From 90b496be724a7b86d9119c0a064ee9b37a6496db Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marten=20Prie=C3=9F?=
Date: Fri, 21 Sep 2018 12:45:31 +0200
Subject: [PATCH] don't throw unauthorized in case of passwordChange with invalid currentPassword

---
 .../commons/dto/validation/PasswordErrorCodes.java | 2 +-
 .../controller/AuthenticationController.java | 14 +++++++++++---
 .../controller/AuthenticationControllerTest.java | 9 +++++++-
 3 files changed, 19 insertions(+), 6 deletions(-)

diff --git a/commons-auth-api/src/main/java/io/rocketbase/commons/dto/validation/PasswordErrorCodes.java b/commons-auth-api/src/main/java/io/rocketbase/commons/dto/validation/PasswordErrorCodes.java
index d6822265..f120bfff 100644
--- a/commons-auth-api/src/main/java/io/rocketbase/commons/dto/validation/PasswordErrorCodes.java
+++ b/commons-auth-api/src/main/java/io/rocketbase/commons/dto/validation/PasswordErrorCodes.java
@@ -1,5 +1,5 @@
 package io.rocketbase.commons.dto.validation;
 
 public enum PasswordErrorCodes {
-    TOO_SHORT, TOO_LONG, INSUFFICIENT_LOWERCASE, INSUFFICIENT_UPPERCASE, INSUFFICIENT_DIGIT, INSUFFICIENT_SPECIAL;
+    TOO_SHORT, TOO_LONG, INSUFFICIENT_LOWERCASE, INSUFFICIENT_UPPERCASE, INSUFFICIENT_DIGIT, INSUFFICIENT_SPECIAL, INVALID_CURRENT_PASSWORD;
 }
diff --git a/commons-auth-core/src/main/java/io/rocketbase/commons/controller/AuthenticationController.java b/commons-auth-core/src/main/java/io/rocketbase/commons/controller/AuthenticationController.java
index df187cc1..ad702c4e 100644
--- a/commons-auth-core/src/main/java/io/rocketbase/commons/controller/AuthenticationController.java
+++ b/commons-auth-core/src/main/java/io/rocketbase/commons/controller/AuthenticationController.java
@@ -1,14 +1,17 @@
 package io.rocketbase.commons.controller;
 
+import com.google.common.collect.Sets;
 import io.rocketbase.commons.converter.AppUserConverter;
 import io.rocketbase.commons.dto.appuser.AppUserRead;
 import io.rocketbase.commons.dto.authentication.JwtTokenBundle;
 import io.rocketbase.commons.dto.authentication.LoginRequest;
 import io.rocketbase.commons.dto.authentication.PasswordChangeRequest;
 import io.rocketbase.commons.dto.authentication.UpdateProfileRequest;
+import io.rocketbase.commons.dto.validation.PasswordErrorCodes;
 import io.rocketbase.commons.event.ChangePasswordEvent;
 import io.rocketbase.commons.event.LoginEvent;
 import io.rocketbase.commons.event.UpdateProfileEvent;
+import io.rocketbase.commons.exception.PasswordValidationException;
 import io.rocketbase.commons.model.AppUser;
 import io.rocketbase.commons.security.JwtTokenService;
 import io.rocketbase.commons.service.AppUserService;
@@ -19,6 +22,7 @@
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.userdetails.UserDetails;
@@ -83,9 +87,13 @@ public ResponseEntity changePassword(@RequestBody @NotNull @Validated Pass
         String username = ((UserDetails) authentication.getPrincipal()).getUsername();
 
         // check old password otherwise it throws errors
-        authenticationManager.authenticate(
-                new UsernamePasswordAuthenticationToken(username, passwordChange.getCurrentPassword())
-        );
+        try {
+            authenticationManager.authenticate(
+                    new UsernamePasswordAuthenticationToken(username, passwordChange.getCurrentPassword())
+            );
+        } catch (AuthenticationException e) {
+            throw new PasswordValidationException(Sets.newHashSet(PasswordErrorCodes.INVALID_CURRENT_PASSWORD));
+        }
 
         appUserService.updatePassword(username, passwordChange.getNewPassword());
 
diff --git a/commons-auth-core/src/test/java/io/rocketbase/commons/controller/AuthenticationControllerTest.java b/commons-auth-core/src/test/java/io/rocketbase/commons/controller/AuthenticationControllerTest.java
index 7ec2b171..c465b8ed 100644
--- a/commons-auth-core/src/test/java/io/rocketbase/commons/controller/AuthenticationControllerTest.java
+++ b/commons-auth-core/src/test/java/io/rocketbase/commons/controller/AuthenticationControllerTest.java
@@ -8,6 +8,7 @@
 import io.rocketbase.commons.dto.authentication.LoginRequest;
 import io.rocketbase.commons.dto.authentication.PasswordChangeRequest;
 import io.rocketbase.commons.dto.authentication.UpdateProfileRequest;
+import io.rocketbase.commons.exception.BadRequestException;
 import io.rocketbase.commons.model.AppUser;
 import io.rocketbase.commons.resource.AuthenticationResource;
 import io.rocketbase.commons.test.AppUserPersistenceTestService;
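Review bot: The new `catch (AuthenticationException e)` around the current-password check in changePassword is broader than the error it reports: Spring Security's `LockedException`, `DisabledException`, `AccountExpiredException` and `CredentialsExpiredException` all extend `AuthenticationException`, so an account whose status changed after its JWT was issued would now be told its current password is wrong (the 400 the updated test expects) instead of getting the authentication-level failure the old code propagated. Catching only the credential failure keeps the intended mapping and lets status failures surface as before: `} catch (BadCredentialsException e) {`. The caught exception is also dropped without a trace; if `PasswordValidationException` has a cause-taking constructor it should be passed along, otherwise a debug-level log of the failed verification keeps the attempt visible to whoever reviews authentication failures, since this path publishes no event the way the success path presumably does with ChangePasswordEvent. The remainder of changePassword after the updatePassword call lies outside the hunk.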
@@ -199,8 +200,12 @@ public void changePasswordFailure() {
                     .newPassword("r0cketB@ase")
                     .build());
             // then
-            Assert.fail("should have thrown UNAUTHORIZED");
-        } catch (HttpClientErrorException e) {
+            Assert.fail("should have thrown PasswordValidationException");
+        } catch (BadRequestException e) {
+            assertThat(e.getErrorResponse(), notNullValue());
+            assertThat(e.getErrorResponse().getFields(), notNullValue());
+            assertThat(e.getErrorResponse().getFields().containsKey("password"), equalTo(true));
+            assertThat(e.getErrorResponse().getFields().get("password"), equalTo("INVALID_CURRENT_PASSWORD"));
         }
     }