The-pack-family/APIv3
3
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix flow issue in POST /users/:id/changePassword

Browse Source
This commit is contained in:
Colin McDonald 2016-07-25 15:49:38 -04:00
parent 02f79731a9
commit df938dcd0a
2 changed files with 21 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/main/java/net/frozenorb/apiv3/model/User.java
View File

@ -447,7 +447,7 @@ public final class User {
.hashString(input + "$" + id.toString(), Charsets.UTF_8) .hashString(input + "$" + id.toString(), Charsets.UTF_8)
.toString(); .toString();
return password != null && hashed.equals(password); return password != null && input != null && hashed.equals(password);
} }
public void requiresTotpAuthorization(String ip, SingleResultCallback<RequiresTotpResult> callback) { public void requiresTotpAuthorization(String ip, SingleResultCallback<RequiresTotpResult> callback) {

33
src/main/java/net/frozenorb/apiv3/route/users/POSTUsersIdChangePassword.java
View File

@ -28,14 +28,17 @@ public final class POSTUsersIdChangePassword implements Handler<RoutingContext>
JsonObject requestBody = ctx.getBodyAsJson(); JsonObject requestBody = ctx.getBodyAsJson();
if (user.getPassword() == null) { if (requestBody.containsKey("currentPassword")) {
ErrorUtils.respondInvalidInput(ctx, "User provided does not have password set."); if (user.getPassword() == null) {
return; ErrorUtils.respondInvalidInput(ctx, "User provided does not have password set.");
} return;
}
boolean authorized = false; if (!user.checkPassword(requestBody.getString("currentPassword"))) {
ErrorUtils.respondInvalidInput(ctx, "Could not authorize password change.");
return;
}
if (user.checkPassword(requestBody.getString("currentPassword"))) {
RequiresTotpResult requiresTotp = SyncUtils.runBlocking(v -> user.requiresTotpAuthorization(null, v)); RequiresTotpResult requiresTotp = SyncUtils.runBlocking(v -> user.requiresTotpAuthorization(null, v));
if (requiresTotp == RequiresTotpResult.REQUIRED_NO_EXEMPTIONS) { if (requiresTotp == RequiresTotpResult.REQUIRED_NO_EXEMPTIONS) {
@ -47,18 +50,22 @@ public final class POSTUsersIdChangePassword implements Handler<RoutingContext>
return; return;
} }
} }
} else if (requestBody.containsKey("passwordResetToken")) {
if (user.getPasswordResetToken() == null) {
ErrorUtils.respondInvalidInput(ctx, "User provided does not have password reset token set.");
return;
}
if (!user.getPasswordResetToken().equals(requestBody.getString("passwordResetToken"))) {
ErrorUtils.respondInvalidInput(ctx, "Could not authorize password change.");
return;
}
authorized = true;
} else if (user.getPasswordResetToken() != null && user.getPasswordResetToken().equals(requestBody.getString("passwordResetToken"))) {
if ((System.currentTimeMillis() - user.getPasswordResetTokenSetAt().toEpochMilli()) > TimeUnit.DAYS.toMillis(2)) { if ((System.currentTimeMillis() - user.getPasswordResetTokenSetAt().toEpochMilli()) > TimeUnit.DAYS.toMillis(2)) {
ErrorUtils.respondOther(ctx, 409, "Password reset token is expired.", "passwordTokenExpired", ImmutableMap.of()); ErrorUtils.respondOther(ctx, 409, "Password reset token is expired.", "passwordTokenExpired", ImmutableMap.of());
return; return;
} }
} else {
authorized = true;
}
if (!authorized) {
ErrorUtils.respondInvalidInput(ctx, "Could not authorize password change."); ErrorUtils.respondInvalidInput(ctx, "Could not authorize password change.");
return; return;
} }