Fixed password resetting for local users

Change-Id: I01192aa367d3156dcc17c8b2b3f263f14291861d

Fixed password resetting for local users
d7567dc0 · William Enright · 4469bb0a · d7567dc0 · d7567dc0 · d7567dc0
Commit d7567dc0 authored 4 years ago by William Enright
--- a/datastore/src/main/java/net/jami/datastore/dao/UserDao.java
+++ b/datastore/src/main/java/net/jami/datastore/dao/UserDao.java
@@ -89,6 +89,10 @@ public class UserDao extends AbstractDao<User> {
        String pw = update.getStatements().get(0).getValue();
        String user = update.getStatements().get(1).getValue();
+        String needsPasswordReset = "";
+        if (update.getStatements().size() >= 3 && update.getStatements().get(2) != null)
+            needsPasswordReset = update.getStatements().get(2).getValue();
        SQLConnection connection = DataStore.connectionPool.getConnection();
        try{
@@ -98,7 +102,11 @@ public class UserDao extends AbstractDao<User> {
            ps.executeUpdate();
            ps = connection.getConnection().prepareStatement("UPDATE users SET needsPasswordReset = ? WHERE username = ?");
+            if (!needsPasswordReset.isEmpty())
+                ps.setString(1, needsPasswordReset);
+            else
                ps.setString(1, "false");
            ps.setString(2, user);
            return ps.executeUpdate() != 0;
        }

--- a/jams-common/src/main/java/net/jami/jams/common/utils/PasswordGenerator.java
+++ b/jams-common/src/main/java/net/jami/jams/common/utils/PasswordGenerator.java
@@ -23,18 +23,13 @@
 package net.jami.jams.common.utils;
 import java.security.SecureRandom;
+import java.util.stream.Collectors;
 public class PasswordGenerator {
    //Assume all passwords are 12 chars long.
-    public static char[] generatePassword(){
+    public static String generatePassword(){
-        char[] password = new char[12];
-        SecureRandom sc = new SecureRandom();
+        return new SecureRandom().ints(12, 48, 58).mapToObj(i -> String.valueOf((char)i)).collect(Collectors.joining());
-        for(int i=0;i<password.length;i++){
-            int x = sc.nextInt(121);
-            while(x <= 52)  x = sc.nextInt(121);
-            password[i] = (char) x;
-        }
-        return password;
    }
 }
--- a/jams-common/src/test/java/net/jami/jams/common/utils/PasswordGeneratorTest.java
+++ b/jams-common/src/test/java/net/jami/jams/common/utils/PasswordGeneratorTest.java
@@ -28,7 +28,7 @@ class PasswordGeneratorTest {
    @Test
    void testPasswordGeneration() {
-        char[] res = PasswordGenerator.generatePassword();
+        String res = PasswordGenerator.generatePassword();
        System.out.println(res);
    }
 }
\ No newline at end of file
--- a/jams-server/src/main/java/net/jami/jams/server/servlets/api/admin/users/UserServlet.java
+++ b/jams-server/src/main/java/net/jami/jams/server/servlets/api/admin/users/UserServlet.java
@@ -37,6 +37,7 @@ import net.jami.jams.common.objects.requests.CreateAuthSourceRequest;
 import net.jami.jams.common.objects.responses.DeviceRevocationResponse;
 import net.jami.jams.common.objects.user.User;
 import net.jami.jams.common.objects.user.UserProfile;
+import net.jami.jams.common.utils.PasswordGenerator;
 import net.jami.jams.server.core.workflows.RevokeUserFlow;
 import java.io.IOException;
@@ -66,12 +67,11 @@ public class UserServlet extends HttpServlet {
        User user = new User();
        user.setUsername(req.getParameter("username"));
        user.setNeedsPasswordReset(true);
-        String pw = new SecureRandom().ints(12, 48, 58).mapToObj(i -> String.valueOf((char)i)).collect(Collectors.joining());
+        String pw = PasswordGenerator.generatePassword();
        user.setPassword(pw);
        user.setRealm("LOCAL");
        user.setUserType(AuthenticationSourceType.LOCAL);
        if(userAuthenticationModule.createUser(user.getUserType(),user.getRealm(),nameServer,user)){
-            // resp.getOutputStream().write(JsonStream.serialize(user).getBytes());
            HashMap<String,String> statusInfo = new HashMap<>();
            statusInfo.put("password", pw);
            resp.getOutputStream().write(JsonStream.serialize(statusInfo).getBytes());

