/**
 * Completes a lost-password flow: redeems the change code from the request body for a password
 * reset and returns a login code for the updated user.
 *
 * <p>Status mapping, in the order it is evaluated:
 * <ul>
 *   <li>400 when the request carries no change code;</li>
 *   <li>200 with the user's id, username, primary e-mail and a login code from {@code getCode(...)};</li>
 *   <li>401 on {@link BadCredentialsException}, 404 on {@link ScimResourceNotFoundException};</li>
 *   <li>{@link InvalidPasswordException} and {@link InvalidCodeException} are rethrown unchanged;</li>
 *   <li>500 for any other exception.</li>
 * </ul>
 *
 * @param passwordChangeRequest body holding the change code and the new password
 * @return the response entity described above
 * @throws InvalidPasswordException if raised during the reset; it bypasses the generic 500 mapping
 * @throws InvalidCodeException if raised during the reset; it bypasses the generic 500 mapping
 */
@RequestMapping(value = "/password_change", method = RequestMethod.POST)
public ResponseEntity<LostPasswordChangeResponse> changePassword(@RequestBody LostPasswordChangeRequest passwordChangeRequest) {
    if (passwordChangeRequest.getChangeCode() == null) {
        // A missing code is a malformed request, not an authentication failure.
        return new ResponseEntity<>(BAD_REQUEST);
    }
    try {
        ExpiringCode resetCode = getExpiringCode(passwordChangeRequest.getChangeCode());
        ResetPasswordService.ResetPasswordResponse resetResult =
                resetPasswordService.resetPassword(resetCode, passwordChangeRequest.getNewPassword());
        ScimUser updatedUser = resetResult.getUser();
        ExpiringCode loginCode = getCode(updatedUser.getId(), updatedUser.getUserName(), resetResult.getClientId());

        LostPasswordChangeResponse body = new LostPasswordChangeResponse();
        body.setUserId(updatedUser.getId());
        body.setUsername(updatedUser.getUserName());
        body.setEmail(updatedUser.getPrimaryEmail());
        body.setLoginCode(loginCode.getCode());
        return new ResponseEntity<>(body, OK);
    } catch (BadCredentialsException e) {
        // NOTE(review): 401 here vs. 404 below lets a caller tell the two failure modes apart;
        // confirm that distinction is intended for an unauthenticated endpoint.
        return new ResponseEntity<>(UNAUTHORIZED);
    } catch (ScimResourceNotFoundException e) {
        return new ResponseEntity<>(NOT_FOUND);
    } catch (InvalidPasswordException | InvalidCodeException e) {
        // Rethrown on purpose so these are not collapsed into the generic 500 below.
        throw e;
    } catch (Exception e) {
        // NOTE(review): the cause is discarded here; no logging is visible in this block.
        return new ResponseEntity<>(INTERNAL_SERVER_ERROR);
    }
}
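/**
 * Happy path of the lost-password change endpoint: a freshly requested expiring code plus a new
 * password yields HTTP 200 and publishes a {@link PasswordChangeEvent} for the test user.
 *
 * <p>The event is selected from all captured {@link AbstractUaaEvent}s by type rather than by
 * taking the last capture, so an unrelated event published afterwards fails with a clear
 * assertion message instead of a {@link ClassCastException}.
 */
@Test
void changePassword_ReturnsSuccess_WithValidExpiringCode() throws Exception {
    String loginToken = testClient.getClientCredentialsOAuthAccessToken("login", "loginsecret", "oauth.login");
    String expiringCode = requestExpiringCode(testUser.getUserName(), loginToken);
    LostPasswordChangeRequest changeRequest = new LostPasswordChangeRequest(expiringCode, "Koala2");

    MockHttpSession session = new MockHttpSession();
    MockHttpServletRequestBuilder changePasswordPost = post("/password_change")
            .accept(APPLICATION_JSON_VALUE)
            .contentType(MediaType.APPLICATION_JSON)
            .session(session)
            .header("Authorization", "Bearer " + loginToken)
            .content(JsonUtils.writeValueAsBytes(changeRequest));

    mockMvc.perform(changePasswordPost)
            .andExpect(status().isOk());

    ArgumentCaptor<AbstractUaaEvent> eventCaptor = ArgumentCaptor.forClass(AbstractUaaEvent.class);
    verify(listener, atLeastOnce()).onApplicationEvent(eventCaptor.capture());
    PasswordChangeEvent passwordChangeEvent = eventCaptor.getAllValues().stream()
            .filter(PasswordChangeEvent.class::isInstance)
            .map(PasswordChangeEvent.class::cast)
            // keep the last matching event, mirroring the "last capture" semantics of getValue()
            .reduce((first, second) -> second)
            .orElseThrow(() -> new AssertionError("no PasswordChangeEvent was published"));

    assertEquals(testUser.getUserName(), passwordChangeEvent.getUser().getUsername());
    assertEquals("Password changed", passwordChangeEvent.getMessage());
    // PasswordChangeEvent does not carry a session in this case, so the placeholder must be absent.
    assertFalse(passwordChangeEvent.getAuditEvent().getOrigin().contains("sessionId=<SESSION>"));
}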