dendi-wang/thingsboard
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Status '410 Gone' when token is expired

Browse Source
This commit is contained in:
ViacheslavKlimov 2024-07-25 11:49:10 +03:00
parent a246032e54
commit 478d20aec7
5 changed files with 47 additions and 44 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

76
application/src/main/java/org/thingsboard/server/controller/AuthController.java
View File

@ -21,7 +21,6 @@ import lombok.RequiredArgsConstructor;
import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.ApplicationEventPublisher;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.access.prepost.PreAuthorize;
@ -132,28 +131,28 @@ public class AuthController extends BaseController {
@ApiOperation(value = "Check Activate User Token (checkActivateToken)",
notes = "Checks the activation token and forwards user to 'Create Password' page. " +
"If token is valid, returns '303 See Other' (redirect) response code with the correct address of 'Create Password' page and same 'activateToken' specified in the URL parameters. " +
"If token is not valid, returns '409 Conflict'.")
"If token is not valid, returns '409 Conflict'. " +
"If token is expired, returns '410 Gone'.")
@GetMapping(value = "/noauth/activate", params = {"activateToken"})
public ResponseEntity<String> checkActivateToken(
public ResponseEntity<?> checkActivateToken(
@Parameter(description = "The activate token string.")
@RequestParam(value = "activateToken") String activateToken) {
HttpHeaders headers = new HttpHeaders();
HttpStatus responseStatus;
UserCredentials userCredentials = userService.findUserCredentialsByActivateToken(TenantId.SYS_TENANT_ID, activateToken);
if (userCredentials != null && !userCredentials.isActivationTokenExpired()) {
String createURI = "/login/createPassword";
try {
URI location = new URI(createURI + "?activateToken=" + activateToken);
headers.setLocation(location);
responseStatus = HttpStatus.SEE_OTHER;
} catch (URISyntaxException e) {
log.error("Unable to create URI with address [{}]", createURI);
responseStatus = HttpStatus.BAD_REQUEST;
}
} else {
responseStatus = HttpStatus.CONFLICT;
if (userCredentials == null) {
return response(HttpStatus.CONFLICT);
} else if (userCredentials.isActivationTokenExpired()) {
return response(HttpStatus.GONE);
}
String createURI = "/login/createPassword";
try {
URI location = new URI(createURI + "?activateToken=" + activateToken);
return ResponseEntity.status(HttpStatus.SEE_OTHER)
.location(location).build();
} catch (URISyntaxException e) {
log.error("Unable to create URI with address [{}]", createURI);
return response(HttpStatus.BAD_REQUEST);
}
return new ResponseEntity<>(headers, responseStatus);
}
@ApiOperation(value = "Request reset password email (requestResetPasswordByEmail)",
@ -181,32 +180,31 @@ public class AuthController extends BaseController {
@ApiOperation(value = "Check password reset token (checkResetToken)",
notes = "Checks the password reset token and forwards user to 'Reset Password' page. " +
"If token is valid, returns '303 See Other' (redirect) response code with the correct address of 'Reset Password' page and same 'resetToken' specified in the URL parameters. " +
"If token is not valid, returns '409 Conflict'.")
"If token is not valid, returns '409 Conflict'. " +
"If token is expired, returns '410 Gone'.")
@GetMapping(value = "/noauth/resetPassword", params = {"resetToken"})
public ResponseEntity<String> checkResetToken(
public ResponseEntity<?> checkResetToken(
@Parameter(description = "The reset token string.")
@RequestParam(value = "resetToken") String resetToken) {
HttpHeaders headers = new HttpHeaders();
HttpStatus responseStatus;
String resetURI = "/login/resetPassword";
UserCredentials userCredentials = userService.findUserCredentialsByResetToken(TenantId.SYS_TENANT_ID, resetToken);
if (userCredentials != null && !userCredentials.isResetTokenExpired()) {
if (!rateLimitService.checkRateLimit(LimitedApi.PASSWORD_RESET, userCredentials.getUserId(), defaultLimitsConfiguration)) {
return ResponseEntity.status(HttpStatus.TOO_MANY_REQUESTS).build();
}
try {
URI location = new URI(resetURI + "?resetToken=" + resetToken);
headers.setLocation(location);
responseStatus = HttpStatus.SEE_OTHER;
} catch (URISyntaxException e) {
log.error("Unable to create URI with address [{}]", resetURI);
responseStatus = HttpStatus.BAD_REQUEST;
}
} else {
responseStatus = HttpStatus.CONFLICT;
if (userCredentials == null) {
return response(HttpStatus.CONFLICT);
} else if (userCredentials.isResetTokenExpired()) {
return response(HttpStatus.GONE);
}
if (!rateLimitService.checkRateLimit(LimitedApi.PASSWORD_RESET, userCredentials.getUserId(), defaultLimitsConfiguration)) {
return response(HttpStatus.TOO_MANY_REQUESTS);
}
String resetURI = "/login/resetPassword";
try {
URI location = new URI(resetURI + "?resetToken=" + resetToken);
return ResponseEntity.status(HttpStatus.SEE_OTHER)
.location(location).build();
} catch (URISyntaxException e) {
log.error("Unable to create URI with address [{}]", resetURI);
return response(HttpStatus.BAD_REQUEST);
}
return new ResponseEntity<>(headers, responseStatus);
}
@ApiOperation(value = "Activate User",

