Feature/forgot password

api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/accounts/user/UserAccountsResetPasswordPage.java

@@ -7,6 +7,7 @@
 import java.util.HashMap;
 import java.util.Map;
 
+import edu.cornell.mannlib.vitro.webapp.controller.authenticate.PasswordChangeRequestSpamMitigation;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 
@@ -40,6 +41,8 @@ public void resetPassword() {
 		log.debug("Set password on '" + userAccount.getEmailAddress()
 				+ "' to '" + newPassword + "'");
 
+		PasswordChangeRequestSpamMitigation
+			.requestSuccessfullyHandledAndUserPasswordUpdated(userAccount.getEmailAddress());
 		notifyUser();
 	}
 

api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/authenticate/ForgotPassword.java

@@ -0,0 +1,153 @@
+package edu.cornell.mannlib.vitro.webapp.controller.authenticate;
+
+import java.io.IOException;
+import java.io.PrintWriter;
+import java.net.MalformedURLException;
+import java.net.URL;
+import java.util.Calendar;
+import java.util.Date;
+import java.util.HashMap;
+import java.util.Map;
+
+import javax.mail.Message;
+import javax.servlet.ServletContext;
+import javax.servlet.annotation.WebServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import edu.cornell.mannlib.vitro.webapp.beans.UserAccount;
+import edu.cornell.mannlib.vitro.webapp.controller.VitroHttpServlet;
+import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest;
+import edu.cornell.mannlib.vitro.webapp.controller.freemarker.UrlBuilder;
+import edu.cornell.mannlib.vitro.webapp.dao.UserAccountsDao;
+import edu.cornell.mannlib.vitro.webapp.dao.WebappDaoFactory;
+import edu.cornell.mannlib.vitro.webapp.email.FreemarkerEmailFactory;
+import edu.cornell.mannlib.vitro.webapp.email.FreemarkerEmailMessage;
+import edu.cornell.mannlib.vitro.webapp.i18n.I18n;
+import edu.cornell.mannlib.vitro.webapp.i18n.I18nBundle;
+import edu.cornell.mannlib.vitro.webapp.modelaccess.ModelAccess;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+@WebServlet(name = "forgot-password", urlPatterns = {"/forgot-password"})
+public class ForgotPassword extends VitroHttpServlet {
+
+    private static final String RESET_PASSWORD_URL = "/accounts/resetPassword";
+
+    private static final int DAYS_TO_USE_PASSWORD_LINK = 5;
+
+    private static final Log log = LogFactory.getLog(ForgotPassword.class.getName());
+
+
+    @Override
+    public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException {
+        PrintWriter out = setupResponsePrintWriter(response);
+        log.info("Password reset requested from client: " + request.getRemoteAddr());
+
+        VitroRequest vreq = new VitroRequest(request);
+        UserAccountsDao userAccountsDao = constructUserAccountsDao(vreq);
+        I18nBundle i18n = I18n.bundle(vreq);
+
+        String email = request.getParameter("email");
+
+        UserAccount userAccount = getAccountForInternalAuth(email, request);
+        if (userAccount == null) {
+            out.println("<h1>" + i18n.text("password_reset_email_non_existing") + "</h1>");
+            return;
+        }
+
+        PasswordChangeRequestSpamMitigationResponse mitigationResponse =
+            PasswordChangeRequestSpamMitigation.isPasswordResetRequestable(userAccount);
+        if (!mitigationResponse.getCanBeRequested()) {
+            out.println(
+                "<h1>" + i18n.text("password_reset_too_many_requests") +
+                    mitigationResponse.getNextRequestAvailableAtDate() +
+                    i18n.text("password_reset_too_many_requests_at_time") +
+                    mitigationResponse.getNextRequestAvailableAtTime() + "</h1>");
+            return;
+        }
+
+        requestPasswordChange(userAccount, userAccountsDao);
+        notifyUser(userAccount, i18n, vreq);
+        PasswordChangeRequestSpamMitigation.requestSuccessfullyHandledAndUserIsNotified(userAccount.getEmailAddress());
+
+        out.println("<h1>" + i18n.text("password_reset_email_sent") + email + "</h1>");
+    }
+
+    private void notifyUser(UserAccount userAccount, I18nBundle i18n,
+                            VitroRequest vreq) {
+
+        Map<String, Object> body = new HashMap<String, Object>();
+        body.put("userAccount", userAccount);
+        body.put("passwordLink",
+            buildResetPasswordLink(userAccount.getEmailAddress(), userAccount.getEmailKey(), vreq));
+        body.put("siteName", vreq.getAppBean().getApplicationName());
+        body.put("subject", i18n.text("password_reset_pending_email_subject"));
+        body.put("textMessage", i18n.text("password_reset_pending_email_plain_text"));
+        body.put("htmlMessage", i18n.text("password_reset_pending_email_html_text"));
+
+        FreemarkerEmailMessage emailMessage = FreemarkerEmailFactory
+            .createNewMessage(vreq);
+        emailMessage.addRecipient(Message.RecipientType.TO, userAccount.getEmailAddress());
+        emailMessage.setBodyMap(body);
+        emailMessage.processTemplate();
+        emailMessage.send();
+    }
+
+    private UserAccountsDao constructUserAccountsDao(VitroRequest vreq) {
+        ServletContext ctx = vreq.getSession().getServletContext();
+        WebappDaoFactory wdf = ModelAccess.on(ctx).getWebappDaoFactory();
+        return wdf.getUserAccountsDao();
+    }
+
+    private PrintWriter setupResponsePrintWriter(HttpServletResponse response) throws IOException {
+        response.setContentType("text/html");
+        return response.getWriter();
+    }
+
+    private void requestPasswordChange(UserAccount userAccount, UserAccountsDao userAccountsDao) {
+        userAccount.setPasswordLinkExpires(figureExpirationDate().getTime());
+        userAccount.generateEmailKey();
+        userAccountsDao.updateUserAccount(userAccount);
+    }
+
+    private UserAccount getAccountForInternalAuth(String emailAddress, HttpServletRequest request) {
+        UserAccountsDao userAccountsDao = getUserAccountsDao(request);
+        if (userAccountsDao == null) {
+            return null;
+        }
+        return userAccountsDao.getUserAccountByEmail(emailAddress);
+    }
+
+    private UserAccountsDao getUserAccountsDao(HttpServletRequest request) {
+        UserAccountsDao userAccountsDao = getWebappDaoFactory(request)
+            .getUserAccountsDao();
+        if (userAccountsDao == null) {
+            log.error("getUserAccountsDao: no UserAccountsDao");
+        }
+
+        return userAccountsDao;
+    }
+
+    private WebappDaoFactory getWebappDaoFactory(HttpServletRequest request) {
+        return ModelAccess.on(request).getWebappDaoFactory();
+    }
+
+    private String buildResetPasswordLink(String email, String key, VitroRequest vreq) {
+        try {
+            String relativeUrl = UrlBuilder.getUrl(RESET_PASSWORD_URL, "user", email, "key", key);
+
+            URL context = new URL(vreq.getRequestURL().toString());
+            URL url = new URL(context, relativeUrl);
+            return url.toExternalForm();
+        } catch (MalformedURLException e) {
+            return "error_creating_password_link";
+        }
+    }
+
+    private Date figureExpirationDate() {
+        Calendar c = Calendar.getInstance();
+        c.add(Calendar.DATE, DAYS_TO_USE_PASSWORD_LINK);
+        return c.getTime();
+    }
+}

