PasswordResetResource.java

package ca.intelliware.ihtsdo.mlds.web.rest;

import java.util.Map;

import javax.annotation.Resource;
import javax.annotation.security.PermitAll;
import javax.transaction.Transactional;

import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RestController;

import ca.intelliware.ihtsdo.mlds.domain.User;
import ca.intelliware.ihtsdo.mlds.repository.UserRepository;
import ca.intelliware.ihtsdo.mlds.service.PasswordResetService;
import ca.intelliware.ihtsdo.mlds.service.mail.MailService;
import ca.intelliware.ihtsdo.mlds.service.mail.PasswordResetEmailSender;

import com.codahale.metrics.annotation.Timed;
import com.google.common.base.Strings;

@RestController
public class PasswordResetResource {
	
	@Resource
	MailService mailService;
	
	@Resource UserRepository userRepository;
	
	@Resource PasswordResetService passwordResetService;
	
	@Resource PasswordResetEmailSender passwordResetEmailSender;

	@RequestMapping(value=Routes.PASSWORD_RESET,
			method = RequestMethod.POST,
    		produces = MediaType.APPLICATION_JSON_VALUE)
	@PermitAll
	@Timed
	@Transactional
	public ResponseEntity<String> requestPasswordReset(@RequestBody Map<String,Object> params) {
		String emailAddress = (String) params.get("email");
		if (Strings.isNullOrEmpty(emailAddress)) {
			return new ResponseEntity<>("no email provided", HttpStatus.BAD_REQUEST);
		}
		
		final User user = userRepository.getUserByEmailIgnoreCase(emailAddress);
		if (user == null) {
			return new ResponseEntity<>(HttpStatus.BAD_REQUEST);
		}
		
		final String tokenKey = passwordResetService.createTokenForUser(user);
		
		// Activate the user.  If the activation email is lost, reset password is the obvious thing to try.
		// Let's let them in.  Otherwise, they're lost forever.
		user.setActivated(true);
		
		passwordResetEmailSender.sendPasswordResetEmail(user, tokenKey);
		
		return new ResponseEntity<>("OK", HttpStatus.OK);
	}

	@RequestMapping(value=Routes.PASSWORD_RESET_ITEM,
			method = RequestMethod.POST,
    		produces = MediaType.APPLICATION_JSON_VALUE)
	@PermitAll
	@Timed
	public ResponseEntity<String> resetPassword(@PathVariable String token, @RequestBody Map<String,Object>params) {
		
		String newPassword = (String) params.get("password");
		if (Strings.isNullOrEmpty(newPassword)) {
			return new ResponseEntity<>("no password provided", HttpStatus.BAD_REQUEST);
		}
		
		try {
			passwordResetService.resetPassword(token, newPassword);
		} catch (IllegalArgumentException e) {
			return new ResponseEntity<>("Password reset token not found in our records", HttpStatus.NOT_FOUND);
		}
		
		return new ResponseEntity<>("OK", HttpStatus.OK);
	}

	
}