token max valid for 15 minutes

cthit · Jun 15, 2024 · 55b4fd6 · 55b4fd6
1 parent c1c151a
commit 55b4fd6
Show file tree

Hide file tree

Showing 7 changed files with 41 additions and 14 deletions.
diff --git a/...in/java/it/chalmers/gamma/adapter/secondary/jpa/user/UserActivationRepositoryAdapter.java b/...in/java/it/chalmers/gamma/adapter/secondary/jpa/user/UserActivationRepositoryAdapter.java
@@ -7,11 +7,14 @@
 import it.chalmers.gamma.app.user.activation.domain.UserActivationToken;
 import it.chalmers.gamma.app.user.domain.Cid;
 import jakarta.transaction.Transactional;
-import java.util.List;
-import java.util.Optional;
 import org.springframework.dao.DataIntegrityViolationException;
 import org.springframework.stereotype.Service;
 
+import java.time.Duration;
+import java.time.Instant;
+import java.util.List;
+import java.util.Optional;
+
 @Service
 public class UserActivationRepositoryAdapter implements UserActivationRepository {
 
@@ -54,9 +57,11 @@ public List<UserActivation> getAll() {
         .toList();
   }
 
+
+
   @Override
-  public boolean doesTokenExist(UserActivationToken token) {
-    return this.userActivationJpaRepository.findByToken(token.value()).isPresent();
+  public boolean isTokenValid(UserActivationToken token) {
+    return this.userActivationJpaRepository.findByToken(token.value()).map(this::isStillValid).orElse(false);
   }
 
   @Override
@@ -68,11 +73,20 @@ public Cid useToken(UserActivationToken token) {
       throw new TokenNotActivatedRuntimeException();
     }
 
+    if (!isStillValid(maybeActivation.get())) {
+      throw new TokenNotActivatedRuntimeException();
+    }
+
     this.userActivationJpaRepository.deleteById(maybeActivation.get().getId());
 
     return new Cid(maybeActivation.get().getId());
   }
 
+  public boolean isStillValid(UserActivationEntity userActivationEntity) {
+    Instant createdAt = userActivationEntity.toDomain().createdAt();
+    return Duration.between(createdAt, Instant.now()).toMinutes() < 15;
+  }
+
   @Override
   public void removeActivation(Cid cid) throws CidNotActivatedException {
     this.userActivationJpaRepository.deleteById(cid.value());

diff --git a/...java/it/chalmers/gamma/adapter/secondary/jpa/user/UserPasswordResetRepositoryAdapter.java b/...java/it/chalmers/gamma/adapter/secondary/jpa/user/UserPasswordResetRepositoryAdapter.java
@@ -6,9 +6,12 @@
 import it.chalmers.gamma.app.user.passwordreset.domain.PasswordResetRepository;
 import it.chalmers.gamma.app.user.passwordreset.domain.PasswordResetToken;
 import jakarta.transaction.Transactional;
-import java.util.Optional;
 import org.springframework.stereotype.Service;
 
+import java.time.Duration;
+import java.time.Instant;
+import java.util.Optional;
+
 @Service("PasswordResetRepository")
 @Transactional
 public class UserPasswordResetRepositoryAdapter implements PasswordResetRepository {
@@ -61,8 +64,8 @@ public PasswordReset createNewToken(Cid cid) throws UserNotFoundException {
   }
 
   @Override
-  public boolean doesTokenExist(PasswordResetToken token) {
-    return this.userPasswordResetJpaRepository.findByToken(token.value()).isPresent();
+  public boolean isTokenValid(PasswordResetToken token) {
+    return this.userPasswordResetJpaRepository.findByToken(token.value()).map(this::isStillValid).orElse(false);
   }
 
   @Override
@@ -75,8 +78,18 @@ public UserId useToken(PasswordResetToken token) {
       throw new TokenNotFoundRuntimeException();
     }
 
