Merge pull request #98 from PEC-CSS/Expiry-BloatingDb-Bug

Added a check weather forget-password token is of same user requesting, Expiry of token, bloating db bug
PEC-CSS · Nov 4, 2023 · 0e8da19 · 0e8da19
2 parents 1693478 + 2c2d0f4
commit 0e8da19
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 10 deletions.
diff --git a/src/main/java/com/pecacm/backend/repository/VerificationTokenRepository.java b/src/main/java/com/pecacm/backend/repository/VerificationTokenRepository.java
@@ -1,5 +1,6 @@
 package com.pecacm.backend.repository;
 
+import com.pecacm.backend.entities.User;
 import com.pecacm.backend.entities.VerificationToken;
 import org.springframework.data.jpa.repository.JpaRepository;
 import org.springframework.data.jpa.repository.Modifying;
@@ -15,14 +16,9 @@ public interface VerificationTokenRepository extends JpaRepository<VerificationT
     @Query("SELECT v from VerificationToken v WHERE v.user.email = :username ORDER BY v.createdDate DESC LIMIT 1")
     Optional<VerificationToken> findByUsername(String username);
 
-    @Query("SELECT "+
-            "CASE " +
-            "WHEN :tokenId = (SELECT v.token from VerificationToken v ORDER BY v.createdDate DESC LIMIT 1)" +
-            "THEN TRUE " +
-            "ELSE FALSE " +
-            "END as result")
-    Boolean checkVerificationToken(UUID tokenId);
-
     @Modifying
     void deleteByToken(UUID tokenId);
+
+    @Modifying
+    void deleteAllByUser(User user);
 }
diff --git a/src/main/java/com/pecacm/backend/services/UserService.java b/src/main/java/com/pecacm/backend/services/UserService.java
@@ -60,12 +60,18 @@ public void addUser(User user, PasswordEncoder passwordEncoder) {
 
     @Transactional
     public void changePassword(UUID tokenId, String username, String password, PasswordEncoder passwordEncoder) {
-        if (!userRepository.existsByEmail(username)) {
+        Optional<User> user = userRepository.findByEmail(username);
+        if (user.isEmpty()) {
             throw new AcmException("Email provided does not match any of the registered users", HttpStatus.NOT_FOUND);
         }
-        if (!verificationTokenRepository.checkVerificationToken(tokenId)) {
+        Optional<VerificationToken> token = verificationTokenRepository.findById(tokenId);
+        if (token.isEmpty() || token.get().getCreatedDate().isBefore(LocalDateTime.now().minusMinutes(15))){
+            verificationTokenRepository.deleteById(tokenId);
             throw new AcmException("UUID token provided does not match, it might be expired", HttpStatus.NOT_FOUND);
         }
+        if (token.get().getUser() != user.get()){
+            throw new AcmException("UUID token provided does not belong to the user.", HttpStatus.UNAUTHORIZED);
+        }
         if (password.isBlank() || password.isEmpty()) {
             throw new AcmException("password cannot be blank or empty", HttpStatus.BAD_REQUEST);
             // TODO: 22/10/23 add required password checks to stay consistent with frontend checks

diff --git a/src/main/java/com/pecacm/backend/services/VerificationService.java b/src/main/java/com/pecacm/backend/services/VerificationService.java
@@ -19,6 +19,7 @@ public VerificationService(VerificationTokenRepository verificationTokenReposito
 
     @Transactional
     public VerificationToken getVerificationToken(User user) {
+        verificationTokenRepository.deleteAllByUser(user);
         return verificationTokenRepository.save(
                 VerificationToken.builder().user(user).build()
         );