Resetting password access denied

Hello, I'm trying to fix that a user can reset their password by hitting this endpoint /api/reset-password/password. Currently I'm getting access denied, but I don't want the users to be authed to use this endpoint. I'm gonna share a few code snippets; if you guys can help me find the issue I would really appreciate it, since I've been on this all day.
PasswordResetController
@RestController
@RequestMapping("/api/reset-password")
public class PasswordResetController {

    @Autowired
    private PasswordResetService passwordResetService;

    @Autowired
    private UserService userService;

    @PostMapping("/password")
    public ResponseEntity<?> requestResetPassword(@RequestParam String email) {
        User user = userService.findByEmail(email)
                .orElseThrow(() -> new UsernameNotFoundException("User not found with email: " + email));

        // Create and send password reset token via email
        passwordResetService.createPasswordResetToken(user);

        return ResponseEntity.ok().build();
    }
}
PasswordResetService
public class PasswordResetService {

    @Autowired
    private TokenRepository tokenRepository;

    @Transactional
    public Token createPasswordResetToken(User user) {
        invalidateExistingTokens(user);

        String tokenValue = UUID.randomUUID().toString();
        Token passwordResetToken = Token.builder()
                .token(tokenValue)
                .tokenType(TokenType.PASSWORD_RESET)
                .user(user)
                .expiryDate(calculateExpiryDate())
                .expired(false)
                .revoked(false)
                .build();

        return tokenRepository.save(passwordResetToken);
    }

    private void invalidateExistingTokens(User user) {
        tokenRepository.findByUserAndTokenType(user, TokenType.PASSWORD_RESET)
                .ifPresent(token -> {
                    token.setExpired(true);
                    tokenRepository.save(token);
                });
    }

    private Date calculateExpiryDate() {
        long ONE_HOUR_IN_MILLIS = 1000 * 60 * 60;
        return new Date(System.currentTimeMillis() + ONE_HOUR_IN_MILLIS);
    }
}
SecurityConfiguration
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
    http
            .csrf()
            .disable()
            .authorizeHttpRequests()
            .requestMatchers("/api/v1/auth/**")
            .permitAll()
            .anyRequest()
            .authenticated()
            .and()
            .sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authenticationProvider(authenticationProvider)
            .addFilterBefore(jwtAuthFilter, UsernamePasswordAuthenticationFilter.class)
            .logout()
            .logoutUrl("/api/v1/auth/logout")
            .addLogoutHandler(logoutHandler)
            .logoutSuccessHandler((request, response, authentication) -> SecurityContextHolder.clearContext()
            );
    return http.build();
}
6 Replies
JavaBot
JavaBot•8mo ago
⌛ This post has been reserved for your question.
Hey @Itsurran! Please use /close or the Close Post button above when your problem is solved. Please remember to follow the help guidelines. This post will be automatically closed after 300 minutes of inactivity.
TIP: Narrow down your issue to simple and precise questions to maximize the chance that others will reply in here.
💤 Post marked as dormant
This post has been inactive for over 300 minutes, thus, it has been archived. If your question was not answered yet, feel free to re-open this post or create a new one. In case your post is not getting any attention, you can try to use /help ping. Warning: abusing this will result in moderative actions taken against you.
Tomasm21
Tomasm21•8mo ago
If you don't want to be "authed" and try to reset password while not "authed" then I think your Spring Security doesn't allow you to access the /api/reset-password/password endpoint and thus your access is denied. I guess you get 401-Unauthorized. In such a case permit access for that endpoint for all:
//....
.requestMatchers("/api/reset-password/password").permitAll()
//....
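The fix Tomasm21 describes, as an added example rather than code from the thread: the same filter chain written in Spring Security's lambda DSL, with a permitAll rule scoped to POST on the reset endpoint so only the verb the controller actually serves is opened. It assumes the jwtAuthFilter (taken here to extend OncePerRequestFilter), authenticationProvider and logoutHandler beans from the poster's configuration and lets Spring inject them as parameters of the @Bean method.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.authentication.logout.LogoutHandler;
import org.springframework.web.filter.OncePerRequestFilter;

@Configuration
public class SecurityConfiguration {

    // Assumed: the poster's jwtAuthFilter, authenticationProvider and logoutHandler
    // beans exist; Spring injects them by type as parameters of this @Bean method.
    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http,
            OncePerRequestFilter jwtAuthFilter,
            AuthenticationProvider authenticationProvider,
            LogoutHandler logoutHandler) throws Exception {
        http
            .csrf(csrf -> csrf.disable())
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/api/v1/auth/**").permitAll()
                // The unauthenticated reset request: open only POST on this exact path,
                // not the whole /api/reset-password/** prefix.
                .requestMatchers(HttpMethod.POST, "/api/reset-password/password").permitAll()
                // Everything else still requires a valid JWT.
                .anyRequest().authenticated())
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authenticationProvider(authenticationProvider)
            .addFilterBefore(jwtAuthFilter, UsernamePasswordAuthenticationFilter.class)
            .logout(logout -> logout
                .logoutUrl("/api/v1/auth/logout")
                .addLogoutHandler(logoutHandler)
                .logoutSuccessHandler((req, res, authn) -> SecurityContextHolder.clearContext()));
        return http.build();
    }
}
```

The 403 (rather than 401) the poster sees is what a chain with no httpBasic() or formLogin() produces for an unauthenticated request, because its default entry point is Http403ForbiddenEntryPoint; separately, once the endpoint is public, the controller's orElseThrow for an unknown email answers differently for known and unknown addresses, so returning 200 in both cases (ifPresent instead of orElseThrow) keeps the endpoint from confirming which emails have accounts.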
Itsurran
Itsurran (OP)•8mo ago
I'm getting 404 forbidden 403*