Prevent reuse of old password during password change

Added NewPasswordException and updated UserService to throw this exception if the new password matches the current password. Introduced a new error code ERR_SEC_0007 for this scenario and added a matches method to PasswordEncryptionService for password comparison.
6 days ago · c969d35b26
parent 3753918526
commit c969d35b26
4 changed files with 25 additions and 8 deletions
--- a/aconnect/src/main/java/com/mfsys/aconnect/usermanagement/exceptions/NewPasswordException.java
+++ b/aconnect/src/main/java/com/mfsys/aconnect/usermanagement/exceptions/NewPasswordException.java
@ -0,0 +1,10 @@
+package com.mfsys.aconnect.usermanagement.exceptions;
+
+import com.mfsys.common.configuration.constant.ERRCode;
+import com.mfsys.common.configuration.exception.ApplicationException;
+
+public class NewPasswordException extends ApplicationException {
+    public NewPasswordException(String porOrgacode) {
+        super(porOrgacode, ERRCode.NEW_PASSWORD);
+    }
+}
--- a/aconnect/src/main/java/com/mfsys/aconnect/usermanagement/service/UserService.java
+++ b/aconnect/src/main/java/com/mfsys/aconnect/usermanagement/service/UserService.java
@ -3,6 +3,7 @@ package com.mfsys.aconnect.usermanagement.service;
 import com.mfsys.aconnect.security.dto.ChangePasswordDTO;
 import com.mfsys.aconnect.security.dto.ResetPasswordDTO;
 import com.mfsys.aconnect.usermanagement.exceptions.EmailAlreadyExistException;
+import com.mfsys.aconnect.usermanagement.exceptions.NewPasswordException;
 import com.mfsys.aconnect.usermanagement.exceptions.OldPasswordNotMatch;
 import com.mfsys.aconnect.usermanagement.exceptions.UsernameAlreadyExistException;
 import com.mfsys.aconnect.usermanagement.model.Role;
@ -55,9 +56,8 @@ public class UserService {
    User user = userRepository.findById(request.getUserId())
            .orElseThrow(() -> new EntityNotFoundException("User not found with ID: " + request.getUserId()));

-    boolean isPasswordValid = PasswordEncryptionService.verifyPassword(request.getOldPassword(), user.getPassword());
-    if(!isPasswordValid) {
-      throw new OldPasswordNotMatch(request.getPorOrgacode());
+    if (passwordEncryptionService.matches(request.getNewPassword(), user.getPassword())) {
+      throw new NewPasswordException(request.getPorOrgacode());
    }
    user.setPassword(passwordEncryptionService.hashPassword(request.getNewPassword()));
    userRepository.save(user);
@ -69,10 +69,9 @@ public class UserService {
        User user = userRepository.findById(request.getUserId())
                .orElseThrow(() -> new EntityNotFoundException("User not found with ID: " + request.getUserId()));

-        boolean isPasswordValid = PasswordEncryptionService.verifyPassword(request.getOldPassword(), user.getPassword());
-        if(!isPasswordValid) {
-            throw new OldPasswordNotMatch(request.getPorOrgacode());
-        }
+      if (passwordEncryptionService.matches(request.getNewPassword(), user.getPassword())) {
+        throw new NewPasswordException(request.getPorOrgacode());
+      }
        user.setPassword(passwordEncryptionService.hashPassword(request.getNewPassword()));
        user.setFirstLogin(false);
        userRepository.save(user);
@ -84,6 +83,9 @@ public class UserService {
    User user = userRepository.findById(request.getUserId())
            .orElseThrow(() -> new EntityNotFoundException("User not found with ID: " + request.getUserId()));

+    if (passwordEncryptionService.matches(request.getNewPassword(), user.getPassword())) {
+      throw new NewPasswordException(request.getPorOrgacode());
+    }
    user.setPassword(passwordEncryptionService.hashPassword(request.getNewPassword()));
    userRepository.save(user);
    return "Password changed successfully";
--- a/common/src/main/java/com/mfsys/common/configuration/constant/ERRCode.java
+++ b/common/src/main/java/com/mfsys/common/configuration/constant/ERRCode.java
@ -15,7 +15,8 @@ public enum ERRCode implements ErrorMessage {
    MISSING_GL_CODE("ERR_GL_0001","Credit and Debit GL codes are required"),
    SAMEGLCODE("ERR_GL_0002","Credit and Debit GL codes must be different"),
    MISSING_ACCOUNT_NUMBER("ERR_ACCT_0001","Account number is required"),
-    SAMEACCOUNTNUMBER("ERR_ACCT_0002","Account number must be different");
+    SAMEACCOUNTNUMBER("ERR_ACCT_0002","Account number must be different"),
+    NEW_PASSWORD("ERR_SEC_0007","New password cannot be same as old password");



--- a/common/src/main/java/com/mfsys/common/configuration/service/PasswordEncryptionService.java
+++ b/common/src/main/java/com/mfsys/common/configuration/service/PasswordEncryptionService.java
@ -14,4 +14,8 @@ public class PasswordEncryptionService {
    return BCrypt.checkpw(plainPassword, hashedPassword);
  }

+  public boolean matches(String rawPassword, String encodedPassword) {
+    return BCrypt.checkpw(rawPassword, encodedPassword);
+  }
+
 }