don't throw unauthorized in case of passwordChange with invalid curre…

…ntPassword

commons-auth-api/src/main/java/io/rocketbase/commons/dto/validation/PasswordErrorCodes.java

@@ -1,5 +1,5 @@
 package io.rocketbase.commons.dto.validation;
 
 public enum PasswordErrorCodes {
-    TOO_SHORT, TOO_LONG, INSUFFICIENT_LOWERCASE, INSUFFICIENT_UPPERCASE, INSUFFICIENT_DIGIT, INSUFFICIENT_SPECIAL;
+    TOO_SHORT, TOO_LONG, INSUFFICIENT_LOWERCASE, INSUFFICIENT_UPPERCASE, INSUFFICIENT_DIGIT, INSUFFICIENT_SPECIAL, INVALID_CURRENT_PASSWORD;
 }

commons-auth-core/src/main/java/io/rocketbase/commons/controller/AuthenticationController.java

@@ -1,14 +1,17 @@
 package io.rocketbase.commons.controller;
 
+import com.google.common.collect.Sets;
 import io.rocketbase.commons.converter.AppUserConverter;
 import io.rocketbase.commons.dto.appuser.AppUserRead;
 import io.rocketbase.commons.dto.authentication.JwtTokenBundle;
 import io.rocketbase.commons.dto.authentication.LoginRequest;
 import io.rocketbase.commons.dto.authentication.PasswordChangeRequest;
 import io.rocketbase.commons.dto.authentication.UpdateProfileRequest;
+import io.rocketbase.commons.dto.validation.PasswordErrorCodes;
 import io.rocketbase.commons.event.ChangePasswordEvent;
 import io.rocketbase.commons.event.LoginEvent;
 import io.rocketbase.commons.event.UpdateProfileEvent;
+import io.rocketbase.commons.exception.PasswordValidationException;
 import io.rocketbase.commons.model.AppUser;
 import io.rocketbase.commons.security.JwtTokenService;
 import io.rocketbase.commons.service.AppUserService;
@@ -19,6 +22,7 @@
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.userdetails.UserDetails;
@@ -83,9 +87,13 @@ public ResponseEntity<Void> changePassword(@RequestBody @NotNull @Validated Pass
 
         String username = ((UserDetails) authentication.getPrincipal()).getUsername();
         // check old password otherwise it throws errors
-        authenticationManager.authenticate(
-                new UsernamePasswordAuthenticationToken(username, passwordChange.getCurrentPassword())
-        );
+        try {
+            authenticationManager.authenticate(
+                    new UsernamePasswordAuthenticationToken(username, passwordChange.getCurrentPassword())
+            );
+        } catch (AuthenticationException e) {
+            throw new PasswordValidationException(Sets.newHashSet(PasswordErrorCodes.INVALID_CURRENT_PASSWORD));
+        }
 
         appUserService.updatePassword(username, passwordChange.getNewPassword());
 

commons-auth-core/src/test/java/io/rocketbase/commons/controller/AuthenticationControllerTest.java

@@ -8,6 +8,7 @@
 import io.rocketbase.commons.dto.authentication.LoginRequest;
 import io.rocketbase.commons.dto.authentication.PasswordChangeRequest;
 import io.rocketbase.commons.dto.authentication.UpdateProfileRequest;
+import io.rocketbase.commons.exception.BadRequestException;
 import io.rocketbase.commons.model.AppUser;
 import io.rocketbase.commons.resource.AuthenticationResource;
 import io.rocketbase.commons.test.AppUserPersistenceTestService;
@@ -199,8 +200,12 @@ public void changePasswordFailure() {
                     .newPassword("r0cketB@ase")
                     .build());
             // then
-            Assert.fail("should have thrown UNAUTHORIZED");
-        } catch (HttpClientErrorException e) {
+            Assert.fail("should have thrown PasswordValidationException");
+        } catch (BadRequestException e) {
+            assertThat(e.getErrorResponse(), notNullValue());
+            assertThat(e.getErrorResponse().getFields(), notNullValue());
+            assertThat(e.getErrorResponse().getFields().containsKey("password"), equalTo(true));
+            assertThat(e.getErrorResponse().getFields().get("password"), equalTo("INVALID_CURRENT_PASSWORD"));
         }
     }