From 860fae779d34beb98b3664cc5f757b17c42e7ff5 Mon Sep 17 00:00:00 2001 From: Claudio Maggioni Date: Thu, 5 Mar 2020 17:07:29 +0100 Subject: [PATCH] Added support for password reset (still needs testing) --- .../smarthut/config/WebSecurityConfig.java | 3 +- .../controller/UserAccountController.java | 110 ++++++++++++++---- .../dto/InitPasswordResetRequest.java | 25 ++++ .../smarthut/dto/PasswordResetRequest.java | 34 ++++++ .../smarthut/models/ConfirmationToken.java | 14 ++- src/main/resources/application.properties | 10 +- 6 files changed, 171 insertions(+), 25 deletions(-) create mode 100644 src/main/java/ch/usi/inf/sa4/sanmarinoes/smarthut/dto/InitPasswordResetRequest.java create mode 100644 src/main/java/ch/usi/inf/sa4/sanmarinoes/smarthut/dto/PasswordResetRequest.java diff --git a/src/main/java/ch/usi/inf/sa4/sanmarinoes/smarthut/config/WebSecurityConfig.java b/src/main/java/ch/usi/inf/sa4/sanmarinoes/smarthut/config/WebSecurityConfig.java index e38d0df..253998d 100644 --- a/src/main/java/ch/usi/inf/sa4/sanmarinoes/smarthut/config/WebSecurityConfig.java +++ b/src/main/java/ch/usi/inf/sa4/sanmarinoes/smarthut/config/WebSecurityConfig.java @@ -52,10 +52,11 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter { .authorizeRequests() .antMatchers( "/auth/login", - "/auth/register", "/swagger-ui.html", "/register", "/register/confirm-account", + "/register/init-reset-password", + "/register/reset-password", "/v2/api-docs", "/webjars/**", "/swagger-resources/**", diff --git a/src/main/java/ch/usi/inf/sa4/sanmarinoes/smarthut/controller/UserAccountController.java b/src/main/java/ch/usi/inf/sa4/sanmarinoes/smarthut/controller/UserAccountController.java index e238f16..4959e79 100644 --- a/src/main/java/ch/usi/inf/sa4/sanmarinoes/smarthut/controller/UserAccountController.java +++ b/src/main/java/ch/usi/inf/sa4/sanmarinoes/smarthut/controller/UserAccountController.java @@ -1,9 +1,12 @@ package ch.usi.inf.sa4.sanmarinoes.smarthut.controller; +import ch.usi.inf.sa4.sanmarinoes.smarthut.dto.InitPasswordResetRequest; import ch.usi.inf.sa4.sanmarinoes.smarthut.dto.OkResponse; +import ch.usi.inf.sa4.sanmarinoes.smarthut.dto.PasswordResetRequest; import ch.usi.inf.sa4.sanmarinoes.smarthut.dto.UserRegistrationRequest; import ch.usi.inf.sa4.sanmarinoes.smarthut.error.DuplicateRegistrationException; import ch.usi.inf.sa4.sanmarinoes.smarthut.error.EmailTokenNotFoundException; +import ch.usi.inf.sa4.sanmarinoes.smarthut.error.UserNotFoundException; import ch.usi.inf.sa4.sanmarinoes.smarthut.models.ConfirmationToken; import ch.usi.inf.sa4.sanmarinoes.smarthut.models.ConfirmationTokenRepository; import ch.usi.inf.sa4.sanmarinoes.smarthut.models.User; @@ -12,15 +15,11 @@ import ch.usi.inf.sa4.sanmarinoes.smarthut.service.EmailSenderService; import javax.validation.Valid; import javax.validation.constraints.NotNull; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.beans.factory.annotation.Value; import org.springframework.boot.autoconfigure.EnableAutoConfiguration; import org.springframework.mail.SimpleMailMessage; import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder; -import org.springframework.web.bind.annotation.GetMapping; -import org.springframework.web.bind.annotation.PostMapping; -import org.springframework.web.bind.annotation.RequestBody; -import org.springframework.web.bind.annotation.RequestMapping; -import org.springframework.web.bind.annotation.RequestParam; -import org.springframework.web.bind.annotation.RestController; +import org.springframework.web.bind.annotation.