Commit bfec91567f0bfd3a9684db15d15eadba20a9ec26
1 parent
19c5f92e
Send the user password as a payload field rather than a URL parameter.
Showing
4 changed files
with
40 additions
and
23 deletions
... | ... | @@ -19,8 +19,6 @@ import com.fasterxml.jackson.databind.JsonNode; |
19 | 19 | import com.fasterxml.jackson.databind.ObjectMapper; |
20 | 20 | import com.fasterxml.jackson.databind.node.ObjectNode; |
21 | 21 | import lombok.extern.slf4j.Slf4j; |
22 | -import org.slf4j.Logger; | |
23 | -import org.slf4j.LoggerFactory; | |
24 | 22 | import org.springframework.beans.factory.annotation.Autowired; |
25 | 23 | import org.springframework.http.HttpHeaders; |
26 | 24 | import org.springframework.http.HttpStatus; |
... | ... | @@ -30,7 +28,6 @@ import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder; |
30 | 28 | import org.springframework.web.bind.annotation.*; |
31 | 29 | import org.thingsboard.server.common.data.User; |
32 | 30 | import org.thingsboard.server.common.data.security.UserCredentials; |
33 | -import org.thingsboard.server.dao.user.UserService; | |
34 | 31 | import org.thingsboard.server.exception.ThingsboardErrorCode; |
35 | 32 | import org.thingsboard.server.exception.ThingsboardException; |
36 | 33 | import org.thingsboard.server.service.mail.MailService; |
... | ... | @@ -78,9 +75,10 @@ public class AuthController extends BaseController { |
78 | 75 | @RequestMapping(value = "/auth/changePassword", method = RequestMethod.POST) |
79 | 76 | @ResponseStatus(value = HttpStatus.OK) |
80 | 77 | public void changePassword ( |
81 | - @RequestParam(value = "currentPassword") String currentPassword, | |
82 | - @RequestParam(value = "newPassword") String newPassword) throws ThingsboardException { | |
78 | + @RequestBody JsonNode changePasswordRequest) throws ThingsboardException { | |
83 | 79 | try { |
80 | + String currentPassword = changePasswordRequest.get("currentPassword").asText(); | |
81 | + String newPassword = changePasswordRequest.get("newPassword").asText(); | |
84 | 82 | SecurityUser securityUser = getCurrentUser(); |
85 | 83 | UserCredentials userCredentials = userService.findUserCredentialsByUserId(securityUser.getId()); |
86 | 84 | if (!passwordEncoder.matches(currentPassword, userCredentials.getPassword())) { |
... | ... | @@ -118,9 +116,10 @@ public class AuthController extends BaseController { |
118 | 116 | @RequestMapping(value = "/noauth/resetPasswordByEmail", method = RequestMethod.POST) |
119 | 117 | @ResponseStatus(value = HttpStatus.OK) |
120 | 118 | public void requestResetPasswordByEmail ( |
121 | - @RequestParam(value = "email") String email, | |
119 | + @RequestBody JsonNode resetPasswordByEmailRequest, | |
122 | 120 | HttpServletRequest request) throws ThingsboardException { |
123 | 121 | try { |
122 | + String email = resetPasswordByEmailRequest.get("email").asText(); | |
124 | 123 | UserCredentials userCredentials = userService.requestPasswordReset(email); |
125 | 124 | String baseUrl = constructBaseUrl(request); |
126 | 125 | String resetUrl = String.format("%s/api/noauth/resetPassword?resetToken=%s", baseUrl, |
... | ... | @@ -158,10 +157,11 @@ public class AuthController extends BaseController { |
158 | 157 | @ResponseStatus(value = HttpStatus.OK) |
159 | 158 | @ResponseBody |
160 | 159 | public JsonNode activateUser( |
161 | - @RequestParam(value = "activateToken") String activateToken, | |
162 | - @RequestParam(value = "password") String password, | |
160 | + @RequestBody JsonNode activateRequest, | |
163 | 161 | HttpServletRequest request) throws ThingsboardException { |
164 | 162 | try { |
163 | + String activateToken = activateRequest.get("activateToken").asText(); | |
164 | + String password = activateRequest.get("password").asText(); | |
165 | 165 | String encodedPassword = passwordEncoder.encode(password); |
166 | 166 | UserCredentials credentials = userService.activateUserCredentials(activateToken, encodedPassword); |
167 | 167 | User user = userService.findUserById(credentials.getUserId()); |
... | ... | @@ -194,10 +194,11 @@ public class AuthController extends BaseController { |
194 | 194 | @ResponseStatus(value = HttpStatus.OK) |
195 | 195 | @ResponseBody |
196 | 196 | public JsonNode resetPassword( |
197 | - @RequestParam(value = "resetToken") String resetToken, | |
198 | - @RequestParam(value = "password") String password, | |
197 | + @RequestBody JsonNode resetPasswordRequest, | |
199 | 198 | HttpServletRequest request) throws ThingsboardException { |
200 | 199 | try { |
200 | + String resetToken = resetPasswordRequest.get("resetToken").asText(); | |
201 | + String password = resetPasswordRequest.get("password").asText(); | |
201 | 202 | UserCredentials userCredentials = userService.findUserCredentialsByResetToken(resetToken); |
202 | 203 | if (userCredentials != null) { |
203 | 204 | String encodedPassword = passwordEncoder.encode(password); | ... | ... |
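Review bot: `changePasswordRequest.get("currentPassword").asText()` on new line 80, and the matching reads added to requestResetPasswordByEmail, activateUser and resetPassword, dereference the result of `JsonNode.get()`, which is null when the key is absent, so a JSON body that omits a field now throws a NullPointerException where the old `@RequestParam` binding produced a 400. Whether the `catch` further down each method (outside the hunks) maps that to a sensible error code is not visible here; an explicit required-field check makes the contract clear regardless. A small shared helper that rejects missing, non-text or empty values keeps the four handlers consistent; `ThingsboardErrorCode.BAD_REQUEST_PARAMS` is the code the project uses for bad request parameters, if that is what the catch block expects. The bodies of all four methods continue outside the hunks.
```java
// Shared by changePassword, requestResetPasswordByEmail, activateUser and resetPassword.
private static String requiredText(JsonNode body, String field) throws ThingsboardException {
    JsonNode value = body == null ? null : body.get(field);
    if (value == null || !value.isTextual() || value.asText().isEmpty()) {
        throw new ThingsboardException("Missing or invalid '" + field + "' field",
                ThingsboardErrorCode.BAD_REQUEST_PARAMS);
    }
    return value.asText();
}

// … in changePassword, replacing the two get(...).asText() lines …
String currentPassword = requiredText(changePasswordRequest, "currentPassword");
String newPassword = requiredText(changePasswordRequest, "newPassword");
```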
... | ... | @@ -221,7 +221,10 @@ public abstract class AbstractControllerTest { |
221 | 221 | doGet("/api/noauth/activate?activateToken={activateToken}", TestMailService.currentActivateToken) |
222 | 222 | .andExpect(status().isSeeOther()) |
223 | 223 | .andExpect(header().string(HttpHeaders.LOCATION, "/login/createPassword?activateToken=" + TestMailService.currentActivateToken)); |
224 | - JsonNode tokenInfo = readResponse(doPost("/api/noauth/activate", "activateToken", TestMailService.currentActivateToken, "password", password).andExpect(status().isOk()), JsonNode.class); | |
224 | + JsonNode activateRequest = new ObjectMapper().createObjectNode() | |
225 | + .put("activateToken", TestMailService.currentActivateToken) | |
226 | + .put("password", password); | |
227 | + JsonNode tokenInfo = readResponse(doPost("/api/noauth/activate", activateRequest).andExpect(status().isOk()), JsonNode.class); | |
225 | 228 | validateAndSetJwtToken(tokenInfo, user.getEmail()); |
226 | 229 | return savedUser; |
227 | 230 | } | ... | ... |
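Review bot: `new ObjectMapper().createObjectNode()` on new line 224 constructs a throwaway mapper only to obtain an empty object node, and the same idiom appears three more times in the BaseUserControllerTest hunks of this commit. A `private static final ObjectMapper` on the shared test base class, or `JsonNodeFactory.instance.objectNode()`, avoids the per-call construction and keeps all the tests on one mapper configuration. This is a point of style only; the request body itself is built as the new controller expects. The enclosing test method starts outside the hunk.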
... | ... | @@ -17,6 +17,7 @@ package org.thingsboard.server.controller; |
17 | 17 | |
18 | 18 | import com.fasterxml.jackson.core.type.TypeReference; |
19 | 19 | import com.fasterxml.jackson.databind.JsonNode; |
20 | +import com.fasterxml.jackson.databind.ObjectMapper; | |
20 | 21 | import org.apache.commons.lang3.RandomStringUtils; |
21 | 22 | import org.junit.Assert; |
22 | 23 | import org.junit.Test; |
... | ... | @@ -73,7 +74,11 @@ public abstract class BaseUserControllerTest extends AbstractControllerTest { |
73 | 74 | .andExpect(status().isSeeOther()) |
74 | 75 | .andExpect(header().string(HttpHeaders.LOCATION, "/login/createPassword?activateToken=" + TestMailService.currentActivateToken)); |
75 | 76 | |
76 | - JsonNode tokenInfo = readResponse(doPost("/api/noauth/activate", "activateToken", TestMailService.currentActivateToken, "password", "testPassword").andExpect(status().isOk()), JsonNode.class); | |
77 | + JsonNode activateRequest = new ObjectMapper().createObjectNode() | |
78 | + .put("activateToken", TestMailService.currentActivateToken) | |
79 | + .put("password", "testPassword"); | |
80 | + | |
81 | + JsonNode tokenInfo = readResponse(doPost("/api/noauth/activate", activateRequest).andExpect(status().isOk()), JsonNode.class); | |
77 | 82 | validateAndSetJwtToken(tokenInfo, email); |
78 | 83 | |
79 | 84 | doGet("/api/auth/user") |
... | ... | @@ -117,13 +122,21 @@ public abstract class BaseUserControllerTest extends AbstractControllerTest { |
117 | 122 | |
118 | 123 | User savedUser = createUserAndLogin(user, "testPassword1"); |
119 | 124 | logout(); |
120 | - doPost("/api/noauth/resetPasswordByEmail", "email", email) | |
125 | + | |
126 | + JsonNode resetPasswordByEmailRequest = new ObjectMapper().createObjectNode() | |
127 | + .put("email", email); | |
128 | + | |
129 | + doPost("/api/noauth/resetPasswordByEmail", resetPasswordByEmailRequest) | |
121 | 130 | .andExpect(status().isOk()); |
122 | 131 | doGet("/api/noauth/resetPassword?resetToken={resetToken}", TestMailService.currentResetPasswordToken) |
123 | 132 | .andExpect(status().isSeeOther()) |
124 | 133 | .andExpect(header().string(HttpHeaders.LOCATION, "/login/resetPassword?resetToken=" + TestMailService.currentResetPasswordToken)); |
125 | - | |
126 | - JsonNode tokenInfo = readResponse(doPost("/api/noauth/resetPassword", "resetToken", TestMailService.currentResetPasswordToken, "password", "testPassword2").andExpect(status().isOk()), JsonNode.class); | |
134 | + | |
135 | + JsonNode resetPasswordRequest = new ObjectMapper().createObjectNode() | |
136 | + .put("resetToken", TestMailService.currentResetPasswordToken) | |
137 | + .put("password", "testPassword2"); | |
138 | + | |
139 | + JsonNode tokenInfo = readResponse(doPost("/api/noauth/resetPassword", resetPasswordRequest).andExpect(status().isOk()), JsonNode.class); | |
127 | 140 | validateAndSetJwtToken(tokenInfo, email); |
128 | 141 | |
129 | 142 | doGet("/api/auth/user") | ... | ... |
... | ... | @@ -65,8 +65,8 @@ function LoginService($http, $q) { |
65 | 65 | |
66 | 66 | function sendResetPasswordLink(email) { |
67 | 67 | var deferred = $q.defer(); |
68 | - var url = '/api/noauth/resetPasswordByEmail?email=' + email; | |
69 | - $http.post(url, null).then(function success(response) { | |
68 | + var url = '/api/noauth/resetPasswordByEmail'; | |
69 | + $http.post(url, {email: email}).then(function success(response) { | |
70 | 70 | deferred.resolve(response); |
71 | 71 | }, function fail() { |
72 | 72 | deferred.reject(); |
... | ... | @@ -76,8 +76,8 @@ function LoginService($http, $q) { |
76 | 76 | |
77 | 77 | function resetPassword(resetToken, password) { |
78 | 78 | var deferred = $q.defer(); |
79 | - var url = '/api/noauth/resetPassword?resetToken=' + resetToken + '&password=' + password; | |
80 | - $http.post(url, null).then(function success(response) { | |
79 | + var url = '/api/noauth/resetPassword'; | |
80 | + $http.post(url, {resetToken: resetToken, password: password}).then(function success(response) { | |
81 | 81 | deferred.resolve(response); |
82 | 82 | }, function fail() { |
83 | 83 | deferred.reject(); |
... | ... | @@ -87,8 +87,8 @@ function LoginService($http, $q) { |
87 | 87 | |
88 | 88 | function activate(activateToken, password) { |
89 | 89 | var deferred = $q.defer(); |
90 | - var url = '/api/noauth/activate?activateToken=' + activateToken + '&password=' + password; | |
91 | - $http.post(url, null).then(function success(response) { | |
90 | + var url = '/api/noauth/activate'; | |
91 | + $http.post(url, {activateToken: activateToken, password: password}).then(function success(response) { | |
92 | 92 | deferred.resolve(response); |
93 | 93 | }, function fail() { |
94 | 94 | deferred.reject(); |
... | ... | @@ -98,8 +98,8 @@ function LoginService($http, $q) { |
98 | 98 | |
99 | 99 | function changePassword(currentPassword, newPassword) { |
100 | 100 | var deferred = $q.defer(); |
101 | - var url = '/api/auth/changePassword?currentPassword=' + currentPassword + '&newPassword=' + newPassword; | |
102 | - $http.post(url, null).then(function success(response) { | |
101 | + var url = '/api/auth/changePassword'; | |
102 | + $http.post(url, {currentPassword: currentPassword, newPassword: newPassword}).then(function success(response) { | |
103 | 103 | deferred.resolve(response); |
104 | 104 | }, function fail() { |
105 | 105 | deferred.reject(); | ... | ... |
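Review bot: `$http.post(url, {email: email})` on new line 69, and the three sibling calls changed in this file, now rely on Angular's JSON serialisation, which drops any property whose value is `undefined`; a caller that passes an undefined password therefore sends a body with no `password` key at all rather than an empty value. Since the server side of this commit reads those keys with `JsonNode.get(...)`, the client should ensure the arguments are defined before posting, or the server should validate required fields explicitly, so that the failure is a clear 400 instead of a missing-key error. The four functions are otherwise unchanged and the surrounding LoginService code is outside the hunks.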