+    if (!this.isStillValid(maybeReset.get())) {
+      throw new TokenNotFoundRuntimeException();
+    }
+
     this.userPasswordResetJpaRepository.deleteByToken(token.value());
 
     return new UserId(maybeReset.get().userId);
   }
+
+  public boolean isStillValid(UserPasswordResetEntity userPasswordResetEntity) {
+    Instant createdAt = userPasswordResetEntity.toDomain().createdAt();
+    return Duration.between(createdAt, Instant.now()).toMinutes() < 15;
+  }
+
 }
diff --git a/app/src/main/java/it/chalmers/gamma/app/user/UserCreationFacade.java b/app/src/main/java/it/chalmers/gamma/app/user/UserCreationFacade.java
@@ -132,14 +132,14 @@ public void createUserWithCode(
   private void sendEmail(Cid cid, UserActivationToken userActivationToken) {
     String to = cid.getValue() + "@" + MAIL_POSTFIX;
     String resetUrl = baseUrl + "/register?token=" + userActivationToken.value();
-    String message = "Follow this link to finish up creating your account: " + resetUrl;
+    String message = "Follow this link to finish up creating your account: " + resetUrl + ". \nThe link is valid for 15 minutes.";
     this.mailService.sendMail(to, "Gamma activation url", message);
   }
 
   public boolean isValidToken(String token) {
     this.accessGuard.require(isNotSignedIn());
 
-    return this.userActivationRepository.doesTokenExist(new UserActivationToken(token));
+    return this.userActivationRepository.isTokenValid(new UserActivationToken(token));
   }
 
   public record NewUserByCode(

diff --git a/app/src/main/java/it/chalmers/gamma/app/user/activation/domain/UserActivationRepository.java b/app/src/main/java/it/chalmers/gamma/app/user/activation/domain/UserActivationRepository.java
@@ -9,7 +9,7 @@ public interface UserActivationRepository {
 
   List<UserActivation> getAll();
 
-  boolean doesTokenExist(UserActivationToken token);
+  boolean isTokenValid(UserActivationToken token);
 
   Cid useToken(UserActivationToken token);
 

diff --git a/app/src/main/java/it/chalmers/gamma/app/user/passwordreset/UserResetPasswordFacade.java b/app/src/main/java/it/chalmers/gamma/app/user/passwordreset/UserResetPasswordFacade.java
@@ -94,15 +94,15 @@ private void sendPasswordResetTokenMail(Email email, PasswordResetToken token) {
     String message =
         "A password reset have been requested for this account, if you have not requested "
             + "this mail, feel free to ignore it. \n Click here to reset password: "
-            + resetUrl;
+            + resetUrl + ". \nThe link is valid for 15 minutes.";
 
     this.mailService.sendMail(email.value(), subject, message);
   }
 
   public boolean isValidToken(String token) {
     this.accessGuard.require(isNotSignedIn());
 
-    return this.passwordResetRepository.doesTokenExist(new PasswordResetToken(token));
+    return this.passwordResetRepository.isTokenValid(new PasswordResetToken(token));
   }
 
   // Vague for security reasons

diff --git a/...rc/main/java/it/chalmers/gamma/app/user/passwordreset/domain/PasswordResetRepository.java b/...rc/main/java/it/chalmers/gamma/app/user/passwordreset/domain/PasswordResetRepository.java
@@ -12,7 +12,7 @@ record PasswordReset(PasswordResetToken token, Email email) {}
 
   PasswordReset createNewToken(Cid cid) throws UserNotFoundException;
 
-  boolean doesTokenExist(PasswordResetToken token);
+  boolean isTokenValid(PasswordResetToken token);
 
   UserId useToken(PasswordResetToken token);
 

diff --git a/app/src/main/resources/templates/register-account/email-sent.html b/app/src/main/resources/templates/register-account/email-sent.html
@@ -6,7 +6,7 @@
         </header>
         <p>
             If you have not received an email within a few minutes, you may have entered the wrong cid.
-            If you're sure that you have written the correct cid, and you still haven't received an email please contact digIT at digit@chalmers.it.
+            If you're sure that you have written the correct cid, and you still haven't received an email please contact ita@chalmers.it.
             Make sure to check your spam folder as well.
         </p>
         <footer>