PUT endpoint for users now hashes password correctly and generates new salt value

Change-Id: Id41956d500b0d52572ff0e307d73a48e4fb530a7

datastore/src/main/java/net/jami/datastore/dao/UserDao.java

@@ -60,25 +60,30 @@ public class UserDao extends AbstractDao<User> {
     public boolean updateObject(StatementList update, StatementList constraints) {
 
         String pw = update.getStatements().get(0).getValue();
-        String user = constraints.getStatements().get(0).getValue();
-        String pwReset = "false";
+        String salt = "";
+        if (update.getStatements().size() > 1)
+            salt = update.getStatements().get(1).getValue();
 
-        if (update.getStatements().size() > 1) {
-            pwReset = update.getStatements().get(1).getValue();
-        }
+        String user = constraints.getStatements().get(0).getValue();
+//        String pwReset = "false";
+//
+//        if (update.getStatements().size() > 1) {
+//            pwReset = update.getStatements().get(1).getValue();
+//        }
 
         SQLConnection connection = DataStore.connectionPool.getConnection();
 
         try {
-            PreparedStatement ps = connection.getConnection().prepareStatement("UPDATE users SET password = ? WHERE username = ?");
+            PreparedStatement ps = connection.getConnection().prepareStatement("UPDATE users SET password = ?, salt = ? WHERE username = ?");
             ps.setString(1, pw);
-            ps.setString(2, user);
-            ps.executeUpdate();
-
-            ps = connection.getConnection().prepareStatement("UPDATE users SET needsPasswordReset = ? WHERE username = ?");
-            ps.setString(1, pwReset);
-
-            ps.setString(2, user);
+            ps.setString(2, salt);
+            ps.setString(3, user);
+//            ps.executeUpdate();
+//
+//            ps = connection.getConnection().prepareStatement("UPDATE users SET needsPasswordReset = ? WHERE username = ?");
+//            ps.setString(1, pwReset);
+//
+//            ps.setString(2, user);
             return ps.executeUpdate() != 0;
         } catch (Exception e) {
             log.error("An error has occurred while trying to update a user: " + e.toString());

jams-server/src/main/java/net/jami/jams/server/servlets/api/admin/users/UserServlet.java

@@ -119,17 +119,32 @@ public class UserServlet extends HttpServlet {
         final JSONObject obj = new JSONObject(req.getReader().lines().collect(Collectors.joining(System.lineSeparator())));
         String pw = obj.getString("password");
         String username = obj.getString("username");
+
+        StatementList statementList = new StatementList();
+        StatementElement st0 = new StatementElement("username","=",username,"");
+        statementList.addStatement(st0);
+        if (dataStore.getUserDao().getObjects(statementList).isEmpty()) {
+            resp.sendError(404,"User was not found!");
+            return;
+        }
+
+        User user = dataStore.getUserDao().getObjects(statementList).get(0);
+
         //Check if he is AD/LDAP - then return a 403, because we can't set such password.
-        if(dataStore.getUserDao().getObjects(null).get(0).getUserType() != AuthenticationSourceType.LOCAL){
+        if(user.getUserType() != AuthenticationSourceType.LOCAL){
             resp.sendError(500,"The user is not a local user, therefore we cannot change his data!");
             return;
         }
+
+        byte[] salt = PasswordUtil.generateSalt();
         StatementList update = new StatementList();
-        StatementElement st0 = new StatementElement("password","=",PasswordUtil.hashPassword(pw, Base64.decodeBase64(dataStore.getUserDao().getObjects(null).get(0).getSalt())),"");
-        update.addStatement(st0);
+        StatementElement st1 = new StatementElement("password","=",PasswordUtil.hashPassword(pw, salt),"");
+        update.addStatement(st1);
+        StatementElement st2 = new StatementElement("salt","=",Base64.encodeBase64String(salt),"");
+        update.addStatement(st2);
         StatementList constraint = new StatementList();
-        StatementElement st1 = new StatementElement("username","=",username,"");
-        constraint.addStatement(st1);
+        StatementElement st3 = new StatementElement("username","=",username,"");
+        constraint.addStatement(st3);
         if(dataStore.getUserDao().updateObject(update,constraint)) resp.setStatus(200);
         else resp.sendError(500,"could not update the users's data field!");
     }