@ -22,12 +22,12 @@
 package org.owasp.webgoat.client_side_filtering;
-import lombok.SneakyThrows;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.core.io.ClassPathResource;
 import org.springframework.util.FileCopyUtils;
-import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.RestController;
 import org.w3c.dom.Node;
 import org.w3c.dom.NodeList;
 import org.xml.sax.InputSource;
@@ -47,6 +47,7 @@
 import java.util.List;
 import java.util.Map;
+@RestController
 public class Salaries { // {extends Endpoint {
 @Value("${webgoat.user.directory}")
@@ -66,7 +67,7 @@ public void copyFiles() {
 }
 }
- @RequestMapping(produces = {"application/json"})
+ @GetMapping("clientSideFiltering/salaries")
 @ResponseBody
 public List> invoke() throws ServletException, IOException {
 NodeList nodes = null;
From 92e0b2e93ef75b085476c226816b12d37c2f7fc6 Mon Sep 17 00:00:00 2001
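Review bot: The class line that `@RestController` now annotates still carries the commented-out `// {extends Endpoint {`, which is dead code left from an earlier design and now contradicts the annotation that states the class's role. With the annotation in place the line should simply read `public class Salaries {`. The class body continues past this hunk.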
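Review bot: `@GetMapping("clientSideFiltering/salaries")` drops the `produces = "application/json"` constraint the replaced `@RequestMapping` carried, so the mapping no longer declares its response media type and a client negotiating an unsupported type is no longer refused with 406; keep it on the new annotation, `@GetMapping(value = "/clientSideFiltering/salaries", produces = "application/json")`. The path also lacks a leading slash, which Spring tolerates by prepending one, but the sibling mappings in this repository presumably spell the slash out, so it is worth matching. `@ResponseBody` on the method is redundant once the class is a `@RestController` (the earlier hunk in this patch) and can go. The body of `invoke()` continues outside the hunk.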
From: Nanne Baars
Date: Tue, 12 Nov 2019 08:01:32 +0100
Subject: [PATCH 2/3] Rename endpoint in JavaScript as backend call uses different endpoint

---
 webgoat-lessons/jwt/src/main/resources/js/jwt-voting.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/webgoat-lessons/jwt/src/main/resources/js/jwt-voting.js b/webgoat-lessons/jwt/src/main/resources/js/jwt-voting.js
index 994ef7d3a4..55f95b8a0a 100644
--- a/webgoat-lessons/jwt/src/main/resources/js/jwt-voting.js
+++ b/webgoat-lessons/jwt/src/main/resources/js/jwt-voting.js
@@ -76,7 +76,7 @@ function vote(title) {
 } else {
 $.ajax({
 type: 'POST',
- url: 'JWT/votings/vote/' + title
+ url: 'JWT/votings/' + title
 }).then(
 function () {
 getVotings();
From 084cdc360ca837804a2a335d097d22bbd7b057bf Mon Sep 17 00:00:00 2001
From: Nanne Baars
Date: Tue, 12 Nov 2019 08:02:07 +0100
Subject: [PATCH 3/3] Add JavaScript to assignment otherwise you will not be able to see the flow of the endpoint

---
 .../main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java | 2 +-
 webgoat-lessons/jwt/src/main/resources/html/JWT.html | 1 +
 webgoat-lessons/sol.MD | 3 +++
 3 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java b/webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
index 537bf12539..9ea88894ab 100644
--- a/webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
+++ b/webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
@@ -58,7 +58,7 @@ public ResponseEntity follow(@RequestBody(required = false) Map
 String user = (String) json.get("user");
 String password = (String) json.get("password");
- if ("Jerry".equals(user) && PASSWORD.equals(password)) {
+ if ("Jerry".equalsIgnoreCase(user) && PASSWORD.equals(password)) {
 return ok(createNewTokens(user));
 }
 return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
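Review bot: The new `url: 'JWT/votings/' + title` still splices `title` into the request path unescaped, so a title containing `/`, `?`, `#`, `%` or similar produces a different route or a malformed URL instead of the intended vote. Encode the segment: `url: 'JWT/votings/' + encodeURIComponent(title)`. The rest of `vote()` lies outside the hunk, so whether `title` is checked earlier cannot be seen here.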
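Review bot: With `equalsIgnoreCase` the login now succeeds for any casing of `Jerry`, but `createNewTokens(user)` on the next line is still handed the caller-supplied spelling, so a login as `jerry` or `JERRY` mints a token whose user claim differs from the canonical name; if any later check compares that claim exactly against `Jerry` (not visible in this hunk), such tokens will behave differently from ones obtained with the exact name. Issue the token with the canonical value instead: `return ok(createNewTokens("Jerry"));`. The context lines also dereference `json` although the header shows `@RequestBody(required = false)`, so a request without a body ends in a NullPointerException rather than a 400 or 401; a `if (json == null) return ResponseEntity.badRequest().build();` before the lookups would close that. The signature of `follow` sits in the hunk header and its body begins outside the hunk.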
diff --git a/webgoat-lessons/jwt/src/main/resources/html/JWT.html b/webgoat-lessons/jwt/src/main/resources/html/JWT.html
index 71775a15b2..9c1a6889f5 100644
--- a/webgoat-lessons/jwt/src/main/resources/html/JWT.html
+++ b/webgoat-lessons/jwt/src/main/resources/html/JWT.html
@@ -122,6 +122,7 @@

Vote for your favorite

+