Commit bfec91567f0bfd3a9684db15d15eadba20a9ec26

Authored by Igor Kulikov
1 parent 19c5f92e

Send the user password as a payload field rather than a URL parameter.

@@ -19,8 +19,6 @@ import com.fasterxml.jackson.databind.JsonNode; @@ -19,8 +19,6 @@ import com.fasterxml.jackson.databind.JsonNode;
19 import com.fasterxml.jackson.databind.ObjectMapper; 19 import com.fasterxml.jackson.databind.ObjectMapper;
20 import com.fasterxml.jackson.databind.node.ObjectNode; 20 import com.fasterxml.jackson.databind.node.ObjectNode;
21 import lombok.extern.slf4j.Slf4j; 21 import lombok.extern.slf4j.Slf4j;
22 -import org.slf4j.Logger;  
23 -import org.slf4j.LoggerFactory;  
24 import org.springframework.beans.factory.annotation.Autowired; 22 import org.springframework.beans.factory.annotation.Autowired;
25 import org.springframework.http.HttpHeaders; 23 import org.springframework.http.HttpHeaders;
26 import org.springframework.http.HttpStatus; 24 import org.springframework.http.HttpStatus;
@@ -30,7 +28,6 @@ import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder; @@ -30,7 +28,6 @@ import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
30 import org.springframework.web.bind.annotation.*; 28 import org.springframework.web.bind.annotation.*;
31 import org.thingsboard.server.common.data.User; 29 import org.thingsboard.server.common.data.User;
32 import org.thingsboard.server.common.data.security.UserCredentials; 30 import org.thingsboard.server.common.data.security.UserCredentials;
33 -import org.thingsboard.server.dao.user.UserService;  
34 import org.thingsboard.server.exception.ThingsboardErrorCode; 31 import org.thingsboard.server.exception.ThingsboardErrorCode;
35 import org.thingsboard.server.exception.ThingsboardException; 32 import org.thingsboard.server.exception.ThingsboardException;
36 import org.thingsboard.server.service.mail.MailService; 33 import org.thingsboard.server.service.mail.MailService;
@@ -78,9 +75,10 @@ public class AuthController extends BaseController { @@ -78,9 +75,10 @@ public class AuthController extends BaseController {
78 @RequestMapping(value = "/auth/changePassword", method = RequestMethod.POST) 75 @RequestMapping(value = "/auth/changePassword", method = RequestMethod.POST)
79 @ResponseStatus(value = HttpStatus.OK) 76 @ResponseStatus(value = HttpStatus.OK)
80 public void changePassword ( 77 public void changePassword (
81 - @RequestParam(value = "currentPassword") String currentPassword,  
82 - @RequestParam(value = "newPassword") String newPassword) throws ThingsboardException { 78 + @RequestBody JsonNode changePasswordRequest) throws ThingsboardException {
83 try { 79 try {
  80 + String currentPassword = changePasswordRequest.get("currentPassword").asText();
  81 + String newPassword = changePasswordRequest.get("newPassword").asText();
84 SecurityUser securityUser = getCurrentUser(); 82 SecurityUser securityUser = getCurrentUser();
85 UserCredentials userCredentials = userService.findUserCredentialsByUserId(securityUser.getId()); 83 UserCredentials userCredentials = userService.findUserCredentialsByUserId(securityUser.getId());
86 if (!passwordEncoder.matches(currentPassword, userCredentials.getPassword())) { 84 if (!passwordEncoder.matches(currentPassword, userCredentials.getPassword())) {
@@ -118,9 +116,10 @@ public class AuthController extends BaseController { @@ -118,9 +116,10 @@ public class AuthController extends BaseController {
118 @RequestMapping(value = "/noauth/resetPasswordByEmail", method = RequestMethod.POST) 116 @RequestMapping(value = "/noauth/resetPasswordByEmail", method = RequestMethod.POST)
119 @ResponseStatus(value = HttpStatus.OK) 117 @ResponseStatus(value = HttpStatus.OK)
120 public void requestResetPasswordByEmail ( 118 public void requestResetPasswordByEmail (
121 - @RequestParam(value = "email") String email, 119 + @RequestBody JsonNode resetPasswordByEmailRequest,
122 HttpServletRequest request) throws ThingsboardException { 120 HttpServletRequest request) throws ThingsboardException {
123 try { 121 try {
  122 + String email = resetPasswordByEmailRequest.get("email").asText();
124 UserCredentials userCredentials = userService.requestPasswordReset(email); 123 UserCredentials userCredentials = userService.requestPasswordReset(email);
125 String baseUrl = constructBaseUrl(request); 124 String baseUrl = constructBaseUrl(request);
126 String resetUrl = String.format("%s/api/noauth/resetPassword?resetToken=%s", baseUrl, 125 String resetUrl = String.format("%s/api/noauth/resetPassword?resetToken=%s", baseUrl,
@@ -158,10 +157,11 @@ public class AuthController extends BaseController { @@ -158,10 +157,11 @@ public class AuthController extends BaseController {
158 @ResponseStatus(value = HttpStatus.OK) 157 @ResponseStatus(value = HttpStatus.OK)
159 @ResponseBody 158 @ResponseBody
160 public JsonNode activateUser( 159 public JsonNode activateUser(
161 - @RequestParam(value = "activateToken") String activateToken,  
162 - @RequestParam(value = "password") String password, 160 + @RequestBody JsonNode activateRequest,
163 HttpServletRequest request) throws ThingsboardException { 161 HttpServletRequest request) throws ThingsboardException {
164 try { 162 try {
  163 + String activateToken = activateRequest.get("activateToken").asText();
  164 + String password = activateRequest.get("password").asText();
165 String encodedPassword = passwordEncoder.encode(password); 165 String encodedPassword = passwordEncoder.encode(password);
166 UserCredentials credentials = userService.activateUserCredentials(activateToken, encodedPassword); 166 UserCredentials credentials = userService.activateUserCredentials(activateToken, encodedPassword);
167 User user = userService.findUserById(credentials.getUserId()); 167 User user = userService.findUserById(credentials.getUserId());
@@ -194,10 +194,11 @@ public class AuthController extends BaseController { @@ -194,10 +194,11 @@ public class AuthController extends BaseController {
194 @ResponseStatus(value = HttpStatus.OK) 194 @ResponseStatus(value = HttpStatus.OK)
195 @ResponseBody 195 @ResponseBody
196 public JsonNode resetPassword( 196 public JsonNode resetPassword(
197 - @RequestParam(value = "resetToken") String resetToken,  
198 - @RequestParam(value = "password") String password, 197 + @RequestBody JsonNode resetPasswordRequest,
199 HttpServletRequest request) throws ThingsboardException { 198 HttpServletRequest request) throws ThingsboardException {
200 try { 199 try {
  200 + String resetToken = resetPasswordRequest.get("resetToken").asText();
  201 + String password = resetPasswordRequest.get("password").asText();
201 UserCredentials userCredentials = userService.findUserCredentialsByResetToken(resetToken); 202 UserCredentials userCredentials = userService.findUserCredentialsByResetToken(resetToken);
202 if (userCredentials != null) { 203 if (userCredentials != null) {
203 String encodedPassword = passwordEncoder.encode(password); 204 String encodedPassword = passwordEncoder.encode(password);
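Review bot: A request body that omits a field now ends in a NullPointerException at `changePasswordRequest.get("currentPassword").asText()` (new lines 80–81), because `JsonNode.get` returns null for an absent field, whereas the removed `@RequestParam` bindings rejected a missing parameter with a 400 before the handler ran; the same unchecked lookup appears in requestResetPasswordByEmail (line 122), activateUser (163–164) and resetPassword (200–201). Whether the surrounding `catch` turns that NPE into a sensible client error cannot be seen here, since every handler's catch block lies outside the hunks. A small helper that checks presence and non-emptiness and throws ThingsboardException (ThingsboardErrorCode is already imported; use the code the project maps to a bad request) restores the old contract and keeps the four handlers uniform. The mapping itself is unchanged, so clients must now send `application/json`; a form-encoded or empty body will be rejected by Spring before reaching the handler, which is fine but worth a line in the API docs.
```java
            String currentPassword = requiredText(changePasswordRequest, "currentPassword");
            String newPassword = requiredText(changePasswordRequest, "newPassword");
            // … unchanged: rest of changePassword; same two-line replacement in requestResetPasswordByEmail, activateUser and resetPassword …

    /** Returns the text of a mandatory field of a JSON request body, or fails with a bad-request error. */
    private static String requiredText(JsonNode body, String field) throws ThingsboardException {
        JsonNode value = body == null ? null : body.get(field);
        if (value == null || value.isNull() || value.asText().isEmpty()) {
            throw new ThingsboardException("Parameter '" + field + "' can't be empty!", ThingsboardErrorCode.BAD_REQUEST_PARAMS);
        }
        return value.asText();
    }
```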
@@ -221,7 +221,10 @@ public abstract class AbstractControllerTest { @@ -221,7 +221,10 @@ public abstract class AbstractControllerTest {
221 doGet("/api/noauth/activate?activateToken={activateToken}", TestMailService.currentActivateToken) 221 doGet("/api/noauth/activate?activateToken={activateToken}", TestMailService.currentActivateToken)
222 .andExpect(status().isSeeOther()) 222 .andExpect(status().isSeeOther())
223 .andExpect(header().string(HttpHeaders.LOCATION, "/login/createPassword?activateToken=" + TestMailService.currentActivateToken)); 223 .andExpect(header().string(HttpHeaders.LOCATION, "/login/createPassword?activateToken=" + TestMailService.currentActivateToken));
224 - JsonNode tokenInfo = readResponse(doPost("/api/noauth/activate", "activateToken", TestMailService.currentActivateToken, "password", password).andExpect(status().isOk()), JsonNode.class); 224 + JsonNode activateRequest = new ObjectMapper().createObjectNode()
  225 + .put("activateToken", TestMailService.currentActivateToken)
  226 + .put("password", password);
  227 + JsonNode tokenInfo = readResponse(doPost("/api/noauth/activate", activateRequest).andExpect(status().isOk()), JsonNode.class);
225 validateAndSetJwtToken(tokenInfo, user.getEmail()); 228 validateAndSetJwtToken(tokenInfo, user.getEmail());
226 return savedUser; 229 return savedUser;
227 } 230 }
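Review bot: Each request body is built from a freshly constructed `new ObjectMapper()` (new lines 224–226 here, and 77–79, 126–127 and 135–137 in BaseUserControllerTest), which repeats a comparatively heavy object setup in every test step. An ObjectMapper is thread-safe and conventionally held once as a `private static final ObjectMapper MAPPER = new ObjectMapper();` on the test base class, so the same `MAPPER.createObjectNode().put(...)` chain can be used from all four places; if AbstractControllerTest already owns a mapper for readResponse, reuse that one instead. The enclosing test methods start and end outside the hunks.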
@@ -17,6 +17,7 @@ package org.thingsboard.server.controller; @@ -17,6 +17,7 @@ package org.thingsboard.server.controller;
17 17
18 import com.fasterxml.jackson.core.type.TypeReference; 18 import com.fasterxml.jackson.core.type.TypeReference;
19 import com.fasterxml.jackson.databind.JsonNode; 19 import com.fasterxml.jackson.databind.JsonNode;
  20 +import com.fasterxml.jackson.databind.ObjectMapper;
20 import org.apache.commons.lang3.RandomStringUtils; 21 import org.apache.commons.lang3.RandomStringUtils;
21 import org.junit.Assert; 22 import org.junit.Assert;
22 import org.junit.Test; 23 import org.junit.Test;
@@ -73,7 +74,11 @@ public abstract class BaseUserControllerTest extends AbstractControllerTest { @@ -73,7 +74,11 @@ public abstract class BaseUserControllerTest extends AbstractControllerTest {
73 .andExpect(status().isSeeOther()) 74 .andExpect(status().isSeeOther())
74 .andExpect(header().string(HttpHeaders.LOCATION, "/login/createPassword?activateToken=" + TestMailService.currentActivateToken)); 75 .andExpect(header().string(HttpHeaders.LOCATION, "/login/createPassword?activateToken=" + TestMailService.currentActivateToken));
75 76
76 - JsonNode tokenInfo = readResponse(doPost("/api/noauth/activate", "activateToken", TestMailService.currentActivateToken, "password", "testPassword").andExpect(status().isOk()), JsonNode.class); 77 + JsonNode activateRequest = new ObjectMapper().createObjectNode()
  78 + .put("activateToken", TestMailService.currentActivateToken)
  79 + .put("password", "testPassword");
  80 +
  81 + JsonNode tokenInfo = readResponse(doPost("/api/noauth/activate", activateRequest).andExpect(status().isOk()), JsonNode.class);
77 validateAndSetJwtToken(tokenInfo, email); 82 validateAndSetJwtToken(tokenInfo, email);
78 83
79 doGet("/api/auth/user") 84 doGet("/api/auth/user")
@@ -117,13 +122,21 @@ public abstract class BaseUserControllerTest extends AbstractControllerTest { @@ -117,13 +122,21 @@ public abstract class BaseUserControllerTest extends AbstractControllerTest {
117 122
118 User savedUser = createUserAndLogin(user, "testPassword1"); 123 User savedUser = createUserAndLogin(user, "testPassword1");
119 logout(); 124 logout();
120 - doPost("/api/noauth/resetPasswordByEmail", "email", email) 125 +
  126 + JsonNode resetPasswordByEmailRequest = new ObjectMapper().createObjectNode()
  127 + .put("email", email);
  128 +
  129 + doPost("/api/noauth/resetPasswordByEmail", resetPasswordByEmailRequest)
121 .andExpect(status().isOk()); 130 .andExpect(status().isOk());
122 doGet("/api/noauth/resetPassword?resetToken={resetToken}", TestMailService.currentResetPasswordToken) 131 doGet("/api/noauth/resetPassword?resetToken={resetToken}", TestMailService.currentResetPasswordToken)
123 .andExpect(status().isSeeOther()) 132 .andExpect(status().isSeeOther())
124 .andExpect(header().string(HttpHeaders.LOCATION, "/login/resetPassword?resetToken=" + TestMailService.currentResetPasswordToken)); 133 .andExpect(header().string(HttpHeaders.LOCATION, "/login/resetPassword?resetToken=" + TestMailService.currentResetPasswordToken));
125 -  
126 - JsonNode tokenInfo = readResponse(doPost("/api/noauth/resetPassword", "resetToken", TestMailService.currentResetPasswordToken, "password", "testPassword2").andExpect(status().isOk()), JsonNode.class); 134 +
  135 + JsonNode resetPasswordRequest = new ObjectMapper().createObjectNode()
  136 + .put("resetToken", TestMailService.currentResetPasswordToken)
  137 + .put("password", "testPassword2");
  138 +
  139 + JsonNode tokenInfo = readResponse(doPost("/api/noauth/resetPassword", resetPasswordRequest).andExpect(status().isOk()), JsonNode.class);
127 validateAndSetJwtToken(tokenInfo, email); 140 validateAndSetJwtToken(tokenInfo, email);
128 141
129 doGet("/api/auth/user") 142 doGet("/api/auth/user")
@@ -65,8 +65,8 @@ function LoginService($http, $q) { @@ -65,8 +65,8 @@ function LoginService($http, $q) {
65 65
66 function sendResetPasswordLink(email) { 66 function sendResetPasswordLink(email) {
67 var deferred = $q.defer(); 67 var deferred = $q.defer();
68 - var url = '/api/noauth/resetPasswordByEmail?email=' + email;  
69 - $http.post(url, null).then(function success(response) { 68 + var url = '/api/noauth/resetPasswordByEmail';
  69 + $http.post(url, {email: email}).then(function success(response) {
70 deferred.resolve(response); 70 deferred.resolve(response);
71 }, function fail() { 71 }, function fail() {
72 deferred.reject(); 72 deferred.reject();
@@ -76,8 +76,8 @@ function LoginService($http, $q) { @@ -76,8 +76,8 @@ function LoginService($http, $q) {
76 76
77 function resetPassword(resetToken, password) { 77 function resetPassword(resetToken, password) {
78 var deferred = $q.defer(); 78 var deferred = $q.defer();
79 - var url = '/api/noauth/resetPassword?resetToken=' + resetToken + '&password=' + password;  
80 - $http.post(url, null).then(function success(response) { 79 + var url = '/api/noauth/resetPassword';
  80 + $http.post(url, {resetToken: resetToken, password: password}).then(function success(response) {
81 deferred.resolve(response); 81 deferred.resolve(response);
82 }, function fail() { 82 }, function fail() {
83 deferred.reject(); 83 deferred.reject();
@@ -87,8 +87,8 @@ function LoginService($http, $q) { @@ -87,8 +87,8 @@ function LoginService($http, $q) {
87 87
88 function activate(activateToken, password) { 88 function activate(activateToken, password) {
89 var deferred = $q.defer(); 89 var deferred = $q.defer();
90 - var url = '/api/noauth/activate?activateToken=' + activateToken + '&password=' + password;  
91 - $http.post(url, null).then(function success(response) { 90 + var url = '/api/noauth/activate';
  91 + $http.post(url, {activateToken: activateToken, password: password}).then(function success(response) {
92 deferred.resolve(response); 92 deferred.resolve(response);
93 }, function fail() { 93 }, function fail() {
94 deferred.reject(); 94 deferred.reject();
@@ -98,8 +98,8 @@ function LoginService($http, $q) { @@ -98,8 +98,8 @@ function LoginService($http, $q) {
98 98
99 function changePassword(currentPassword, newPassword) { 99 function changePassword(currentPassword, newPassword) {
100 var deferred = $q.defer(); 100 var deferred = $q.defer();
101 - var url = '/api/auth/changePassword?currentPassword=' + currentPassword + '&newPassword=' + newPassword;  
102 - $http.post(url, null).then(function success(response) { 101 + var url = '/api/auth/changePassword';
  102 + $http.post(url, {currentPassword: currentPassword, newPassword: newPassword}).then(function success(response) {
103 deferred.resolve(response); 103 deferred.resolve(response);
104 }, function fail() { 104 }, function fail() {
105 deferred.reject(); 105 deferred.reject();
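Review bot: In all four rewritten functions the `url` local (new lines 68, 79, 90 and 101) is now a constant used exactly once, so the intermediate variable only adds a line; `$http.post('/api/noauth/resetPasswordByEmail', {email: email})` reads as clearly and matches how the path no longer depends on the arguments. Passing a plain object relies on $http's default JSON serialization and content type, which is what the server's `@RequestBody` binding expects, so no extra headers are needed here. Each function's closing lines are outside the hunk.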