*; @RestController @EnableAutoConfiguration @@ -35,6 +34,36 @@ public class UserAccountController { @Autowired private BCryptPasswordEncoder encoder; + @Value("email.registrationsubject") + private String emailRegistrationSubject; + + @Value("email.resetpasswordsubject") + private String resetPasswordSubject; + + @Value("email.registration") + private String emailRegistrationText; + + @Value("email.resetpassword") + private String resetPasswordText; + + @Value("email.serverhost") + private String serverHost; + + private void sendEmail(String email, ConfirmationToken token, boolean isRegistration) { + SimpleMailMessage mailMessage = new SimpleMailMessage(); + mailMessage.setTo(email); + mailMessage.setSubject(isRegistration ? emailRegistrationSubject : resetPasswordSubject); + mailMessage.setFrom("smarthut.sm@gmail.com"); + mailMessage.setText( + (isRegistration ? emailRegistrationText : resetPasswordText) + + " " + + serverHost + + "/register/confirm-account?token=" + + token.getConfirmationToken()); + + emailSenderService.sendEmail(mailMessage); + } + @PostMapping public OkResponse registerUser(@Valid @RequestBody UserRegistrationRequest registrationData) throws DuplicateRegistrationException { @@ -60,35 +89,72 @@ public class UserAccountController { toSave.setEmail(registrationData.getEmail()); userRepository.save(toSave); - ConfirmationToken confirmationToken = new ConfirmationToken(toSave); + ConfirmationToken token; + do { + token = new ConfirmationToken(toSave); + } while (confirmationTokenRepository.findByConfirmationToken( + token.getConfirmationToken()) + != null); - confirmationTokenRepository.save(confirmationToken); + confirmationTokenRepository.save(token); - SimpleMailMessage mailMessage = new SimpleMailMessage(); - mailMessage.setTo(registrationData.getEmail()); - mailMessage.setSubject("Complete Registration!"); - mailMessage.setFrom("smarthut.sm@gmail.com"); - mailMessage.setText( - "To confirm your account, please click here : " - + "http://localhost:8080/register/confirm-account?token=" - + confirmationToken.getConfirmationToken()); - - emailSenderService.sendEmail(mailMessage); + sendEmail(toSave.getEmail(), token, true); return new OkResponse(); } } + @PostMapping("/init-reset-password") + public OkResponse initResetPassword(@Valid @RequestBody InitPasswordResetRequest resetRequest) + throws UserNotFoundException { + final User toReset = userRepository.findByEmailIgnoreCase(resetRequest.getEmail()); + + // Check if an User with the same email already exists + if (toReset == null) { + throw new UserNotFoundException(); + } + + ConfirmationToken token; + do { + token = new ConfirmationToken(toReset); + token.setResetPassword(true); + } while (confirmationTokenRepository.findByConfirmationToken(token.getConfirmationToken()) + != null); + + confirmationTokenRepository.save(token); + + sendEmail(toReset.getEmail(), token, false); + + return new OkResponse(); + } + + @PutMapping("/reset-password") + public OkResponse resetPassword(@Valid @RequestBody PasswordResetRequest resetRequest) + throws EmailTokenNotFoundException { + final ConfirmationToken token = + confirmationTokenRepository.findByConfirmationToken( + resetRequest.getConfirmationToken()); + + if (token == null || token.getResetPassword()) { + throw new EmailTokenNotFoundException(); + } + + final User user = token.getUser(); + user.setPassword(encoder.encode(resetRequest.getPassword())); + userRepository.save(user); + + return new OkResponse(); + } + @GetMapping(value = "/confirm-account") public OkResponse confirmUserAccount(@RequestParam("token") @NotNull String confirmationToken) throws EmailTokenNotFoundException { final ConfirmationToken token = confirmationTokenRepository.findByConfirmationToken(confirmationToken); - if (token != null) { - final User user = userRepository.findByEmailIgnoreCase(token.getUser().getEmail()); - user.setEnabled(true); - userRepository.save(user); + if (token != null && !token.getResetPassword()) { + token.getUser().setEnabled(true); + userRepository.save(token.getUser()); // TODO: redirect to frontend return new OkResponse(); } else { diff --git a/src/main/java/ch/usi/inf/sa4/sanmarinoes/smarthut/dto/InitPasswordResetRequest.java b/src/main/java/ch/usi/inf/sa4/sanmarinoes/smarthut/dto/InitPasswordResetRequest.java new file mode 100644 index 0000000..d82c4f0 --- /dev/null +++ b/src/main/java/ch/usi/inf/sa4/sanmarinoes/smarthut/dto/InitPasswordResetRequest.java @@ -0,0 +1,25 @@ +package ch.usi.inf.sa4.sanmarinoes.smarthut.dto; + +import javax.validation.constraints.Email; +import javax.validation.constraints.NotEmpty; +import javax.validation.constraints.Pattern; + +/** DTO for password reset request */ +public class InitPasswordResetRequest { + /** + * The user's email (validated according to criteria used in >input type="email"<> + * , technically not RFC 5322 compliant + */ + @NotEmpty(message = "Please provide an email") + @Email(message = "Please provide a valid email address") + @Pattern(regexp = ".