Make sure we check password before continue

KangDroid · KangDroid · commit a97a396586d8 · 2021-06-20T16:15:18.000+09:00
diff --git a/src/main/kotlin/com/mptsix/todaydiary/data/request/PasswordChangeRequest.kt b/src/main/kotlin/com/mptsix/todaydiary/data/request/PasswordChangeRequest.kt
@@ -1,5 +1,6 @@
 package com.mptsix.todaydiary.data.request
 
 data class PasswordChangeRequest(
+    var previousPassword: String,
     var userPassword: String // 바꾸고 싶은 비밀번호
 )
diff --git a/src/main/kotlin/com/mptsix/todaydiary/service/UserService.kt b/src/main/kotlin/com/mptsix/todaydiary/service/UserService.kt
@@ -119,9 +119,11 @@ class UserService(
     }
 
     fun changePassword(userToken: String, passwordChangeRequest: PasswordChangeRequest) {
-        val user: User = userRepository.findByUserId(getUserIdFromToken(userToken)).apply {
-            userPassword = passwordChangeRequest.userPassword
+        val user: User = userRepository.findByUserId(getUserIdFromToken(userToken))
+        if (!passwordEncryptorService.isMatching(passwordChangeRequest.previousPassword, user.userPassword)) {
+            throw ForbiddenException("Password is not correct!")
         }
+        user.userPassword = passwordEncryptorService.encodePlainText(passwordChangeRequest.userPassword)
         userRepository.addUser(user)
     }
 
diff --git a/src/test/kotlin/com/mptsix/todaydiary/controller/UserControllerTest.kt b/src/test/kotlin/com/mptsix/todaydiary/controller/UserControllerTest.kt
@@ -185,7 +185,7 @@ internal class UserControllerTest {
             put("X-AUTH-TOKEN", listOf(loginToken))
         }
         val responseEntity: ResponseEntity<Unit> =
-            restTemplate.exchange(url, HttpMethod.PUT, HttpEntity<PasswordChangeRequest>(PasswordChangeRequest("test"), httpHeaders))
+            restTemplate.exchange(url, HttpMethod.PUT, HttpEntity<PasswordChangeRequest>(PasswordChangeRequest("test", "test"), httpHeaders))
 
         assertThat(responseEntity.statusCode).isEqualTo(HttpStatus.NO_CONTENT)
     }
diff --git a/src/test/kotlin/com/mptsix/todaydiary/service/UserServiceTest.kt b/src/test/kotlin/com/mptsix/todaydiary/service/UserServiceTest.kt
@@ -323,10 +323,24 @@ internal class UserServiceTest {
     @Test
     fun is_changePassword_works_well() {
         val loginToken: String = loginUser()
-        userService.changePassword(loginToken, PasswordChangeRequest("whatever"))
+        val beforeUser: User = userRepository.findByUserId(mockUser.userId)
+        userService.changePassword(loginToken, PasswordChangeRequest(mockUser.userPassword, "whatever"))
 
         val user: User = userRepository.findByUserId(mockUser.userId)
-        assertThat(user.userPassword).isEqualTo("whatever")
+        assertThat(user.userPassword).isNotEqualTo("whatever")
+        assertThat(user.userPassword).isNotEqualTo(beforeUser.userPassword)
+    }
+
+    @Test
+    fun is_changePassword_throws_forbidden() {
+        val loginToken: String = loginUser()
+        runCatching {
+            userService.changePassword(loginToken, PasswordChangeRequest("mockUser.userPassword", "whatever"))
+        }.onSuccess {
+            fail("Password is wrong, but succeed?")
+        }.onFailure {
+            assertThat(it is ForbiddenException).isEqualTo(true)
+        }
     }
 
     @Test

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,6 @@`
`1`	`1`	`package com.mptsix.todaydiary.data.request`
`2`	`2`
`3`	`3`	`data class PasswordChangeRequest(`
	`4`	`+ var previousPassword: String,`
`4`	`5`	`var userPassword: String // 바꾸고 싶은 비밀번호`
`5`	`6`	`)`
Original file line number	Diff line number	Diff line change
`@@ -119,9 +119,11 @@ class UserService(`
`119`	`119`	`}`
`120`	`120`
`121`	`121`	`fun changePassword(userToken: String, passwordChangeRequest: PasswordChangeRequest) {`
`122`		`- val user: User = userRepository.findByUserId(getUserIdFromToken(userToken)).apply {`
`123`		`- userPassword = passwordChangeRequest.userPassword`
	`122`	`+ val user: User = userRepository.findByUserId(getUserIdFromToken(userToken))`
	`123`	`+ if (!passwordEncryptorService.isMatching(passwordChangeRequest.previousPassword, user.userPassword)) {`
	`124`	`+ throw ForbiddenException("Password is not correct!")`
`124`	`125`	`}`
	`126`	`+ user.userPassword = passwordEncryptorService.encodePlainText(passwordChangeRequest.userPassword)`
`125`	`127`	`userRepository.addUser(user)`
`126`	`128`	`}`
`127`	`129`
Original file line number	Diff line number	Diff line change
`@@ -185,7 +185,7 @@ internal class UserControllerTest {`
`185`	`185`	`put("X-AUTH-TOKEN", listOf(loginToken))`
`186`	`186`	`}`
`187`	`187`	`val responseEntity: ResponseEntity<Unit> =`
`188`		`- restTemplate.exchange(url, HttpMethod.PUT, HttpEntity<PasswordChangeRequest>(PasswordChangeRequest("test"), httpHeaders))`
	`188`	`+ restTemplate.exchange(url, HttpMethod.PUT, HttpEntity<PasswordChangeRequest>(PasswordChangeRequest("test", "test"), httpHeaders))`
`189`	`189`
`190`	`190`	`assertThat(responseEntity.statusCode).isEqualTo(HttpStatus.NO_CONTENT)`
`191`	`191`	`}`