api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/authenticate/PasswordChangeRequestSpamMitigation.java

@@ -0,0 +1,57 @@
+package edu.cornell.mannlib.vitro.webapp.controller.authenticate;
+
+import java.time.LocalDateTime;
+import java.util.HashMap;
+import java.util.Map;
+
+import edu.cornell.mannlib.vitro.webapp.beans.UserAccount;
+
+public class PasswordChangeRequestSpamMitigation {
+
+    private static final Map<String, LocalDateTime> requestHistory = new HashMap<>();
+
+    private static final Map<String, Integer> requestFrequency = new HashMap<>();
+
+    private static final long INTERVAL_INCREASE_MINUTES = 1;
+
+    private static boolean initializeHistoryRequestDataIfNotExists(String emailAddress) {
+        if (requestHistory.containsKey(emailAddress)) {
+            return false;
+        }
+
+        requestHistory.put(emailAddress, LocalDateTime.now());
+        requestFrequency.put(emailAddress, 0);
+        return true;
+    }
+
+    public static PasswordChangeRequestSpamMitigationResponse isPasswordResetRequestable(UserAccount userAccount) {
+        boolean justInitialised = initializeHistoryRequestDataIfNotExists(userAccount.getEmailAddress());
+
+        Integer numberOfSuccessiveRequests = requestFrequency.get(userAccount.getEmailAddress());
+        LocalDateTime momentOfFirstRequest = requestHistory.get(userAccount.getEmailAddress());
+        LocalDateTime nextRequestAvailableAt =
+            momentOfFirstRequest.plusMinutes(numberOfSuccessiveRequests * INTERVAL_INCREASE_MINUTES);
+
+        if (nextRequestAvailableAt.isAfter(LocalDateTime.now())) {
+            String[] dateTimeTokens = nextRequestAvailableAt.toString().split("T");
+            String dateString = dateTimeTokens[0];
+            String timeString = dateTimeTokens[1].split("\\.")[0];
+            return new PasswordChangeRequestSpamMitigationResponse(false, dateString, timeString);
+        }
+
+        if (numberOfSuccessiveRequests > 0) {
+            requestHistory.put(userAccount.getEmailAddress(), LocalDateTime.now());
+        }
+
+        return new PasswordChangeRequestSpamMitigationResponse(true);
+    }
+
+    public static void requestSuccessfullyHandledAndUserIsNotified(String email) {
+        requestFrequency.computeIfPresent(email, (key, value) -> ++value);
+    }
+
+    public static void requestSuccessfullyHandledAndUserPasswordUpdated(String email) {
+        requestHistory.remove(email);
+        requestFrequency.remove(email);
+    }
+}