--- a/jams-server/src/main/java/net/jami/jams/server/servlets/api/auth/user/UserServlet.java
+++ b/jams-server/src/main/java/net/jami/jams/server/servlets/api/auth/user/UserServlet.java
@@ -34,6 +34,7 @@ import net.jami.jams.common.dao.StatementElement;
 import net.jami.jams.common.dao.StatementList;
 import net.jami.jams.common.objects.user.AccessLevel;
 import net.jami.jams.common.objects.user.User;
+import net.jami.jams.common.utils.PasswordGenerator;
 import java.io.IOException;
@@ -71,13 +72,28 @@ public class UserServlet extends HttpServlet {
     */
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
-        String username = req.getAttribute("username").toString();
        StatementList select = new StatementList();
-        StatementElement st = new StatementElement("username","=",username,"");
+        StatementElement st = new StatementElement("username","=",req.getParameter("username"),"");
        select.addStatement(st);
        User user = dataStore.getUserDao().getObjects(select).get(0);
-        user.setRevoked(certificateAuthority.getLatestCRL().get().getRevokedCertificate(user.getCertificate().getSerialNumber()) != null);
+        String password = user.getPassword();
-        resp.getOutputStream().write(JsonStream.serialize(user).getBytes());
+        if (!user.getNeedsPasswordReset()) {
+            password = PasswordGenerator.generatePassword();
+            StatementList update = new StatementList();
+            StatementElement st0 = new StatementElement("password","=",password,"");
+            update.addStatement(st0);
+            StatementList constraint = new StatementList();
+            StatementElement st1 = new StatementElement("username","=",req.getParameter("username"),"");
+            update.addStatement(st1);
+            StatementElement st2 = new StatementElement("needsPasswordReset","=","true","");
+            update.addStatement(st2);
+            // refresh variable
+            user = dataStore.getUserDao().getObjects(select).get(0);
+            dataStore.getUserDao().updateObject(update,constraint);
+        }
+        resp.setHeader("needspasswordreset", (user.getNeedsPasswordReset()).toString());
+        resp.setHeader("password", password);
    }
    //The user can update 3 fields: password,privatekey,publickey

--- a/jams-server/src/main/resources/webapp/js/api.js
+++ b/jams-server/src/main/resources/webapp/js/api.js
@@ -19,7 +19,6 @@
 */
 var admin_account = false;
-var isAdmin = false;
 var isSearch = false;
 var uri = '';
 var current_uri = window.location.href;
@@ -47,14 +46,11 @@ var api_path_get_directories = '/api/auth/directories';
 var api_path_get_needs_update = '/api/admin/update';
 var api_path_get_start_update = '/api/admin/update';
 var api_path_post_create_user = '/api/admin/user';
-var api_path_put_update_user = '/api/auth/user';
+var api_path_post_update_user = '/api/auth/user';
-var api_path_put_admin_update_user = '/api/admin/user';
 var api_path_get_exists_user = '/api/admin/user';
 var api_path_get_user_directory_search ='/api/auth/directory/search';
-var api_path_get_user_needs_reset ='/api/user/needsreset';
 var api_path_post_create_user_profile = '/api/admin/directory/entry';
 function ajaxApiCall(api_path, request_type, data, credentials, callBackFunction, async) {
    // build AJAX call
    var ajax = {
@@ -87,8 +83,7 @@ function ajaxApiCall(api_path, request_type, data, credentials, callBackFunction
    // pass data in the header
    if (data) {
        if (api_path == api_path_get_user_directory_search || api_path == api_path_get_auth_user_search ||
-            api_path == api_path_get_user_needs_reset || (api_path == api_path_post_create_user && request_type == 'POST') ||
+           (api_path == api_path_post_create_user && request_type == 'POST') || api_path == api_path_post_update_user)
-            api_path == api_path_put_update_user)
            isSearch = true;
        // search dataType

