Make password reset link GET not POST

Fixes #160
FAForever · Jan 19, 2018 · 34cc549 · 34cc549
1 parent b70daf6
commit 34cc549
Show file tree

Hide file tree

Showing 4 changed files with 11 additions and 8 deletions.
diff --git a/src/inttest/java/com/faforever/api/user/UserControllerTest.java b/src/inttest/java/com/faforever/api/user/UserControllerTest.java
@@ -254,12 +254,8 @@ public void confirmPasswordReset() throws Exception {
       ImmutableMap.of(UserService.KEY_USER_ID, String.valueOf(1),
         UserService.KEY_PASSWORD, NEW_PASSWORD));
 
-    MultiValueMap<String, String> params = new HttpHeaders();
-    params.add("token", token);
-
     mockMvc.perform(
-      post("/users/confirmPasswordReset")
-        .params(params))
+      get("/users/confirmPasswordReset/{token}", token))
       .andExpect(status().isFound())
       .andExpect(redirectedUrl("http://localhost/password_resetted"));
   }

diff --git a/src/main/java/com/faforever/api/config/MvcConfig.java b/src/main/java/com/faforever/api/config/MvcConfig.java
@@ -3,6 +3,7 @@
 import org.springframework.context.annotation.Configuration;
 import org.springframework.core.Ordered;
 import org.springframework.web.servlet.config.annotation.EnableWebMvc;
+import org.springframework.web.servlet.config.annotation.PathMatchConfigurer;
 import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
 import org.springframework.web.servlet.config.annotation.ViewControllerRegistry;
 import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;
@@ -24,4 +25,9 @@ public void addResourceHandlers(ResourceHandlerRegistry registry) {
     registry.addResourceHandler("/favicon.ico").addResourceLocations("/");
     registry.addResourceHandler("/robots.txt").addResourceLocations("/");
   }
+
+  @Override
+  public void configurePathMatch(PathMatchConfigurer configurer) {
+    configurer.setUseRegisteredSuffixPatternMatch(true);
+  }
 }
diff --git a/src/main/java/com/faforever/api/security/FafTokenService.java b/src/main/java/com/faforever/api/security/FafTokenService.java
@@ -64,7 +64,7 @@ public String createToken(@NotNull FafTokenType type, @NotNull TemporalAmount li
    */
   @SneakyThrows
   public Map<String, String> resolveToken(@NotNull FafTokenType expectedTokenType, @NotNull String token) {
-    Map<String, String> claims = null;
+    Map<String, String> claims;
 
     try {
       claims = objectMapper.readValue(JwtHelper.decodeAndVerify(token, macSigner).getClaims(), new TypeReference<Map<String, String>>() {

diff --git a/src/main/java/com/faforever/api/user/UserController.java b/src/main/java/com/faforever/api/user/UserController.java
@@ -9,6 +9,7 @@
 import org.springframework.http.MediaType;
 import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.security.core.Authentication;
+import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RequestParam;
@@ -87,9 +88,9 @@ public void resetPassword(@RequestParam("identifier") String identifier,
   }
 
   @ApiOperation("Sets a new password for an account.")
-  @RequestMapping(path = "/confirmPasswordReset", method = RequestMethod.POST, produces = MediaType.APPLICATION_JSON_VALUE)
+  @RequestMapping(path = "/confirmPasswordReset/{token}", method = RequestMethod.GET, produces = MediaType.APPLICATION_JSON_VALUE)
   public void claimPasswordResetToken(HttpServletResponse response,
-                                      @RequestParam("token") String token) throws IOException {
+                                      @PathVariable("token") String token) throws IOException {
     userService.claimPasswordResetToken(token);
     response.sendRedirect(fafApiProperties.getPasswordReset().getSuccessRedirectUrl());
   }