OIS-56: Fixed sending sensitive information to unauthorized users

OpenLMIS · Sep 20, 2024 · f72ecb5 · f72ecb5
1 parent 8126bd1
commit f72ecb5
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 8 deletions.
diff --git a/src/main/java/org/openlmis/auth/service/PasswordResetNotifier.java b/src/main/java/org/openlmis/auth/service/PasswordResetNotifier.java
@@ -21,14 +21,18 @@
 import java.time.ZonedDateTime;
 import org.openlmis.auth.domain.PasswordResetToken;
 import org.openlmis.auth.domain.User;
+import org.openlmis.auth.exception.ExternalApiException;
 import org.openlmis.auth.repository.PasswordResetTokenRepository;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.stereotype.Service;
 
 @Service
 public class PasswordResetNotifier extends ExpirationTokenNotifier<PasswordResetToken> {
 
+  private final Logger logger = LoggerFactory.getLogger(getClass());
   private static final String RESET_PASSWORD_URL = "/#!/resetPassword/";
 
   @Autowired
@@ -45,9 +49,14 @@ public class PasswordResetNotifier extends ExpirationTokenNotifier<PasswordReset
   public void sendNotification(User user) {
     PasswordResetToken token = createPasswordResetToken(user);
 
-    sendEmail(
-        user, token, PASSWORD_RESET_EMAIL_SUBJECT, PASSWORD_RESET_EMAIL_BODY, getResetPasswordUrl()
-    );
+    try {
+      sendEmail(
+          user, token, PASSWORD_RESET_EMAIL_SUBJECT,
+          PASSWORD_RESET_EMAIL_BODY, getResetPasswordUrl()
+      );
+    } catch (ExternalApiException ex) {
+      logger.error("An exception occurred in the notification service", ex);
+    }
   }
 
   /**

diff --git a/src/main/java/org/openlmis/auth/web/UserController.java b/src/main/java/org/openlmis/auth/web/UserController.java
@@ -23,6 +23,7 @@
 import static org.openlmis.auth.i18n.MessageKeys.USER_NOT_FOUND_BY_EMAIL;
 
 import java.util.List;
+import java.util.Optional;
 import java.util.UUID;
 import org.openlmis.auth.domain.PasswordResetToken;
 import org.openlmis.auth.domain.User;
@@ -204,13 +205,18 @@ public void forgotPassword(@RequestParam(value = "email") String email) {
     List<UserContactDetailsDto> found = userContactDetailsNotificationService.findByEmail(email);
 
     if (CollectionUtils.isEmpty(found)) {
-      throw new ValidationMessageException(USER_NOT_FOUND_BY_EMAIL);
+      LOGGER.error("User with provided email does not exist.",
+          new ValidationMessageException(USER_NOT_FOUND_BY_EMAIL));
+      return;
     }
 
-    User user = userRepository.findById(found.get(0).getReferenceDataUserId()).orElseThrow(
-        () -> new ValidationMessageException(USER_NOT_FOUND)
-    );
-    passwordResetNotifier.sendNotification(user);
+    Optional<User> optionalUser = userRepository.findById(found.get(0).getReferenceDataUserId());
+    if (!optionalUser.isPresent()) {
+      LOGGER.error("User with ID {} does not exist.", found.get(0).getReferenceDataUserId(),
+          new ValidationMessageException(USER_NOT_FOUND));
+    } else {
+      passwordResetNotifier.sendNotification(optionalUser.get());
+    }
   }
 
   /**