check if valid token first

cthit · Jun 15, 2024 · c1c151a · c1c151a
1 parent 16c97f8
commit c1c151a
Show file tree

Hide file tree

Showing 6 changed files with 81 additions and 9 deletions.
diff --git a/app/src/main/java/it/chalmers/gamma/adapter/primary/web/ForgotPasswordController.java b/app/src/main/java/it/chalmers/gamma/adapter/primary/web/ForgotPasswordController.java
@@ -114,6 +114,18 @@ public ModelAndView createGetFinalizeForgotPassword(
   public ModelAndView getFinalizeForgotPassword(
       @RequestHeader(value = "HX-Request", required = false) boolean htmxRequest,
       @RequestParam(value = "token", required = true) String token) {
+    if (!this.userResetPasswordFacade.isValidToken(token)) {
+      ModelAndView mv = new ModelAndView();
+      if (htmxRequest) {
+        mv.setViewName("pages/password-reset-token-bad");
+      } else {
+        mv.setViewName("index");
+        mv.addObject("page", "pages/password-reset-token-bad");
+      }
+
+      return mv;
+    }
+
     FinalizeForgotPassword form = new FinalizeForgotPassword(token, "", "");
 
     return createGetFinalizeForgotPassword(htmxRequest, form, null);

diff --git a/app/src/main/java/it/chalmers/gamma/adapter/primary/web/RegisterAccountController.java b/app/src/main/java/it/chalmers/gamma/adapter/primary/web/RegisterAccountController.java
@@ -1,7 +1,5 @@
 package it.chalmers.gamma.adapter.primary.web;
 
-import static it.chalmers.gamma.adapter.primary.web.WebValidationHelper.validateObject;
-
 import it.chalmers.gamma.app.common.Email.EmailValidator;
 import it.chalmers.gamma.app.user.UserCreationFacade;
 import it.chalmers.gamma.app.user.activation.domain.UserActivationRepository;
@@ -11,7 +9,6 @@
 import it.chalmers.gamma.app.user.domain.LastName.LastNameValidator;
 import it.chalmers.gamma.app.user.domain.Nick.NickValidator;
 import it.chalmers.gamma.app.user.domain.UnencryptedPassword.UnencryptedPasswordValidator;
-import java.time.Year;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.stereotype.Controller;
@@ -23,6 +20,10 @@
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.servlet.ModelAndView;
 
+import java.time.Year;
+
+import static it.chalmers.gamma.adapter.primary.web.WebValidationHelper.validateObject;
+
 @Controller
 public class RegisterAccountController {
 
@@ -115,6 +116,18 @@ public ModelAndView createGetRegister(
   public ModelAndView getRegister(
       @RequestHeader(value = "HX-Request", required = false) boolean htmxRequest,
       @RequestParam(value = "token", required = true) String token) {
+    if (!this.userCreationFacade.isValidToken(token)) {
+      ModelAndView mv = new ModelAndView();
+      if (htmxRequest) {
+        mv.setViewName("pages/register-account-token-bad");
+      } else {
+        mv.setViewName("index");
+        mv.addObject("page", "pages/register-account-token-bad");
+      }
+
+      return mv;
+    }
+
     CreateAccountForm form =
         new CreateAccountForm(token, "", "", "", "", "", "", Year.now().getValue(), "SV", false);
 

diff --git a/app/src/main/java/it/chalmers/gamma/app/user/UserCreationFacade.java b/app/src/main/java/it/chalmers/gamma/app/user/UserCreationFacade.java
@@ -1,8 +1,5 @@
 package it.chalmers.gamma.app.user;
 
-import static it.chalmers.gamma.app.authentication.AccessGuard.isAdmin;
-import static it.chalmers.gamma.app.authentication.AccessGuard.isNotSignedIn;
-
 import it.chalmers.gamma.app.Facade;
 import it.chalmers.gamma.app.authentication.AccessGuard;
 import it.chalmers.gamma.app.common.Email;
@@ -13,12 +10,16 @@
 import it.chalmers.gamma.app.user.allowlist.AllowListRepository;
 import it.chalmers.gamma.app.user.domain.*;
 import jakarta.transaction.Transactional;
-import java.util.UUID;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.stereotype.Service;
 
+import java.util.UUID;
+
+import static it.chalmers.gamma.app.authentication.AccessGuard.isAdmin;
+import static it.chalmers.gamma.app.authentication.AccessGuard.isNotSignedIn;
+
 @Service
 public class UserCreationFacade extends Facade {
 
@@ -135,6 +136,12 @@ private void sendEmail(Cid cid, UserActivationToken userActivationToken) {
     this.mailService.sendMail(to, "Gamma activation url", message);
   }
 
+  public boolean isValidToken(String token) {
+    this.accessGuard.require(isNotSignedIn());
+
+    return this.userActivationRepository.doesTokenExist(new UserActivationToken(token));
+  }
+
   public record NewUserByCode(
       String password,
       String nick,

diff --git a/app/src/main/java/it/chalmers/gamma/app/user/passwordreset/UserResetPasswordFacade.java b/app/src/main/java/it/chalmers/gamma/app/user/passwordreset/UserResetPasswordFacade.java
@@ -1,7 +1,5 @@
 package it.chalmers.gamma.app.user.passwordreset;
 
-import static it.chalmers.gamma.app.authentication.AccessGuard.isNotSignedIn;
-
 import it.chalmers.gamma.app.Facade;
 import it.chalmers.gamma.app.authentication.AccessGuard;
 import it.chalmers.gamma.app.common.Email;
@@ -19,6 +17,8 @@
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.stereotype.Service;
 
+import static it.chalmers.gamma.app.authentication.AccessGuard.isNotSignedIn;
+
 @Service
 public class UserResetPasswordFacade extends Facade {
 
@@ -99,6 +99,12 @@ private void sendPasswordResetTokenMail(Email email, PasswordResetToken token) {
     this.mailService.sendMail(email.value(), subject, message);
   }
 
+  public boolean isValidToken(String token) {
+    this.accessGuard.require(isNotSignedIn());
+
+    return this.passwordResetRepository.doesTokenExist(new PasswordResetToken(token));
+  }
+
   // Vague for security reasons
   public static class PasswordResetProcessException extends Exception {}
 }
diff --git a/app/src/main/resources/templates/pages/password-reset-token-bad.html b/app/src/main/resources/templates/pages/password-reset-token-bad.html
@@ -0,0 +1,17 @@
+<header th:replace="~{common/header-without-nav}"></header>
+<main>
+    <article>
+        <header>
+            Bad token
+        </header>
+        <p>
+            It seems like the reset password link has been expired.
+            Please request a new token.
+        </p>
+        <footer>
+            <a th:href="@{/forgot-password}" >
+                Forgot password
+            </a>
+        </footer>
+    </article>
+</main>
diff --git a/app/src/main/resources/templates/pages/register-account-token-bad.html b/app/src/main/resources/templates/pages/register-account-token-bad.html
@@ -0,0 +1,17 @@
+<header th:replace="~{common/header-without-nav}"></header>
+<main>
+    <article>
+        <header>
+            Bad token
+        </header>
+        <p>
+            It seems like the register account link has been expired.
+            Please request a new token.
+        </p>
+        <footer>
+            <a th:href="@{/activate-cid}" >
+                Register
+            </a>
+        </footer>
+    </article>
+</main>