api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/authenticate/PasswordChangeRequestSpamMitigationResponse.java

@@ -0,0 +1,46 @@
+package edu.cornell.mannlib.vitro.webapp.controller.authenticate;
+
+public class PasswordChangeRequestSpamMitigationResponse {
+
+    private Boolean canBeRequested;
+
+    private String nextRequestAvailableAtDate;
+
+    private String nextRequestAvailableAtTime;
+
+
+    public PasswordChangeRequestSpamMitigationResponse(Boolean canBeRequested, String nextRequestAvailableAtDate,
+                                                       String nextRequestAvailableAtTime) {
+        this.canBeRequested = canBeRequested;
+        this.nextRequestAvailableAtDate = nextRequestAvailableAtDate;
+        this.nextRequestAvailableAtTime = nextRequestAvailableAtTime;
+    }
+
+    public PasswordChangeRequestSpamMitigationResponse(Boolean canBeRequested) {
+        this.canBeRequested = canBeRequested;
+    }
+
+    public Boolean getCanBeRequested() {
+        return canBeRequested;
+    }
+
+    public void setCanBeRequested(Boolean canBeRequested) {
+        this.canBeRequested = canBeRequested;
+    }
+
+    public String getNextRequestAvailableAtDate() {
+        return nextRequestAvailableAtDate;
+    }
+
+    public void setNextRequestAvailableAtDate(String nextRequestAvailableAtDate) {
+        this.nextRequestAvailableAtDate = nextRequestAvailableAtDate;
+    }
+
+    public String getNextRequestAvailableAtTime() {
+        return nextRequestAvailableAtTime;
+    }
+
+    public void setNextRequestAvailableAtTime(String nextRequestAvailableAtTime) {
+        this.nextRequestAvailableAtTime = nextRequestAvailableAtTime;
+    }
+}

api/src/main/java/edu/cornell/mannlib/vitro/webapp/web/widgets/LoginWidget.java

@@ -52,6 +52,7 @@ public String toString() {
     private static enum TemplateVariable {
         LOGIN_NAME("loginName"),
         FORM_ACTION("formAction"),
+        FORGOT_PASSWORD("forgotPassword"),
         INFO_MESSAGE("infoMessage"),
         ERROR_MESSAGE("errorMessage"),
         EXTERNAL_AUTH_NAME("externalAuthName"),
@@ -134,6 +135,7 @@ private WidgetTemplateValues showLoginScreen(HttpServletRequest request, String
         WidgetTemplateValues values = new WidgetTemplateValues(Macro.LOGIN.toString());
         values.put(TemplateVariable.FORM_ACTION.toString(), getAuthenticateUrl(request));
         values.put(TemplateVariable.LOGIN_NAME.toString(), bean.getUsername());
+        values.put(TemplateVariable.FORGOT_PASSWORD.toString(), getForgotPasswordUrl(request));
 
 		boolean showExternalAuth = StringUtils.isNotBlank(
 				ConfigurationProperties.getBean(request).getProperty(
@@ -232,4 +234,10 @@ private String getCancelUrl(HttpServletRequest request) {
         return contextPath + "/authenticate" + urlParams;
     }
 
+    /** What's the password recovery URL for this servlet? */
+    private String getForgotPasswordUrl(HttpServletRequest request) {
+        String contextPath = request.getContextPath();
+        return contextPath + "/forgot-password";
+    }
+
 }

home/src/main/resources/rdf/i18n/de_DE/interface-i18n/firsttime/vitro_UiLabel.ttl

@@ -254,6 +254,46 @@ uil-data:reset_password_note.Vitro
         uil:hasKey      "reset_password_note" ;
         uil:hasPackage  "Vitro-languages" .
 