6
application/src/main/java/org/thingsboard/server/controller/BaseController.java
View File

@ -27,7 +27,9 @@ import org.slf4j.Logger;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.dao.DataAccessException;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.bind.MethodArgumentNotValidException;
@ -867,4 +869,8 @@ public abstract class BaseController {
}
}
protected <T> ResponseEntity<T> response(HttpStatus status) {
return ResponseEntity.status(status).build();
}
}

2
application/src/main/java/org/thingsboard/server/controller/ImageController.java
View File

@ -290,7 +290,7 @@ public class ImageController extends BaseController {
if (StringUtils.isNotEmpty(etag)) {
etag = StringUtils.remove(etag, '\"'); // etag is wrapped in double quotes due to HTTP specification
if (etag.equals(tbImageService.getETag(cacheKey))) {
return ResponseEntity.status(HttpStatus.NOT_MODIFIED).build();
return response(HttpStatus.NOT_MODIFIED);
}
}

3
application/src/main/java/org/thingsboard/server/controller/MobileApplicationController.java
View File

@ -183,8 +183,7 @@ public class MobileApplicationController extends BaseController {
.header("Location", appStoreLink)
.build();
} else {
return ResponseEntity.status(HttpStatus.NOT_FOUND)
.build();
return response(HttpStatus.NOT_FOUND);
}
}

4
application/src/test/java/org/thingsboard/server/controller/AuthControllerTest.java
View File

@ -193,7 +193,7 @@ public class AuthControllerTest extends AbstractControllerTest {
userCredentialsDao.save(tenantId, userCredentials);
doGet("/api/noauth/resetPassword?resetToken={resetToken}", this.currentResetPasswordToken)
.andExpect(status().isConflict());
.andExpect(status().isGone());
JsonNode resetPasswordRequest = JacksonUtil.newObjectNode()
.put("resetToken", this.currentResetPasswordToken)
.put("password", "wefwefe");
@ -223,7 +223,7 @@ public class AuthControllerTest extends AbstractControllerTest {
userCredentials.setActivateTokenExpTime(System.currentTimeMillis() - 1);
userCredentialsDao.save(tenantId, userCredentials);
doGet("/api/noauth/activate?activateToken={activateToken}", initialActivationToken)
.andExpect(status().isConflict());
.andExpect(status().isGone());
doPost("/api/noauth/activate", JacksonUtil.newObjectNode()
.put("activateToken", initialActivationToken)
.put("password", "wefewe")).andExpect(status().isBadRequest())