Status '410 Gone' when token is expired
This commit is contained in:
ViacheslavKlimov
parent
a246032e54
commit
478d20aec7
@ -21,7 +21,6 @@ import lombok.RequiredArgsConstructor;
|
||||
import lombok.extern.slf4j.Slf4j;
|
||||
import org.springframework.beans.factory.annotation.Value;
|
||||
import org.springframework.context.ApplicationEventPublisher;
|
||||
import org.springframework.http.HttpHeaders;
|
||||
import org.springframework.http.HttpStatus;
|
||||
import org.springframework.http.ResponseEntity;
|
||||
import org.springframework.security.access.prepost.PreAuthorize;
|
||||
@ -132,28 +131,28 @@ public class AuthController extends BaseController {
|
||||
@ApiOperation(value = "Check Activate User Token (checkActivateToken)",
|
||||
notes = "Checks the activation token and forwards user to 'Create Password' page. " +
|
||||
"If token is valid, returns '303 See Other' (redirect) response code with the correct address of 'Create Password' page and same 'activateToken' specified in the URL parameters. " +
|
||||
"If token is not valid, returns '409 Conflict'.")
|
||||
"If token is not valid, returns '409 Conflict'. " +
|
||||
"If token is expired, returns '410 Gone'.")
|
||||
@GetMapping(value = "/noauth/activate", params = {"activateToken"})
|
||||
public ResponseEntity<String> checkActivateToken(
|
||||
public ResponseEntity<?> checkActivateToken(
|
||||
@Parameter(description = "The activate token string.")
|
||||
@RequestParam(value = "activateToken") String activateToken) {
|
||||
HttpHeaders headers = new HttpHeaders();
|
||||
HttpStatus responseStatus;
|
||||
UserCredentials userCredentials = userService.findUserCredentialsByActivateToken(TenantId.SYS_TENANT_ID, activateToken);
|
||||
if (userCredentials != null && !userCredentials.isActivationTokenExpired()) {
|
||||
if (userCredentials == null) {
|
||||
return response(HttpStatus.CONFLICT);
|
||||
} else if (userCredentials.isActivationTokenExpired()) {
|
||||
return response(HttpStatus.GONE);
|
||||
}
|
||||
|
||||
String createURI = "/login/createPassword";
|
||||
try {
|
||||
URI location = new URI(createURI + "?activateToken=" + activateToken);
|
||||
headers.setLocation(location);
|
||||
responseStatus = HttpStatus.SEE_OTHER;
|
||||
return ResponseEntity.status(HttpStatus.SEE_OTHER)
|
||||
.location(location).build();
|
||||
} catch (URISyntaxException e) {
|
||||
log.error("Unable to create URI with address [{}]", createURI);
|
||||
responseStatus = HttpStatus.BAD_REQUEST;
|
||||
return response(HttpStatus.BAD_REQUEST);
|
||||
}
|
||||
} else {
|
||||
responseStatus = HttpStatus.CONFLICT;
|
||||
}
|
||||
return new ResponseEntity<>(headers, responseStatus);
|
||||
}
|
||||
|
||||
@ApiOperation(value = "Request reset password email (requestResetPasswordByEmail)",
|
||||
@ -181,32 +180,31 @@ public class AuthController extends BaseController {
|
||||
@ApiOperation(value = "Check password reset token (checkResetToken)",
|
||||
notes = "Checks the password reset token and forwards user to 'Reset Password' page. " +
|
||||
"If token is valid, returns '303 See Other' (redirect) response code with the correct address of 'Reset Password' page and same 'resetToken' specified in the URL parameters. " +
|
||||
"If token is not valid, returns '409 Conflict'.")
|
||||
"If token is not valid, returns '409 Conflict'. " +
|
||||
"If token is expired, returns '410 Gone'.")
|
||||
@GetMapping(value = "/noauth/resetPassword", params = {"resetToken"})
|
||||
public ResponseEntity<String> checkResetToken(
|
||||
public ResponseEntity<?> checkResetToken(
|
||||
@Parameter(description = "The reset token string.")
