From 66e1ee79d01464e60d1a6296a8b8920111511b17 Mon Sep 17 00:00:00 2001 From: Bill Burke Date: Tue, 26 Jan 2016 15:45:40 -0500 Subject: [PATCH] KEYCLOAK-2349 --- .../services/managers/ClientSessionCode.java | 13 +++++++++---- .../org/keycloak/services/messages/Messages.java | 2 ++ .../services/resources/LoginActionsService.java | 8 ++++++-- .../base/login/messages/messages_en.properties | 1 + 4 files changed, 18 insertions(+), 6 deletions(-) mode change 100644 => 100755 themes/src/main/resources/theme/base/login/messages/messages_en.properties diff --git a/server-spi/src/main/java/org/keycloak/services/managers/ClientSessionCode.java b/server-spi/src/main/java/org/keycloak/services/managers/ClientSessionCode.java index 5e2468155c62..91c388f704c0 100755 --- a/server-spi/src/main/java/org/keycloak/services/managers/ClientSessionCode.java +++ b/server-spi/src/main/java/org/keycloak/services/managers/ClientSessionCode.java @@ -65,6 +65,7 @@ public static class ParseResult { ClientSessionCode code; boolean clientSessionNotFound; boolean illegalHash; + ClientSessionModel clientSession; public ClientSessionCode getCode() { return code; @@ -77,6 +78,10 @@ public boolean isClientSessionNotFound() { public boolean isIllegalHash() { return illegalHash; } + + public ClientSessionModel getClientSession() { + return clientSession; + } } public static ParseResult parseResult(String code, KeycloakSession session, RealmModel realm) { @@ -89,19 +94,19 @@ public static ParseResult parseResult(String code, KeycloakSession session, Real String[] parts = code.split("\\."); String id = parts[1]; - ClientSessionModel clientSession = session.sessions().getClientSession(realm, id); - if (clientSession == null) { + result.clientSession = session.sessions().getClientSession(realm, id); + if (result.clientSession == null) { result.clientSessionNotFound = true; return result; } - String hash = createHash(realm, clientSession); + String hash = createHash(realm, result.clientSession); if (!hash.equals(parts[0])) { result.illegalHash = true; return result; } - result.code = new ClientSessionCode(realm, clientSession); + result.code = new ClientSessionCode(realm, result.clientSession); return result; } catch (RuntimeException e) { result.illegalHash = true; diff --git a/services/src/main/java/org/keycloak/services/messages/Messages.java b/services/src/main/java/org/keycloak/services/messages/Messages.java index ca1db9659042..71238b772d8b 100755 --- a/services/src/main/java/org/keycloak/services/messages/Messages.java +++ b/services/src/main/java/org/keycloak/services/messages/Messages.java @@ -151,6 +151,8 @@ public class Messages { public static final String INVALID_CODE = "invalidCodeMessage"; + public static final String STALE_VERIFY_EMAIL_LINK = "staleEmailVerificationLink"; + public static final String IDENTITY_PROVIDER_UNEXPECTED_ERROR = "identityProviderUnexpectedErrorMessage"; public static final String IDENTITY_PROVIDER_NOT_FOUND = "identityProviderNotFoundMessage"; diff --git a/services/src/main/java/org/keycloak/services/resources/LoginActionsService.java b/services/src/main/java/org/keycloak/services/resources/LoginActionsService.java index e46cbcad5e0a..e23f9df21668 100755 --- a/services/src/main/java/org/keycloak/services/resources/LoginActionsService.java +++ b/services/src/main/java/org/keycloak/services/resources/LoginActionsService.java @@ -169,6 +169,7 @@ private boolean checkSsl() { private class Checks { ClientSessionCode clientCode; Response response; + ClientSessionCode.ParseResult result; boolean verifyCode(String code, String requiredAction, ClientSessionCode.ActionType actionType) { if (!verifyCode(code)) { @@ -213,7 +214,7 @@ public boolean verifyCode(String code) { response = ErrorPage.error(session, Messages.REALM_NOT_ENABLED); return false; } - ClientSessionCode.ParseResult result = ClientSessionCode.parseResult(code, session, realm); + result = ClientSessionCode.parseResult(code, session, realm); clientCode = result.getCode(); if (clientCode == null) { if (result.isClientSessionNotFound()) { // timeout @@ -654,6 +655,9 @@ public Response emailVerification(@QueryParam("code") String code, @QueryParam(" if (key != null) { Checks checks = new Checks(); if (!checks.verifyCode(code, ClientSessionModel.Action.REQUIRED_ACTIONS.name(), ClientSessionCode.ActionType.USER)) { + if (checks.clientCode == null && checks.result.isClientSessionNotFound() || checks.result.isIllegalHash()) { + return ErrorPage.error(session, Messages.STALE_VERIFY_EMAIL_LINK); + } return checks.response; } ClientSessionCode accessCode = checks.clientCode; @@ -661,7 +665,7 @@ public Response emailVerification(@QueryParam("code") String code, @QueryParam(" if (!ClientSessionModel.Action.VERIFY_EMAIL.name().equals(clientSession.getNote(AuthenticationManager.CURRENT_REQUIRED_ACTION))) { logger.reqdActionDoesNotMatch(); event.error(Errors.INVALID_CODE); - throw new WebApplicationException(ErrorPage.error(session, Messages.INVALID_CODE)); + throw new WebApplicationException(ErrorPage.error(session, Messages.STALE_VERIFY_EMAIL_LINK)); } UserSessionModel userSession = clientSession.getUserSession(); diff --git a/themes/src/main/resources/theme/base/login/messages/messages_en.properties b/themes/src/main/resources/theme/base/login/messages/messages_en.properties old mode 100644 new mode 100755 index 0641230e0e0f..cc3f410e955f --- a/themes/src/main/resources/theme/base/login/messages/messages_en.properties +++ b/themes/src/main/resources/theme/base/login/messages/messages_en.properties @@ -205,6 +205,7 @@ identityProviderLinkSuccess=Your account was successfully linked with {0} accoun realmSupportsNoCredentialsMessage=Realm does not support any credential type. identityProviderNotUniqueMessage=Realm supports multiple identity providers. Could not determine which identity provider should be used to authenticate with. emailVerifiedMessage=Your email address has been verified. +staleEmailVerificationLink=The link you clicked is a old stale link and is no longer valid. Maybe you have already verified your email? locale_ca=Catal\u00E0 locale_de=Deutsch