+@.+\\..+", message = "Please provide a valid email address") + private String email; + + public String getEmail() { + return email; + } + + public void setEmail(String email) { + this.email = email; + } +} diff --git a/src/main/java/ch/usi/inf/sa4/sanmarinoes/smarthut/dto/PasswordResetRequest.java b/src/main/java/ch/usi/inf/sa4/sanmarinoes/smarthut/dto/PasswordResetRequest.java new file mode 100644 index 0000000..bf5bccf --- /dev/null +++ b/src/main/java/ch/usi/inf/sa4/sanmarinoes/smarthut/dto/PasswordResetRequest.java @@ -0,0 +1,34 @@ +package ch.usi.inf.sa4.sanmarinoes.smarthut.dto; + +import javax.validation.constraints.*; + +/** DTO for password reset request */ +public class PasswordResetRequest { + + @NotNull private String confirmationToken; + + /** A properly salted way to store the password */ + @NotNull + @NotEmpty(message = "Please provide a password") + @Size( + min = 6, + max = 255, + message = "Your password should be at least 6 characters long and up to 255 chars long") + private String password; + + public String getConfirmationToken() { + return confirmationToken; + } + + public void setConfirmationToken(String confirmationToken) { + this.confirmationToken = confirmationToken; + } + + public String getPassword() { + return password; + } + + public void setPassword(String password) { + this.password = password; + } +} diff --git a/src/main/java/ch/usi/inf/sa4/sanmarinoes/smarthut/models/ConfirmationToken.java b/src/main/java/ch/usi/inf/sa4/sanmarinoes/smarthut/models/ConfirmationToken.java index f6c86a0..d324724 100644 --- a/src/main/java/ch/usi/inf/sa4/sanmarinoes/smarthut/models/ConfirmationToken.java +++ b/src/main/java/ch/usi/inf/sa4/sanmarinoes/smarthut/models/ConfirmationToken.java @@ -21,7 +21,7 @@ public class ConfirmationToken { @Column(name = "id", updatable = false, nullable = false) private Long id; - @Column(name = "confirmation_token") + @Column(name = "confirmation_token", unique = true) private String confirmationToken; @Temporal(TemporalType.TIMESTAMP) @@ -31,10 +31,14 @@ public class ConfirmationToken { @JoinColumn(nullable = false, name = "user_id") private User user; + @Column(nullable = false) + private Boolean resetPassword; + public ConfirmationToken(User user) { this.user = user; createdDate = new Date(); confirmationToken = UUID.randomUUID().toString(); + resetPassword = false; } /** Constructor for hibernate reflective stuff things whatever */ @@ -71,4 +75,12 @@ public class ConfirmationToken { public void setUser(User user) { this.user = user; } + + public Boolean getResetPassword() { + return resetPassword; + } + + public void setResetPassword(Boolean resetPassword) { + this.resetPassword = resetPassword; + } } diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties index 9bfe2a7..26d5e8e 100644 --- a/src/main/resources/application.properties +++ b/src/main/resources/application.properties @@ -22,4 +22,12 @@ spring.mail.properties.mail.smtp.starttls.required=true spring.mail.properties.mail.smtp.auth=true spring.mail.properties.mail.smtp.connectiontimeout=5000 spring.mail.properties.mail.smtp.timeout=5000 -spring.mail.properties.mail.smtp.writetimeout=5000 \ No newline at end of file +spring.mail.properties.mail.smtp.writetimeout=5000 + +email.registrationsubject=Complete your SmartHut.sm registration +email.registration=To confirm your registration, please click here: + +email.resetpasswordsubject=SmartHut.sm password reset +email.resetpassword=To reset your password, please click here: + +email.serverhost=http://localhost:8080/ \ No newline at end of file