From 74e563da7fa6886449fd2be5933e2d4ca5c85f48 Mon Sep 17 00:00:00 2001
From: jack <jack.su@pollex.com.tw>
Date: 星期二, 12 九月 2023 11:25:52 +0800
Subject: [PATCH] [UPDATE] 解決弱點Se: Incorrect definition of Serializable class [UPDATE] 解決弱點Information exposure to log file [UPDATE] 解決弱點Use of hard-coded password

---
 pamapi/src/main/java/com/pollex/pam/web/rest/AccountResource.java |   84 +++++++++++++-----------------------------
 1 files changed, 26 insertions(+), 58 deletions(-)

diff --git a/pamapi/src/main/java/com/pollex/pam/web/rest/AccountResource.java b/pamapi/src/main/java/com/pollex/pam/web/rest/AccountResource.java
index fbb1b24..04bda6b 100644
--- a/pamapi/src/main/java/com/pollex/pam/web/rest/AccountResource.java
+++ b/pamapi/src/main/java/com/pollex/pam/web/rest/AccountResource.java
@@ -1,22 +1,23 @@
 package com.pollex.pam.web.rest;
 
-import com.pollex.pam.domain.User;
-import com.pollex.pam.repository.UserRepository;
-import com.pollex.pam.security.SecurityUtils;
-import com.pollex.pam.service.MailService;
-import com.pollex.pam.service.UserService;
-import com.pollex.pam.service.dto.AdminUserDTO;
-import com.pollex.pam.service.dto.PasswordChangeDTO;
-import com.pollex.pam.web.rest.errors.*;
-import com.pollex.pam.web.rest.vm.KeyAndPasswordVM;
-import com.pollex.pam.web.rest.vm.ManagedUserVM;
+import com.pollex.pam.business.domain.User;
+import com.pollex.pam.business.repository.UserRepository;
+import com.pollex.pam.business.security.SecurityUtils;
+import com.pollex.pam.service.CustomerService;
+import com.pollex.pam.business.service.MailService;
+import com.pollex.pam.business.service.UserService;
+import com.pollex.pam.business.service.dto.AdminUserDTO;
+import com.pollex.pam.business.service.dto.PasswordChangeDTO;
+import com.pollex.pam.business.web.errors.*;
+import com.pollex.pam.business.web.vm.KeyAndPasswordVM;
+import com.pollex.pam.business.web.vm.ManagedUserVM;
 import java.util.*;
 import javax.servlet.http.HttpServletRequest;
 import javax.validation.Valid;
 import org.apache.commons.lang3.StringUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-import org.springframework.http.HttpStatus;
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.web.bind.annotation.*;
 
 /**
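Review bot: The new `import com.pollex.pam.service.CustomerService;` is placed between the `business.security` and `business.service` imports, which breaks the alphabetical ordering the rest of the block keeps; moving it after the last `com.pollex.pam.business.*` line keeps the group sorted. With `registerAccount` deleted and `isAuthenticated` commented out in the later hunks, `ManagedUserVM` and `javax.servlet.http.HttpServletRequest` may now be unused in this file; that cannot be confirmed from the hunk, so check the remainder of the file and drop them if nothing else references them.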
@@ -41,28 +42,13 @@
 
     private final MailService mailService;
 
+    @Autowired
+    CustomerService customerService;
+
     public AccountResource(UserRepository userRepository, UserService userService, MailService mailService) {
         this.userRepository = userRepository;
         this.userService = userService;
         this.mailService = mailService;
-    }
-
-    /**
-     * {@code POST  /register} : register the user.
-     *
-     * @param managedUserVM the managed user View Model.
-     * @throws InvalidPasswordException {@code 400 (Bad Request)} if the password is incorrect.
-     * @throws EmailAlreadyUsedException {@code 400 (Bad Request)} if the email is already used.
-     * @throws LoginAlreadyUsedException {@code 400 (Bad Request)} if the login is already used.
-     */
-    @PostMapping("/register")
-    @ResponseStatus(HttpStatus.CREATED)
-    public void registerAccount(@Valid @RequestBody ManagedUserVM managedUserVM) {
-        if (isPasswordLengthInvalid(managedUserVM.getPassword())) {
-            throw new InvalidPasswordException();
-        }
-        User user = userService.registerUser(managedUserVM, managedUserVM.getPassword());
-        mailService.sendActivationEmail(user);
     }
 
     /**
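Review bot: `customerService` is added as a package-private, non-final field filled by `@Autowired`, while the three dependencies directly above it are `private final` and constructor-injected; the mixed style leaves this one field mutable and makes the class harder to construct in tests. Declare it `private final CustomerService customerService;`, add `CustomerService customerService` as a fourth constructor parameter and assign `this.customerService = customerService;` alongside the others. Nothing in this hunk uses the field; if the rest of the file does not either, it should not be added at all. The constructor is complete here, but the class continues outside the hunk.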
@@ -79,17 +65,17 @@
         }
     }
 
-    /**
-     * {@code GET  /authenticate} : check if the user is authenticated, and return its login.
-     *
-     * @param request the HTTP request.
-     * @return the login if the user is authenticated.
-     */
-    @GetMapping("/authenticate")
-    public String isAuthenticated(HttpServletRequest request) {
-        log.debug("REST request to check if the current user is authenticated");
-        return request.getRemoteUser();
-    }
+//    /**
+//     * {@code GET  /authenticate} : check if the user is authenticated, and return its login.
+//     *
+//     * @param request the HTTP request.
+//     * @return the login if the user is authenticated.
+//     */
+//    @GetMapping("/authenticate")
+//    public String isAuthenticated(HttpServletRequest request) {
+//        log.debug("REST request to check if the current user is authenticated");
+//        return request.getRemoteUser();
+//    }
 
     /**
      * {@code GET  /account} : get the current user.
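Review bot: `isAuthenticated` is commented out rather than removed (`//    @GetMapping("/authenticate")` and the ten lines around it); the old code is preserved by version control regardless, and a dormant handler left in comments is easy to re-enable later without the review that removed it. Delete the block outright. If the intent is to signal that the endpoint is gone on purpose, a single comment such as `// GET /authenticate was removed; GET /account returns the current user` carries that without keeping the code.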
@@ -134,12 +120,6 @@
         );
     }
 
-    /**
-     * {@code POST  /account/change-password} : changes the current user's password.
-     *
-     * @param passwordChangeDto current and new password.
-     * @throws InvalidPasswordException {@code 400 (Bad Request)} if the new password is incorrect.
-     */
     @PostMapping(path = "/account/change-password")
     public void changePassword(@RequestBody PasswordChangeDTO passwordChangeDto) {
         if (isPasswordLengthInvalid(passwordChangeDto.getNewPassword())) {
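Review bot: The Javadoc on `changePassword` is deleted with nothing in its place, so the `@throws InvalidPasswordException {@code 400 (Bad Request)}` contract that the `isPasswordLengthInvalid` check on the following line still enforces is now undocumented; the same removal is made on `requestPasswordReset` and `finishPasswordReset` in the next two hunks. Removing comments changes neither what is logged nor what the response carries, so it does not by itself address any of the three findings named in the subject. Restore the three Javadoc blocks, or at minimum a one-line summary per endpoint plus the `@throws` lines that describe the 400 responses. The body of `changePassword` continues past the end of this hunk.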
@@ -148,11 +128,6 @@
         userService.changePassword(passwordChangeDto.getCurrentPassword(), passwordChangeDto.getNewPassword());
     }
 
-    /**
-     * {@code POST   /account/reset-password/init} : Send an email to reset the password of the user.
-     *
-     * @param mail the mail of the user.
-     */
     @PostMapping(path = "/account/reset-password/init")
     public void requestPasswordReset(@RequestBody String mail) {
         Optional<User> user = userService.requestPasswordReset(mail);
@@ -165,13 +140,6 @@
         }
     }
 
-    /**
-     * {@code POST   /account/reset-password/finish} : Finish to reset the password of the user.
-     *
-     * @param keyAndPassword the generated key and the new password.
-     * @throws InvalidPasswordException {@code 400 (Bad Request)} if the password is incorrect.
-     * @throws RuntimeException {@code 500 (Internal Server Error)} if the password could not be reset.
-     */
     @PostMapping(path = "/account/reset-password/finish")
     public void finishPasswordReset(@RequestBody KeyAndPasswordVM keyAndPassword) {
         if (isPasswordLengthInvalid(keyAndPassword.getNewPassword())) {

--
Gitblit v1.8.0