+uil-data:password_reset_email_sent.Vitro
+        rdf:type         owl:NamedIndividual ;
+        rdf:type         uil:UILabel ;
+        rdfs:label       "E-Mail zur Passwortwiederherstellung gesendet an "@de-DE ;
+        uil:hasApp      "Vitro" ;
+        uil:hasKey      "password_reset_email_sent" ;
+        uil:hasPackage  "Vitro-languages" .
+
+uil-data:password_reset_email_non_existing.Vitro
+        rdf:type         owl:NamedIndividual ;
+        rdf:type         uil:UILabel ;
+        rdfs:label       "Die von Ihnen angegebene E-Mail-Adresse ist keinem Benutzerkonto zugeordnet."@de-DE ;
+        uil:hasApp      "Vitro" ;
+        uil:hasKey      "password_reset_email_non_existing" ;
+        uil:hasPackage  "Vitro-languages" .
+
+uil-data:password_reset_too_many_requests.Vitro
+        rdf:type         owl:NamedIndividual ;
+        rdf:type         uil:UILabel ;
+        rdfs:label       "Die nächste Anfrage können Sie am "@de-DE ;
+        uil:hasApp      "Vitro" ;
+        uil:hasKey      "password_reset_too_many_requests" ;
+        uil:hasPackage  "Vitro-languages" .
+
+uil-data:password_reset_too_many_requests_at_time.Vitro
+        rdf:type         owl:NamedIndividual ;
+        rdf:type         uil:UILabel ;
+        rdfs:label       " um "@de-DE ;
+        uil:hasApp      "Vitro" ;
+        uil:hasKey      "password_reset_too_many_requests_at_time" ;
+        uil:hasPackage  "Vitro-languages" .
+
+uil-data:password_reset_label.Vitro
+        rdf:type         owl:NamedIndividual ;
+        rdf:type         uil:UILabel ;
+        rdfs:label       "I forgot my password"@de-DE ;
+        uil:hasApp      "Vitro" ;
+        uil:hasKey      "password_reset_label" ;
+        uil:hasPackage  "Vitro-languages" .
+
 uil-data:startup_status.Vitro
         rdf:type         owl:NamedIndividual ;
         rdf:type         uil:UILabel ;

home/src/main/resources/rdf/i18n/en_CA/interface-i18n/firsttime/vitro_UiLabel.ttl

@@ -254,6 +254,46 @@ uil-data:reset_password_note.Vitro
         uil:hasKey      "reset_password_note" ;
         uil:hasPackage  "Vitro-languages" .
 
+uil-data:password_reset_email_sent.Vitro
+        rdf:type         owl:NamedIndividual ;
+        rdf:type         uil:UILabel ;
+        rdfs:label       "Password recovery email sent to "@en-CA ;
+        uil:hasApp      "Vitro" ;
+        uil:hasKey      "password_reset_email_sent" ;
+        uil:hasPackage  "Vitro-languages" .
+
+uil-data:password_reset_email_non_existing.Vitro
+        rdf:type         owl:NamedIndividual ;
+        rdf:type         uil:UILabel ;
+        rdfs:label       "Email you have provided is not associated with any user account."@en-CA ;
+        uil:hasApp      "Vitro" ;
+        uil:hasKey      "password_reset_email_non_existing" ;
+        uil:hasPackage  "Vitro-languages" .
+
+uil-data:password_reset_too_many_requests.Vitro
+        rdf:type         owl:NamedIndividual ;
+        rdf:type         uil:UILabel ;
+        rdfs:label       "You will be able to send the next request on "@en-CA ;
+        uil:hasApp      "Vitro" ;
+        uil:hasKey      "password_reset_too_many_requests" ;
+        uil:hasPackage  "Vitro-languages" .
+
+uil-data:password_reset_too_many_requests_at_time.Vitro
+        rdf:type         owl:NamedIndividual ;
+        rdf:type         uil:UILabel ;
+        rdfs:label       " at "@en-CA ;
+        uil:hasApp      "Vitro" ;
+        uil:hasKey      "password_reset_too_many_requests_at_time" ;
+        uil:hasPackage  "Vitro-languages" .
+
+uil-data:password_reset_label.Vitro
+        rdf:type         owl:NamedIndividual ;
+        rdf:type         uil:UILabel ;
+        rdfs:label       "I forgot my password"@en-CA ;
+        uil:hasApp      "Vitro" ;
+        uil:hasKey      "password_reset_label" ;
+        uil:hasPackage  "Vitro-languages" .
+
 uil-data:startup_status.Vitro
         rdf:type         owl:NamedIndividual ;
         rdf:type         uil:UILabel ;