From d4be216564d4508550955ab6013506697059d5e8 Mon Sep 17 00:00:00 2001
From: Nho Quy Dinh
Date: Mon, 19 Jul 2021 08:37:42 +0200
Subject: [PATCH] Invalidate session cookie on password reset
---
 .../com/nonononoki/alovoa/rest/PasswordController.java | 5 +++--
 .../com/nonononoki/alovoa/service/PasswordService.java | 6 ++++--
 .../com/nonononoki/alovoa/service/PasswordServiceTest.java | 7 ++++++-
 3 files changed, 13 insertions(+), 5 deletions(-)
diff --git a/src/main/java/com/nonononoki/alovoa/rest/PasswordController.java b/src/main/java/com/nonononoki/alovoa/rest/PasswordController.java
index bc12c934..3f6956bb 100644
--- a/src/main/java/com/nonononoki/alovoa/rest/PasswordController.java
+++ b/src/main/java/com/nonononoki/alovoa/rest/PasswordController.java
@@ -4,6 +4,7 @@
 import java.security.NoSuchAlgorithmException;
 import javax.mail.MessagingException;
+import javax.servlet.http.HttpSession;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.web.bind.annotation.PostMapping;
@@ -30,7 +31,7 @@ public void resetPasword(@RequestBody PasswordResetDto dto)
 }
 @PostMapping(value = "/change", consumes = "application/json")
-public void changePasword(@RequestBody PasswordChangeDto dto) throws AlovoaException {
-passwordService.changePasword(dto);
+public void changePasword(@RequestBody PasswordChangeDto dto, HttpSession session) throws AlovoaException {
+passwordService.changePasword(dto, session);
 }
 }
diff --git a/src/main/java/com/nonononoki/alovoa/service/PasswordService.java b/src/main/java/com/nonononoki/alovoa/service/PasswordService.java
index 948be48d..039f14a2 100644
--- a/src/main/java/com/nonononoki/alovoa/service/PasswordService.java
+++ b/src/main/java/com/nonononoki/alovoa/service/PasswordService.java
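Review bot: Declaring `HttpSession session` as a parameter of the new changePasword signature makes Spring enforce the presence of a session, so a caller that arrives without one — the usual case for someone completing a reset with an e-mailed token — gets a fresh session created only for the service to invalidate it a moment later. Taking `HttpServletRequest request` instead and passing `request.getSession(false)` keeps unauthenticated callers session-less; the service would then have to tolerate a `null` session. The hunk shows the whole method, so no further change to the controller is implied.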
@@ -5,6 +5,7 @@
 import java.util.Date;
 import javax.mail.MessagingException;
+import javax.servlet.http.HttpSession;
 import org.apache.commons.lang3.RandomStringUtils;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -59,7 +60,7 @@ public UserPasswordToken resetPasword(PasswordResetDto dto)
 if (u == null) {
 throw new DisabledException("user_not_found");
 }
-
+
 if (u.isDisabled()) {
 throw new DisabledException("user_disabled");
 }
@@ -77,7 +78,7 @@ public UserPasswordToken resetPasword(PasswordResetDto dto)
 return u.getPasswordToken();
 }
-public void changePasword(PasswordChangeDto dto) throws AlovoaException {
+public void changePasword(PasswordChangeDto dto, HttpSession session) throws AlovoaException {
 UserPasswordToken token = userPasswordTokenRepo.findByContent(dto.getToken());
 if (token == null) {
 throw new AlovoaException("token_not_found");
@@ -98,5 +99,6 @@ public void changePasword(PasswordChangeDto dto) throws AlovoaException {
 }
 userRepo.saveAndFlush(user);
+session.invalidate();
 }
 }
diff --git a/src/test/java/com/nonononoki/alovoa/service/PasswordServiceTest.java b/src/test/java/com/nonononoki/alovoa/service/PasswordServiceTest.java
index 4ef86a06..c703bed6 100644
--- a/src/test/java/com/nonononoki/alovoa/service/PasswordServiceTest.java
+++ b/src/test/java/com/nonononoki/alovoa/service/PasswordServiceTest.java
@@ -1,9 +1,12 @@
 package com.nonononoki.alovoa.service;
 import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.Mockito.mock;
 import java.util.List;
+import javax.servlet.http.HttpSession;
+
 import org.junit.Assert;
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeEach;
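Review bot: `session.invalidate()` added after `userRepo.saveAndFlush(user)` ends only the session of the request that carries the reset token, and in a token-based reset that caller is usually not an authenticated session of this user, so sessions already established elsewhere for the account — the ones a password change is meant to cut off — stay valid. If the project tracks sessions in Spring Security's `SessionRegistry`, expiring every `SessionInformation` returned by `getAllSessions(principal, false)` for this user would cover them; otherwise a per-user value that is checked on each authenticated request and rotated here would achieve the same. The same observation applies to the signature change in the hunk at `@@ -77,7 +78,7 @@`, which also leaves the new parameter undocumented — a Javadoc line `@param session the caller's HTTP session; invalidated once the new password is persisted` would state the intent. Note that `invalidate()` throws IllegalStateException on a session that is already invalid, so a guard is needed if callers may pass one in that state.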
@@ -111,7 +114,9 @@ void test() throws Exception {
 passwordChangeDto.setEmail(user1.getEmail());
 passwordChangeDto.setPassword(newPassword);
 passwordChangeDto.setToken(userPasswordToken.getContent());
-passwordService.changePasword(passwordChangeDto);
+
+HttpSession session = mock(HttpSession.class);
+passwordService.changePasword(passwordChangeDto, session);
 user1 = userRepo.findById(user1.getId()).get();