ohadr / authentication-flows Goto Github PK

add classes for GAE repo, and Mail Sender to auth-flows. so GAE-apps can use auth-flows package without implementing their own implementations for the above classes.

if the link that the user got to his email was changed, an exception is shown on the browser:

HTTP Status 500 - Request processing failed; nested exception is com.ohadr.crypto.exception.CryptoException: Failed to decrypt URL content adEQ3R5utnfWr2kugM2xQ29u.rm448.ujJZtIspKvbJ

MySQL works fine, but GAE' datastore does not. so the framework should support all cases and take care of this issue - convert all usernames to lowercase

description: 2 users, A@A and a@a should not be allowed.

the target HTML should be a param. currently it is hard ocded to
LOGIN_FORMS_DIR +"/" + "AccountActivated.htm"

when i wanna run in REST mode, i want the HTML page to be in a different dir (with the controller) so i need it to be parameterized.
'AuthenticationFailureHandler' is doing similar thing - with a param (defaultTargetUrl)

related to support Google AppEngine ! #26

restoreEndpoint calls directly the repo object. support the layers model, and let the RestoreEP call the FlowsProcessor (that will be held in the CommonEndpoint) that will delegate the call to the repo.

similar to #43

see here : http://stackoverflow.com/questions/512266/java-multiply-operation-behavior

after reverting #44

2 cases: (1) after successful login, when password has expired.
(2) a link "change password" was clicked in the 'hosting' application.

common-crypto does not work on GAE. because class DefaultCryptoProvider tries to store the key-store, and GAE does not allow that, jar fails to load.

trying to work with 'MockAuthenticationPolicyRepositoryImpl' - the is a mixture in the order of the fileds, so values are incorrect. e.g. 'password needs at least 30 characters'

the secured resource: instead of print "Hello, world" to the browser in /secured/test, show a page with logout/change-password.

lower grade is better.

related to #35 .
the login-fail-handler is good for REST as well, since if no "redirect-uri" is defined, the parent class (SimpleUrlAuthenticationFailureHandler) does not redirect, but sends 401 instead.
However, if account is locked, i have a special treatment here, that DOES redirect. and this is a bug . So there is a need in a flag that indicates whether this is REST call, and if it is, when account is locked, instead of redirection it will return 423 (LOCKED).

/setNewPassword
java.util.NoSuchElementException: No entity was found matching the key: User("[email protected]")
at com.ohadr.dictionary.gae.GAEAuthenticationAccountRepositoryImpl.changePassword(GAEAuthenticationAccountRepositoryImpl.java:200)
at com.ohadr.auth_flows.core.AuthenticationFlowsProcessorImpl.setPassword(AuthenticationFlowsProcessorImpl.java:270)
at com.ohadr.auth_flows.web.UserActionController.setNewPassword(UserActionController.java:431)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

JdbcAuthenticationAccountRepositoryImpl.loadUserByUsername(): be Spring-compatible, and use UsernameNotFoundException, and never return null.
need to change also AbstractAuthenticationAccountRepository, to catch this exception.

currently, i do only authentication, without any authorization. fix that!

NOTE and TODO: if i implement this method correctly, then when creds expired the login will fail (bcoz Spring calls this method and then throws CredsExpiredEception). in my flows (not sure it is the right thing), the login is successful and in the successHandler I check if password has expired.

CreateAccountEndpoint.java should be moved from package 'web' to 'endpoints'

for example, when calling "createAccount", a RESTful does not redirect to another page. Redirecting is MVC behavior; but there are clients (AngularJS) that perform their own MVC architecture, so the auth-flows should support that hence identify REST calls (different URL?) and not redirect, but only return value.

allow applications to overload the behavior of endpoint . for example: "create account". there is an app that allows only account from domain "nice.com". let this app overload the functionality.

AuthenticationPolicy.getAuthenticationPolicy() - 'passwordLifeInDays' was 0 (in 1.5.0-RELEASE).

"Password was set successfully to user email" instead of the username.

related to : OhadR/oAuth2-sample#2

set new password flow: UAC should return View, and redirect, and not setting response on the HttpResponse Writer.
same as for other flows in UAC.

AuthenticationFlowsException.java should be mvoed from 'web' to 'core'

the content of email (account created, forgot password, etc) - read from file, and let it be configurabile, so apps can have their own text.

in AuthenticationSuccessHandler, there is a wrong redirect.

before uploading to Repository

in GAEAuthenticationAccountRepositoryImpl.java
the methods throws this exception; TODO: make sure that the callers catch this exception

/forgotPasswordPage
java.lang.IllegalArgumentException: name cannot be null or empty