Invalidate session cookie on password reset

Alovoa · Jul 19, 2021 · d4be216 · d4be216
1 parent a64d732
commit d4be216
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 5 deletions.
diff --git a/src/main/java/com/nonononoki/alovoa/rest/PasswordController.java b/src/main/java/com/nonononoki/alovoa/rest/PasswordController.java
@@ -4,6 +4,7 @@
 import java.security.NoSuchAlgorithmException;
 
 import javax.mail.MessagingException;
+import javax.servlet.http.HttpSession;
 
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.web.bind.annotation.PostMapping;
@@ -30,7 +31,7 @@ public void resetPasword(@RequestBody PasswordResetDto dto)
 	}
 
 	@PostMapping(value = "/change", consumes = "application/json")
-	public void changePasword(@RequestBody PasswordChangeDto dto) throws AlovoaException {
-		passwordService.changePasword(dto);
+	public void changePasword(@RequestBody PasswordChangeDto dto, HttpSession session) throws AlovoaException {
+		passwordService.changePasword(dto, session);
 	}
 }
diff --git a/src/main/java/com/nonononoki/alovoa/service/PasswordService.java b/src/main/java/com/nonononoki/alovoa/service/PasswordService.java
@@ -5,6 +5,7 @@
 import java.util.Date;
 
 import javax.mail.MessagingException;
+import javax.servlet.http.HttpSession;
 
 import org.apache.commons.lang3.RandomStringUtils;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -59,7 +60,7 @@ public UserPasswordToken resetPasword(PasswordResetDto dto)
 			if (u == null) {
 				throw new DisabledException("user_not_found");
 			}
-			
+
 			if (u.isDisabled()) {
 				throw new DisabledException("user_disabled");
 			}
@@ -77,7 +78,7 @@ public UserPasswordToken resetPasword(PasswordResetDto dto)
 		return u.getPasswordToken();
 	}
 
-	public void changePasword(PasswordChangeDto dto) throws AlovoaException {
+	public void changePasword(PasswordChangeDto dto, HttpSession session) throws AlovoaException {
 		UserPasswordToken token = userPasswordTokenRepo.findByContent(dto.getToken());
 		if (token == null) {
 			throw new AlovoaException("token_not_found");
@@ -98,5 +99,6 @@ public void changePasword(PasswordChangeDto dto) throws AlovoaException {
 		}
 
 		userRepo.saveAndFlush(user);
+		session.invalidate();
 	}
 }
diff --git a/src/test/java/com/nonononoki/alovoa/service/PasswordServiceTest.java b/src/test/java/com/nonononoki/alovoa/service/PasswordServiceTest.java
@@ -1,9 +1,12 @@
 package com.nonononoki.alovoa.service;
 
 import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.Mockito.mock;
 
 import java.util.List;
 
+import javax.servlet.http.HttpSession;
+
 import org.junit.Assert;
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeEach;
@@ -111,7 +114,9 @@ void test() throws Exception {
 		passwordChangeDto.setEmail(user1.getEmail());
 		passwordChangeDto.setPassword(newPassword);
 		passwordChangeDto.setToken(userPasswordToken.getContent());
-		passwordService.changePasword(passwordChangeDto);
+
+		HttpSession session = mock(HttpSession.class);
+		passwordService.changePasword(passwordChangeDto, session);
 
 		user1 = userRepo.findById(user1.getId()).get();