From ca85c1fa9fddc20f3108c7ec9b642545f061d7de Mon Sep 17 00:00:00 2001
From: bgamard
Date: Fri, 26 Aug 2022 18:15:49 +0200
Subject: [PATCH] #647: always return OK on password lost route
---
 .../com/sismics/docs/rest/resource/UserResource.java | 11 +++++++----
 .../java/com/sismics/docs/rest/TestUserResource.java | 12 +++++-------
 2 files changed, 12 insertions(+), 11 deletions(-)
diff --git a/docs-web/src/main/java/com/sismics/docs/rest/resource/UserResource.java b/docs-web/src/main/java/com/sismics/docs/rest/resource/UserResource.java
index 3e36d667..768fb8bd 100644
--- a/docs-web/src/main/java/com/sismics/docs/rest/resource/UserResource.java
+++ b/docs-web/src/main/java/com/sismics/docs/rest/resource/UserResource.java
@@ -1081,11 +1081,16 @@ public class UserResource extends BaseResource {
 // Validate input data
 ValidationUtil.validateStringNotBlank("username", username);
+ // Prepare response
+ Response response = Response.ok().entity(Json.createObjectBuilder()
 .add("status", "ok")
 .build()).build();
+
 // Check for user existence
 UserDao userDao = new UserDao();
 List userDtoList = userDao.findByCriteria(new UserCriteria().setUserName(username), null);
 if (userDtoList.isEmpty()) {
- throw new ClientException("UserNotFound", "User not found: " + username);
+ return response;
 }
 UserDto user = userDtoList.get(0);
@@ -1102,9 +1107,7 @@ public class UserResource extends BaseResource {
 AppContext.getInstance().getMailEventBus().post(passwordLostEvent);
 // Always return OK
- JsonObjectBuilder response = Json.createObjectBuilder()
 .add("status", "ok");
- return Response.ok().entity(response.build()).build();
+ return response;
 }
 /**
diff --git a/docs-web/src/test/java/com/sismics/docs/rest/TestUserResource.java b/docs-web/src/test/java/com/sismics/docs/rest/TestUserResource.java
index 2aeab9fa..14986a7e 100644
--- a/docs-web/src/test/java/com/sismics/docs/rest/TestUserResource.java
+++ b/docs-web/src/test/java/com/sismics/docs/rest/TestUserResource.java
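Review bot: The early `return response;` inside `if (userDtoList.isEmpty())` now gives an unknown username the same body as a known one, but the two paths remain distinguishable by side effects and timing: the known-user path continues between the two hunks and ends by posting a passwordLostEvent to the mail event bus, so its latency will differ, while the unknown-user path is dropped with no server-side trace. Consider recording the miss where it is silently returned, e.g. `log.info("Password lost requested for unknown username: {}", username);` before the `return response;`, if the class has a logger, so repeated probing of usernames stays visible to operators without being echoed to the client. If the method's Javadoc or apidoc above the first hunk still lists a UserNotFound error, it should be removed to match the new contract. The enclosing method begins before the first hunk and its middle lies between the two hunks.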
@@ -439,13 +439,11 @@ public class TestUserResource extends BaseJerseyTest {
 // Create absent_minded who lost his password
 clientUtil.createUser("absent_minded");
- // User no_such_user try to recovery its password: invalid user
- Response response = target().path("/user/password_lost").request()
+ // User no_such_user try to recovery its password: silently do nothing to avoid leaking users
+ JsonObject json = target().path("/user/password_lost").request()
 .post(Entity.form(new Form()
- .param("username", "no_such_user")));
- Assert.assertEquals(Response.Status.BAD_REQUEST, Response.Status.fromStatusCode(response.getStatus()));
- JsonObject json = response.readEntity(JsonObject.class);
- Assert.assertEquals("UserNotFound", json.getString("type"));
+ .param("username", "no_such_user")), JsonObject.class);
+ Assert.assertEquals("ok", json.getString("status"));
 // User absent_minded try to recovery its password: OK
 json = target().path("/user/password_lost").request()
@@ -461,7 +459,7 @@ public class TestUserResource extends BaseJerseyTest {
 String key = keyMatcher.group(1).replaceAll("=", "");
 // User absent_minded resets its password: invalid key
- response = target().path("/user/password_reset").request()
+ Response response = target().path("/user/password_reset").request()
 .post(Entity.form(new Form()
 .param("key", "no_such_key")
 .param("password", "87654321")));
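Review bot: The new assertion `Assert.assertEquals("ok", json.getString("status"));` pins only one field of the unknown-user response; the 200 status is covered implicitly because `.post(..., JsonObject.class)` throws on a non-2xx reply, but the point of the change is that both paths look alike, so keeping the entity from the following absent_minded call and asserting it is equal to the no_such_user entity would state that contract directly. The new comment also carries over the pre-existing wording `try to recovery its password`; `tries to recover its password` reads better. The enclosing test method starts before the hunk.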