--- a/jams-server/src/main/resources/webapp/js/new-password.js
+++ b/jams-server/src/main/resources/webapp/js/new-password.js
@@ -52,7 +52,7 @@ document.getElementById("changePasswordButton").addEventListener('click', functi
    else if (inputPassword == inputConfirmPassword) {
        $('#message').html('Password Match: Welcome to Jams').css('color', '#28a745');
        if (credentials["username"] && credentials["password"] && credentials["oldPassword"]) {
-            ajaxApiCall(api_path_put_update_user, "POST", credentials, null, updateLocalAccountPasswordCallBackHandler);
+            ajaxApiCall(api_path_post_update_user, "POST", credentials, null, updateLocalAccountPasswordCallBackHandler);
        }
    }
 });

--- a/jams-server/src/main/resources/webapp/js/search.js
+++ b/jams-server/src/main/resources/webapp/js/search.js
@@ -214,7 +214,7 @@ function addListenersForActions() {
            }
            // send post request
-            ajaxApiCall(api_path_put_update_user, 'POST', data, null, handleUserUpdate);
+            ajaxApiCall(api_path_post_update_user, 'POST', data, null, handleUserUpdate);
        });
    });

--- a/jams-server/src/main/resources/webapp/js/user.js
+++ b/jams-server/src/main/resources/webapp/js/user.js
@@ -82,7 +82,7 @@ $(document).ready(function() {
                    'extension': $('#input-extension-update').val(),
                    'mobile': $('#input-mobile-update').val()
                }
-                ajaxApiCall(api_path_put_update_user, 'POST', data, null, handleUserUpdate);
+                ajaxApiCall(api_path_post_update_user, 'POST', data, null, handleUserUpdate);
            });
        });
@@ -98,7 +98,7 @@ $(document).ready(function() {
        });
        $( '.user-information' ).on( 'click', '.reset-password', function (e) {
-            ajaxApiCall(api_path_get_user_needs_reset, 'GET', searchData, null, handleNewOTP);
+            ajaxApiCall(api_path_post_update_user, 'GET', userData, null, handleNewOTP);
        });
        // change device name
@@ -399,7 +399,7 @@ function handleUserUpdate(){
    setTimeout(function() {
        ajaxApiCall(api_path_get_user_directory_search, 'GET', searchData, null, setUserInfoDataSource);
        ajaxApiCall(api_path_get_user_directory_search, 'GET', searchData, null, setUserExtendedData);
-    }, 500);
+    }, 700);
 }
 function handleFileSelect(evt) {
@@ -474,19 +474,18 @@ function ishsqlConfig(data, statusCode, jqXHR){
    }
 }
-function handleNewOTP(data, statusCode, jqXHR) {
+function handleNewOTP(data) {
-    if (jqXHR.status == 200) {
+    if (data.status == 200) {
-        if (data.needsReset == "false") {
+        if (data.getResponseHeader('needspasswordreset') == "false") {
            $('#otpModalCenter').modal('show');
-            $('#user-pw-modal-body').text("User password reset. Here is the new one time password: " + data.newPW);
+            $('#user-pw-modal-body').text("User password reset. Here is the new one time password: " + data.getResponseHeader('password'));
-        } else {
+        } else if (data.getResponseHeader('needspasswordreset') == "true") {
            // show modal
            $('#otpModalCenter').modal('show');
-            $('#user-pw-modal-body').text("User has not changed his temporary password. Current password: " + data.otp);
+            $('#user-pw-modal-body').text("User has not changed his temporary password. Current password: " + data.getResponseHeader('password'));
        }
    }
 }