From 178ec13dff2074308b40d901d2bc881feab09322 Mon Sep 17 00:00:00 2001
From: "thomas.dang"
Date: Fri, 27 Oct 2023 14:10:54 +0700
Subject: [PATCH] fix(auth): Correct security authentication logic

- Fixed the security authentication logic to allow access when the user is either enabled or not disabled.
- Updated the conditional statement from logical AND (&&) to logical OR (||).

Closes #18

This commit addresses a security issue by ensuring that user access is granted if the user is enabled or not currently disabled, and it closes issue #18.
---
 .../service/AuthenticationProviderService.java | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/shopping-cart-backend/src/main/java/fptu/swp391/shoppingcart/user/authentication/service/AuthenticationProviderService.java b/shopping-cart-backend/src/main/java/fptu/swp391/shoppingcart/user/authentication/service/AuthenticationProviderService.java
index 1911751..7536bd2 100644
--- a/shopping-cart-backend/src/main/java/fptu/swp391/shoppingcart/user/authentication/service/AuthenticationProviderService.java
+++ b/shopping-cart-backend/src/main/java/fptu/swp391/shoppingcart/user/authentication/service/AuthenticationProviderService.java
@@ -1,7 +1,6 @@
 package fptu.swp391.shoppingcart.user.authentication.service;
 
 import fptu.swp391.shoppingcart.user.authentication.model.CustomUserDetails;
-import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.authentication.AuthenticationProvider;
 import org.springframework.security.authentication.BadCredentialsException;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
@@ -14,11 +13,14 @@
 @Service
 public class AuthenticationProviderService implements AuthenticationProvider {
 
-    @Autowired
-    private JpaUserDetailsService userDetailsService;
+    private final JpaUserDetailsService userDetailsService;
 
-    @Autowired
-    private BCryptPasswordEncoder bCryptPasswordEncoder;
+    private final BCryptPasswordEncoder bCryptPasswordEncoder;
+
+    public AuthenticationProviderService(JpaUserDetailsService userDetailsService, BCryptPasswordEncoder bCryptPasswordEncoder) {
+        this.userDetailsService = userDetailsService;
+        this.bCryptPasswordEncoder = bCryptPasswordEncoder;
+    }
 
     @Override
     public Authentication authenticate(Authentication authentication) throws AuthenticationException {
@@ -27,9 +29,9 @@ public Authentication authenticate(Authentication authentication) throws Authent
 
         CustomUserDetails userDetails = userDetailsService.loadUserByUsername(username);
 
-        if (!userDetails.getUser().isEnabled() && (userDetails.getUser().getDisabledUntil().isAfter(LocalDateTime.now()))){
-            throw new BadCredentialsException("Account is disabled, please try again later until "
-                    + userDetails.getUser().getDisabledUntil());
+        if (!userDetails.getUser().isEnabled() || (userDetails.getUser().getDisabledUntil().isAfter(LocalDateTime.now()))) {
+            throw new BadCredentialsException("Account is disabled, please try again later until "
+                    + userDetails.getUser().getDisabledUntil());
         }
         if (bCryptPasswordEncoder.matches(password, userDetails.getPassword())) {
             return new UsernamePasswordAuthenticationToken(userDetails.getUsername(), userDetails.getPassword(), userDetails.getAuthorities());
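Review bot: The constructor added here takes `BCryptPasswordEncoder` as a concrete type, which pins `AuthenticationProviderService` to one hash algorithm even though the only call made on it in this file is `matches`, which the `PasswordEncoder` interface declares. Declaring `private final PasswordEncoder bCryptPasswordEncoder;` and the matching constructor parameter would let whatever encoder the security configuration provides (for instance a `DelegatingPasswordEncoder` during a hash migration) be injected without touching this class; `PasswordEncoder` lives in `org.springframework.security.crypto.password` and would need importing. The field could then lose its algorithm prefix, but that rename is optional.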
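Review bot: With `||`, the right-hand `getDisabledUntil().isAfter(...)` now executes for every enabled user, whereas the old `&&` only reached it for accounts already marked not enabled; if `disabledUntil` is null for accounts that were never temporarily disabled (not visible here, so worth confirming against the entity), every normal login now fails with a NullPointerException, and the comparison needs a `disabledUntil != null &&` guard. The status check also runs before the password is verified and echoes `getDisabledUntil()` in the exception message, so anyone holding only a username learns whether and until when that account is locked; verifying the password first and throwing `DisabledException`/`LockedException` (from `org.springframework.security.authentication`) with a fixed message closes that oracle, as sketched below. The commit message describes the rule as granting access when the user is "enabled or not disabled", while the code rejects when either condition holds, so one of the two should be reworded. `authenticate` continues past the hunk, and the non-matching-password branch that follows it becomes unreachable under this reordering.
```java
        // … unchanged: username/password extraction and loadUserByUsername …
        // Verify the credential before revealing anything about account status, so a
        // username alone cannot be used to probe whether or until when an account is locked.
        if (!bCryptPasswordEncoder.matches(password, userDetails.getPassword())) {
            throw new BadCredentialsException("Bad credentials");
        }
        if (!userDetails.getUser().isEnabled()) {
            throw new DisabledException("Account is disabled");
        }
        LocalDateTime disabledUntil = userDetails.getUser().getDisabledUntil();
        // NOTE(review): assumes null means "never temporarily disabled" — confirm against the User entity
        if (disabledUntil != null && disabledUntil.isAfter(LocalDateTime.now())) {
            throw new LockedException("Account is temporarily locked");
        }
        return new UsernamePasswordAuthenticationToken(userDetails.getUsername(), userDetails.getPassword(), userDetails.getAuthorities());
```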