|
||||
@RequestParam(value = "resetToken") String resetToken) {
|
||||
HttpHeaders headers = new HttpHeaders();
|
||||
HttpStatus responseStatus;
|
||||
String resetURI = "/login/resetPassword";
|
||||
UserCredentials userCredentials = userService.findUserCredentialsByResetToken(TenantId.SYS_TENANT_ID, resetToken);
|
||||
|
||||
if (userCredentials != null && !userCredentials.isResetTokenExpired()) {
|
||||
if (!rateLimitService.checkRateLimit(LimitedApi.PASSWORD_RESET, userCredentials.getUserId(), defaultLimitsConfiguration)) {
|
||||
return ResponseEntity.status(HttpStatus.TOO_MANY_REQUESTS).build();
|
||||
if (userCredentials == null) {
|
||||
return response(HttpStatus.CONFLICT);
|
||||
} else if (userCredentials.isResetTokenExpired()) {
|
||||
return response(HttpStatus.GONE);
|
||||
}
|
||||
if (!rateLimitService.checkRateLimit(LimitedApi.PASSWORD_RESET, userCredentials.getUserId(), defaultLimitsConfiguration)) {
|
||||
return response(HttpStatus.TOO_MANY_REQUESTS);
|
||||
}
|
||||
|
||||
String resetURI = "/login/resetPassword";
|
||||
try {
|
||||
URI location = new URI(resetURI + "?resetToken=" + resetToken);
|
||||
headers.setLocation(location);
|
||||
responseStatus = HttpStatus.SEE_OTHER;
|
||||
return ResponseEntity.status(HttpStatus.SEE_OTHER)
|
||||
.location(location).build();
|
||||
} catch (URISyntaxException e) {
|
||||
log.error("Unable to create URI with address [{}]", resetURI);
|
||||
responseStatus = HttpStatus.BAD_REQUEST;
|
||||
return response(HttpStatus.BAD_REQUEST);
|
||||
}
|
||||
} else {
|
||||
responseStatus = HttpStatus.CONFLICT;
|
||||
}
|
||||
return new ResponseEntity<>(headers, responseStatus);
|
||||
}
|
||||
|
||||
@ApiOperation(value = "Activate User",
|
||||
|
||||
@ -27,7 +27,9 @@ import org.slf4j.Logger;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.beans.factory.annotation.Value;
|
||||
import org.springframework.dao.DataAccessException;
|
||||
import org.springframework.http.HttpStatus;
|
||||
import org.springframework.http.MediaType;
|
||||
import org.springframework.http.ResponseEntity;
|
||||
import org.springframework.security.core.Authentication;
|
||||
import org.springframework.security.core.context.SecurityContextHolder;
|
||||
import org.springframework.web.bind.MethodArgumentNotValidException;
|
||||
@ -867,4 +869,8 @@ public abstract class BaseController {
|
||||
}
|
||||
}
|
||||
|
||||
protected <T> ResponseEntity<T> response(HttpStatus status) {
|
||||
return ResponseEntity.status(status).build();
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@ -290,7 +290,7 @@ public class ImageController extends BaseController {
|
||||
if (StringUtils.isNotEmpty(etag)) {
|
||||
etag = StringUtils.remove(etag, '\"'); // etag is wrapped in double quotes due to HTTP specification
|
||||
if (etag.equals(tbImageService.getETag(cacheKey))) {
|
||||
return ResponseEntity.status(HttpStatus.NOT_MODIFIED).build();
|
||||
return response(HttpStatus.NOT_MODIFIED);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@ -183,8 +183,7 @@ public class MobileApplicationController extends BaseController {
|
||||
.header("Location", appStoreLink)
|
||||
.build();
|
||||
} else {
|
||||
return ResponseEntity.status(HttpStatus.NOT_FOUND)
|
||||
.build();
|
||||
return response(HttpStatus.NOT_FOUND);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@ -193,7 +193,7 @@ public class AuthControllerTest extends AbstractControllerTest {
|
||||
userCredentialsDao.save(tenantId, userCredentials);
|
||||
|
||||
doGet("/api/noauth/resetPassword?resetToken={resetToken}", this.currentResetPasswordToken)
|
||||
.andExpect(status().isConflict());
|
||||
.andExpect(status().isGone());
|
||||
JsonNode resetPasswordRequest = JacksonUtil.newObjectNode()
|
||||
.put("resetToken", this.currentResetPasswordToken)
|
||||
.put("password", "wefwefe");
|
||||
@ -223,7 +223,7 @@ public class AuthControllerTest extends AbstractControllerTest {
|
||||
userCredentials.setActivateTokenExpTime(System.currentTimeMillis() - 1);
|
||||
userCredentialsDao.save(tenantId, userCredentials);
|
||||
doGet("/api/noauth/activate?activateToken={activateToken}", initialActivationToken)
|
||||
.andExpect(status().isConflict());
|
||||
.andExpect(status().isGone());
|
||||
doPost("/api/noauth/activate", JacksonUtil.newObjectNode()
|
||||
.put("activateToken", initialActivationToken)
|
||||
.put("password", "wefewe")).andExpect(status().isBadRequest())
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user