From c969d35b26786ce8828cfa9e5204107d94373663 Mon Sep 17 00:00:00 2001 From: Naeem Ullah Date: Thu, 29 Jan 2026 15:44:19 +0500 Subject: [PATCH] Prevent reuse of old password during password change Added NewPasswordException and updated UserService to throw this exception if the new password matches the current password. Introduced a new error code ERR_SEC_0007 for this scenario and added a matches method to PasswordEncryptionService for password comparison. --- .../exceptions/NewPasswordException.java | 10 ++++++++++ .../usermanagement/service/UserService.java | 16 +++++++++------- .../common/configuration/constant/ERRCode.java | 3 ++- .../service/PasswordEncryptionService.java | 4 ++++ 4 files changed, 25 insertions(+), 8 deletions(-) create mode 100644 aconnect/src/main/java/com/mfsys/aconnect/usermanagement/exceptions/NewPasswordException.java diff --git a/aconnect/src/main/java/com/mfsys/aconnect/usermanagement/exceptions/NewPasswordException.java b/aconnect/src/main/java/com/mfsys/aconnect/usermanagement/exceptions/NewPasswordException.java new file mode 100644 index 0000000..483449a --- /dev/null +++ b/aconnect/src/main/java/com/mfsys/aconnect/usermanagement/exceptions/NewPasswordException.java @@ -0,0 +1,10 @@ +package com.mfsys.aconnect.usermanagement.exceptions; + +import com.mfsys.common.configuration.constant.ERRCode; +import com.mfsys.common.configuration.exception.ApplicationException; + +public class NewPasswordException extends ApplicationException { + public NewPasswordException(String porOrgacode) { + super(porOrgacode, ERRCode.NEW_PASSWORD); + } +} \ No newline at end of file diff --git a/aconnect/src/main/java/com/mfsys/aconnect/usermanagement/service/UserService.java b/aconnect/src/main/java/com/mfsys/aconnect/usermanagement/service/UserService.java index 492cc2e..c3fd6f5 100644 --- a/aconnect/src/main/java/com/mfsys/aconnect/usermanagement/service/UserService.java +++ b/aconnect/src/main/java/com/mfsys/aconnect/usermanagement/service/UserService.java @@ -3,6 +3,7 @@ package com.mfsys.aconnect.usermanagement.service; import com.mfsys.aconnect.security.dto.ChangePasswordDTO; import com.mfsys.aconnect.security.dto.ResetPasswordDTO; import com.mfsys.aconnect.usermanagement.exceptions.EmailAlreadyExistException; +import com.mfsys.aconnect.usermanagement.exceptions.NewPasswordException; import com.mfsys.aconnect.usermanagement.exceptions.OldPasswordNotMatch; import com.mfsys.aconnect.usermanagement.exceptions.UsernameAlreadyExistException; import com.mfsys.aconnect.usermanagement.model.Role; @@ -55,9 +56,8 @@ public class UserService { User user = userRepository.findById(request.getUserId()) .orElseThrow(() -> new EntityNotFoundException("User not found with ID: " + request.getUserId())); - boolean isPasswordValid = PasswordEncryptionService.verifyPassword(request.getOldPassword(), user.getPassword()); - if(!isPasswordValid) { - throw new OldPasswordNotMatch(request.getPorOrgacode()); + if (passwordEncryptionService.matches(request.getNewPassword(), user.getPassword())) { + throw new NewPasswordException(request.getPorOrgacode()); } user.setPassword(passwordEncryptionService.hashPassword(request.getNewPassword())); userRepository.save(user); @@ -69,10 +69,9 @@ public class UserService { User user = userRepository.findById(request.getUserId()) .orElseThrow(() -> new EntityNotFoundException("User not found with ID: " + request.getUserId())); - boolean isPasswordValid = PasswordEncryptionService.verifyPassword(request.getOldPassword(), user.getPassword()); - if(!isPasswordValid) { - throw new OldPasswordNotMatch(request.getPorOrgacode()); - } + if (passwordEncryptionService.matches(request.getNewPassword(), user.getPassword())) { + throw new NewPasswordException(request.getPorOrgacode()); + } user.setPassword(passwordEncryptionService.hashPassword(request.getNewPassword())); user.setFirstLogin(false); userRepository.save(user); @@ -84,6 +83,9 @@ public class UserService { User user = userRepository.findById(request.getUserId()) .orElseThrow(() -> new EntityNotFoundException("User not found with ID: " + request.getUserId())); + if (passwordEncryptionService.matches(request.getNewPassword(), user.getPassword())) { + throw new NewPasswordException(request.getPorOrgacode()); + } user.setPassword(passwordEncryptionService.hashPassword(request.getNewPassword())); userRepository.save(user); return "Password changed successfully"; diff --git a/common/src/main/java/com/mfsys/common/configuration/constant/ERRCode.java b/common/src/main/java/com/mfsys/common/configuration/constant/ERRCode.java index bb04c39..542631d 100644 --- a/common/src/main/java/com/mfsys/common/configuration/constant/ERRCode.java +++ b/common/src/main/java/com/mfsys/common/configuration/constant/ERRCode.java @@ -15,7 +15,8 @@ public enum ERRCode implements ErrorMessage { MISSING_GL_CODE("ERR_GL_0001","Credit and Debit GL codes are required"), SAMEGLCODE("ERR_GL_0002","Credit and Debit GL codes must be different"), MISSING_ACCOUNT_NUMBER("ERR_ACCT_0001","Account number is required"), - SAMEACCOUNTNUMBER("ERR_ACCT_0002","Account number must be different"); + SAMEACCOUNTNUMBER("ERR_ACCT_0002","Account number must be different"), + NEW_PASSWORD("ERR_SEC_0007","New password cannot be same as old password"); diff --git a/common/src/main/java/com/mfsys/common/configuration/service/PasswordEncryptionService.java b/common/src/main/java/com/mfsys/common/configuration/service/PasswordEncryptionService.java index 46962bc..2c247aa 100644 --- a/common/src/main/java/com/mfsys/common/configuration/service/PasswordEncryptionService.java +++ b/common/src/main/java/com/mfsys/common/configuration/service/PasswordEncryptionService.java @@ -14,4 +14,8 @@ public class PasswordEncryptionService { return BCrypt.checkpw(plainPassword, hashedPassword); } + public boolean matches(String rawPassword, String encodedPassword) { + return BCrypt.checkpw(rawPassword, encodedPassword); + } + }