From c1c151a2a3a8727b9f3fb314c07b80ad802034e1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Theodor=20Angerg=C3=A5rd?=
Date: Sun, 16 Jun 2024 01:38:11 +0200
Subject: [PATCH] check if valid token first

---
 .../primary/web/ForgotPasswordController.java | 12 ++++++++++++
 .../web/RegisterAccountController.java | 19 ++++++++++++++++---
 .../gamma/app/user/UserCreationFacade.java | 15 +++++++++++----
 .../UserResetPasswordFacade.java | 10 ++++++++--
 .../pages/password-reset-token-bad.html | 17 +++++++++++++++++
 .../pages/register-account-token-bad.html | 17 +++++++++++++++++
 6 files changed, 81 insertions(+), 9 deletions(-)
 create mode 100644 app/src/main/resources/templates/pages/password-reset-token-bad.html
 create mode 100644 app/src/main/resources/templates/pages/register-account-token-bad.html

diff --git a/app/src/main/java/it/chalmers/gamma/adapter/primary/web/ForgotPasswordController.java b/app/src/main/java/it/chalmers/gamma/adapter/primary/web/ForgotPasswordController.java
index 3621e0efb..753630f66 100644
--- a/app/src/main/java/it/chalmers/gamma/adapter/primary/web/ForgotPasswordController.java
+++ b/app/src/main/java/it/chalmers/gamma/adapter/primary/web/ForgotPasswordController.java
@@ -114,6 +114,18 @@ public ModelAndView createGetFinalizeForgotPassword(
 public ModelAndView getFinalizeForgotPassword(
 @RequestHeader(value = "HX-Request", required = false) boolean htmxRequest,
 @RequestParam(value = "token", required = true) String token) {
+ if (!this.userResetPasswordFacade.isValidToken(token)) {
+ ModelAndView mv = new ModelAndView();
+ if (htmxRequest) {
+ mv.setViewName("pages/password-reset-token-bad");
+ } else {
+ mv.setViewName("index");
+ mv.addObject("page", "pages/password-reset-token-bad");
+ }
+
+ return mv;
+ }
+
 FinalizeForgotPassword form = new FinalizeForgotPassword(token, "", "");
 
 return createGetFinalizeForgotPassword(htmxRequest, form, null);
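Review bot: The guard added at the top of getFinalizeForgotPassword is a courtesy pre-check, not the authorization step: a token can expire or be consumed between this GET and the form POST, so the submit handler (outside this hunk) has to keep validating on its own, and that intent deserves a comment above the `if`, e.g. `// Advisory pre-check so the user sees the bad-token page before filling the form; the submit path validates again.` The page this branch selects tells the user the link "has been expired", but the facade method it calls is implemented elsewhere in this patch as a bare `doesTokenExist` lookup, so unless that query already excludes expired rows the page appears for unknown tokens and not for expired ones — the wording and the check should agree. The closing brace of getFinalizeForgotPassword lies outside the hunk.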
diff --git a/app/src/main/java/it/chalmers/gamma/adapter/primary/web/RegisterAccountController.java b/app/src/main/java/it/chalmers/gamma/adapter/primary/web/RegisterAccountController.java
index 53cd7cb29..47800e15c 100644
--- a/app/src/main/java/it/chalmers/gamma/adapter/primary/web/RegisterAccountController.java
+++ b/app/src/main/java/it/chalmers/gamma/adapter/primary/web/RegisterAccountController.java
@@ -1,7 +1,5 @@
 package it.chalmers.gamma.adapter.primary.web;
 
-import static it.chalmers.gamma.adapter.primary.web.WebValidationHelper.validateObject;
-
 import it.chalmers.gamma.app.common.Email.EmailValidator;
 import it.chalmers.gamma.app.user.UserCreationFacade;
 import it.chalmers.gamma.app.user.activation.domain.UserActivationRepository;
@@ -11,7 +9,6 @@
 import it.chalmers.gamma.app.user.domain.LastName.LastNameValidator;
 import it.chalmers.gamma.app.user.domain.Nick.NickValidator;
 import it.chalmers.gamma.app.user.domain.UnencryptedPassword.UnencryptedPasswordValidator;
-import java.time.Year;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.stereotype.Controller;
@@ -23,6 +20,10 @@
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.servlet.ModelAndView;
 
+import java.time.Year;
+
+import static it.chalmers.gamma.adapter.primary.web.WebValidationHelper.validateObject;
+
 @Controller
 public class RegisterAccountController {
 
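Review bot: The static import of `validateObject` is moved below the regular imports and `java.time.Year` is pulled out of the single sorted block into its own group, which looks like IntelliJ's default import layout rather than the google-java-format layout (static imports first, then one ASCII-sorted non-static block) this file had before the change. If the project formats with google-java-format, as the previous ordering suggests, the next formatter run reverts all three hunks; either restore the original order or run the formatter before committing so the diff stays limited to the behavioral change. The same reshuffle is repeated in UserCreationFacade and UserResetPasswordFacade later in this patch.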
@@ -115,6 +116,18 @@ public ModelAndView createGetRegister( public ModelAndView getRegister( @RequestHeader(value = "HX-Request", required = false) boolean htmxRequest, @RequestParam(value = "token", required = true) String token) { + if (!this.userCreationFacade.isValidToken(token)) { + ModelAndView mv = new ModelAndView(); + if (htmxRequest) { + mv.setViewName("pages/register-account-token-bad"); + } else { + mv.setViewName("index"); + mv.addObject("page", "pages/register-account-token-bad"); + } + + return mv; + } + CreateAccountForm form = new CreateAccountForm(token, "", "", "", "", "", "", Year.now().getValue(), "SV", false); diff --git a/app/src/main/java/it/chalmers/gamma/app/user/UserCreationFacade.java b/app/src/main/java/it/chalmers/gamma/app/user/UserCreationFacade.java index 9a39e50da..9047e4e5e 100644 --- a/app/src/main/java/it/chalmers/gamma/app/user/UserCreationFacade.java +++ b/app/src/main/java/it/chalmers/gamma/app/user/UserCreationFacade.java @@ -1,8 +1,5 @@ package it.chalmers.gamma.app.user; -import static it.chalmers.gamma.app.authentication.AccessGuard.isAdmin; -import static it.chalmers.gamma.app.authentication.AccessGuard.isNotSignedIn; - import it.chalmers.gamma.app.Facade; import it.chalmers.gamma.app.authentication.AccessGuard; import it.chalmers.gamma.app.common.Email; @@ -13,12 +10,16 @@ import it.chalmers.gamma.app.user.allowlist.AllowListRepository; import it.chalmers.gamma.app.user.domain.*; import jakarta.transaction.Transactional; -import java.util.UUID; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Value; import org.springframework.stereotype.Service; +import java.util.UUID; + +import static it.chalmers.gamma.app.authentication.AccessGuard.isAdmin; +import static it.chalmers.gamma.app.authentication.AccessGuard.isNotSignedIn; + @Service public class UserCreationFacade extends Facade { 
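Review bot: The bad-token branch in getRegister duplicates, statement for statement, the one added to ForgotPasswordController in this same patch, including the `if (htmxRequest) { setViewName(view) } else { setViewName("index"); addObject("page", view) }` view-selection block; a shared helper in the web package, e.g. `static ModelAndView page(boolean htmxRequest, String view)`, would keep the two branches from drifting apart. Separately, whatever `accessGuard.require(isNotSignedIn())` throws for a signed-in visitor now propagates out of this GET unhandled; that may already be the convention for the other facade calls in this controller, which are not visible here, but it is worth confirming it maps to a sensible response rather than a generic 500. The closing brace of getRegister is outside the hunk.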
@@ -135,6 +136,12 @@ private void sendEmail(Cid cid, UserActivationToken userActivationToken) {
 this.mailService.sendMail(to, "Gamma activation url", message);
 }
 
+ public boolean isValidToken(String token) {
+ this.accessGuard.require(isNotSignedIn());
+
+ return this.userActivationRepository.doesTokenExist(new UserActivationToken(token));
+ }
+
 public record NewUserByCode(
 String password,
 String nick,
diff --git a/app/src/main/java/it/chalmers/gamma/app/user/passwordreset/UserResetPasswordFacade.java b/app/src/main/java/it/chalmers/gamma/app/user/passwordreset/UserResetPasswordFacade.java
index 1f85956c0..d96ef660e 100644
--- a/app/src/main/java/it/chalmers/gamma/app/user/passwordreset/UserResetPasswordFacade.java
+++ b/app/src/main/java/it/chalmers/gamma/app/user/passwordreset/UserResetPasswordFacade.java
@@ -1,7 +1,5 @@
 package it.chalmers.gamma.app.user.passwordreset;
 
-import static it.chalmers.gamma.app.authentication.AccessGuard.isNotSignedIn;
-
 import it.chalmers.gamma.app.Facade;
 import it.chalmers.gamma.app.authentication.AccessGuard;
 import it.chalmers.gamma.app.common.Email;
@@ -19,6 +17,8 @@
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.stereotype.Service;
 
+import static it.chalmers.gamma.app.authentication.AccessGuard.isNotSignedIn;
+
 @Service
 public class UserResetPasswordFacade extends Facade {
 
@@ -99,6 +99,12 @@ private void sendPasswordResetTokenMail(Email email, PasswordResetToken token) {
 this.mailService.sendMail(email.value(), subject, message);
 }
 
+ public boolean isValidToken(String token) {
+ this.accessGuard.require(isNotSignedIn());
+
+ return this.passwordResetRepository.doesTokenExist(new PasswordResetToken(token));
+ }
+
 // Vague for security reasons
 public static class PasswordResetProcessException extends Exception {}
 }
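Review bot: `isValidToken` returns `doesTokenExist`, so it reports existence, not validity: an activation token that has expired but is still stored passes this check unless the repository query filters on expiry, which is not visible here; either have the repository exclude expired tokens or name the method for what it checks. `new UserActivationToken(token)` is built from an unvalidated request parameter, and if that value object validates its format and throws, the controller never reaches its bad-token page; catching that constructor's exception here and returning `false` keeps the contract a plain boolean. Because this is now a cheap yes/no oracle reachable without submitting the form, it relies on activation tokens being high-entropy random values — their generation is outside this patch — and that assumption belongs in a Javadoc such as `/** Pre-check for the registration form: true when {@code token} is currently stored. Existence only; callers must validate again on submit. */`.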
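Review bot: The new `isValidToken` sits next to `PasswordResetProcessException`, whose comment says the reset flow is deliberately vague, yet it answers an explicit boolean for any string a caller supplies; that is defensible because the token is itself the secret, but the contrast deserves a Javadoc line so the next reader does not "fix" one side or the other, e.g. `/** True when a reset token with this value is currently stored. The yes/no answer is acceptable only because tokens are unguessable; expiry is not checked here and must be enforced on submit. */`. As with the activation variant, `doesTokenExist` is an existence query, so an expired-but-retained token passes unless the repository filters it, and a format-validating `PasswordResetToken` constructor would turn malformed input into an exception instead of `false`.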
diff --git a/app/src/main/resources/templates/pages/password-reset-token-bad.html b/app/src/main/resources/templates/pages/password-reset-token-bad.html new file mode 100644 index 000000000..6fe20604a --- /dev/null +++ b/app/src/main/resources/templates/pages/password-reset-token-bad.html @@ -0,0 +1,17 @@ +
+
+
+
+ Bad token +
+

+ It seems like the reset password link has been expired. + Please request a new token. +

+ +
+
\ No newline at end of file diff --git a/app/src/main/resources/templates/pages/register-account-token-bad.html b/app/src/main/resources/templates/pages/register-account-token-bad.html new file mode 100644 index 000000000..71342f256 --- /dev/null +++ b/app/src/main/resources/templates/pages/register-account-token-bad.html @@ -0,0 +1,17 @@ +
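Review bot: The message reads "has been expired", which should be "has expired"; and because the controller shows this page whenever `isValidToken` returns false — an existence check, so unknown or already-used tokens as well as expired ones — "The reset password link is invalid or has expired. Please request a new one." describes the outcome more accurately than blaming expiry alone. The template's markup has been stripped in this rendering, so the element holding the text cannot be pointed at precisely; the same sentence appears in register-account-token-bad.html and should be changed together with this one.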
+
+
+
+ Bad token +
+

+ It seems like the register account link has been expired. + Please request a new token. +

+ +
+
\ No newline at end of file