Skip to content
Permalink
Browse files
Invalidate session cookie on password reset
  • Loading branch information
Nonononoki committed Jul 19, 2021
1 parent a64d732 commit d4be216564d4508550955ab6013506697059d5e8
@@ -4,6 +4,7 @@
import java.security.NoSuchAlgorithmException;

import javax.mail.MessagingException;
import javax.servlet.http.HttpSession;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.PostMapping;
@@ -30,7 +31,7 @@ public void resetPasword(@RequestBody PasswordResetDto dto)
}

@PostMapping(value = "/change", consumes = "application/json")
public void changePasword(@RequestBody PasswordChangeDto dto) throws AlovoaException {
passwordService.changePasword(dto);
public void changePasword(@RequestBody PasswordChangeDto dto, HttpSession session) throws AlovoaException {
passwordService.changePasword(dto, session);
}
}
@@ -5,6 +5,7 @@
import java.util.Date;

import javax.mail.MessagingException;
import javax.servlet.http.HttpSession;

import org.apache.commons.lang3.RandomStringUtils;
import org.springframework.beans.factory.annotation.Autowired;
@@ -59,7 +60,7 @@ public UserPasswordToken resetPasword(PasswordResetDto dto)
if (u == null) {
throw new DisabledException("user_not_found");
}

if (u.isDisabled()) {
throw new DisabledException("user_disabled");
}
@@ -77,7 +78,7 @@ public UserPasswordToken resetPasword(PasswordResetDto dto)
return u.getPasswordToken();
}

public void changePasword(PasswordChangeDto dto) throws AlovoaException {
public void changePasword(PasswordChangeDto dto, HttpSession session) throws AlovoaException {
UserPasswordToken token = userPasswordTokenRepo.findByContent(dto.getToken());
if (token == null) {
throw new AlovoaException("token_not_found");
@@ -98,5 +99,6 @@ public void changePasword(PasswordChangeDto dto) throws AlovoaException {
}

userRepo.saveAndFlush(user);
session.invalidate();
}
}
@@ -1,9 +1,12 @@
package com.nonononoki.alovoa.service;

import static org.mockito.ArgumentMatchers.any;
import static org.mockito.Mockito.mock;

import java.util.List;

import javax.servlet.http.HttpSession;

import org.junit.Assert;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.BeforeEach;
@@ -111,7 +114,9 @@ void test() throws Exception {
passwordChangeDto.setEmail(user1.getEmail());
passwordChangeDto.setPassword(newPassword);
passwordChangeDto.setToken(userPasswordToken.getContent());
passwordService.changePasword(passwordChangeDto);

HttpSession session = mock(HttpSession.class);
passwordService.changePasword(passwordChangeDto, session);

user1 = userRepo.findById(user1.getId()).get();

0 comments on commit d4be216

Please sign in to comment.