Commit 6960311f authored by Piotr Gawron's avatar Piotr Gawron

don't allow to use the same token twice

parent 464c832d
......@@ -236,6 +236,7 @@ public class UserService implements IUserService {
}
resetToken.getUser().setCryptedPassword(cryptedPassword);
userDao.update(resetToken.getUser());
resetPasswordTokenDao.delete(resetToken);
}
}
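Review bot: Deleting only `resetToken` after the password is changed invalidates that one token, but any other reset token still outstanding for the same user (for example from a repeated `:requestResetPassword` call) would remain usable afterwards, assuming the DAO can hold several tokens per user. Consider removing every token that belongs to `resetToken.getUser()` at this point rather than just the one that was presented, so a successful reset closes the whole reset window. A one-line comment such as `// a token is single-use: drop it once the password has been changed` would also document the intent the commit message states. The enclosing method starts outside the hunk, so the validation that precedes these lines was not reviewed.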
......@@ -541,6 +541,44 @@ public class UserControllerIntegrationTest extends ControllerIntegrationTest {
createSession(BUILT_IN_TEST_ADMIN_LOGIN, newPassword);
}
@Test
public void resetPasswordUsingTheSameTokenTwice() throws Exception {
configureServerForResetPasswordRequest();
RequestBuilder request = post("/users/" + BUILT_IN_TEST_ADMIN_LOGIN + ":requestResetPassword");
mockMvc.perform(request)
.andExpect(status().is2xxSuccessful());
String newPassword = "pass2";
ResetPasswordToken token = resetPasswordTokenDao.getAll().iterator().next();
String content = EntityUtils.toString(new UrlEncodedFormEntity(Arrays.asList(
new BasicNameValuePair("token", token.getToken()),
new BasicNameValuePair("password", newPassword))));
RequestBuilder resetRequest = post("/users:resetPassword")
.content(content)
.contentType(MediaType.APPLICATION_FORM_URLENCODED);
mockMvc.perform(resetRequest)
.andExpect(status().is2xxSuccessful());
content = EntityUtils.toString(new UrlEncodedFormEntity(Arrays.asList(
new BasicNameValuePair("token", token.getToken()),
new BasicNameValuePair("password", newPassword+"xx"))));
resetRequest = post("/users:resetPassword")
.content(content)
.contentType(MediaType.APPLICATION_FORM_URLENCODED);
mockMvc.perform(resetRequest)
.andExpect(status().is4xxClientError());
createSession(BUILT_IN_TEST_ADMIN_LOGIN, newPassword);
}
@Test
public void resetPasswordWithExpredToken() throws Exception {
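Review bot: The second `mockMvc.perform(resetRequest)` in `resetPasswordUsingTheSameTokenTwice` only asserts `status().is4xxClientError()`, so the test would also pass if the request were rejected for an unrelated reason; asserting directly after the first successful reset that the token is gone, e.g. `assert resetPasswordTokenDao.getAll().isEmpty();` (or the equivalent JUnit assertion the class already uses), pins the single-use behaviour the commit introduces. `ResetPasswordToken token = resetPasswordTokenDao.getAll().iterator().next();` assumes exactly one token exists at that moment, which holds only if the DAO is empty at test start; a short comment stating that assumption would help the next reader. Minor style: `newPassword+"xx"` should read `newPassword + "xx"` to match the spacing used elsewhere in the file.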
......