From f72ecb5917ce003f6ba45525bdafc72aa7925b63 Mon Sep 17 00:00:00 2001
From: Szymon Radziszewski
Date: Fri, 20 Sep 2024 10:17:56 +0200
Subject: [PATCH] OIS-56: Fixed sending sensitive information to unauthorized users

---
 .../auth/service/PasswordResetNotifier.java | 15 ++++++++++++---
 .../org/openlmis/auth/web/UserController.java | 16 +++++++++++-----
 2 files changed, 23 insertions(+), 8 deletions(-)

diff --git a/src/main/java/org/openlmis/auth/service/PasswordResetNotifier.java b/src/main/java/org/openlmis/auth/service/PasswordResetNotifier.java
index e51524f..92a5967 100644
--- a/src/main/java/org/openlmis/auth/service/PasswordResetNotifier.java
+++ b/src/main/java/org/openlmis/auth/service/PasswordResetNotifier.java
@@ -21,7 +21,10 @@
 import java.time.ZonedDateTime;
 import org.openlmis.auth.domain.PasswordResetToken;
 import org.openlmis.auth.domain.User;
+import org.openlmis.auth.exception.ExternalApiException;
 import org.openlmis.auth.repository.PasswordResetTokenRepository;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.stereotype.Service;
@@ -29,6 +32,7 @@
 @Service
 public class PasswordResetNotifier extends ExpirationTokenNotifier {
+ private final Logger logger = LoggerFactory.getLogger(getClass());
 private static final String RESET_PASSWORD_URL = "/#!/resetPassword/";
 @Autowired
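Review bot: The logger added to PasswordResetNotifier in the second hunk is a non-static instance field resolved through `getClass()`, which both diverges from the `LOGGER` naming the same commit uses in UserController and, on a Spring `@Service` that may end up behind a generated proxy, can make the log category the proxy subclass rather than this class. Prefer a static, class-literal logger placed together with the other static members: `private static final Logger LOGGER = LoggerFactory.getLogger(PasswordResetNotifier.class);`. The class body continues past the hunk, so the uses of this logger and of the newly imported ExternalApiException are not visible here; if the logger replaces an exception that used to propagate, the log call should pass the exception as the last argument (as the UserController hunk does) so the stack trace is kept for investigation while the caller still sees a generic response.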
@@ -45,9 +49,14 @@ public class PasswordResetNotifier extends ExpirationTokenNotifier
 found = userContactDetailsNotificationService.findByEmail(email);
 if (CollectionUtils.isEmpty(found)) {
- throw new ValidationMessageException(USER_NOT_FOUND_BY_EMAIL);
+ LOGGER.error("User with provided email does not exist.",
+ new ValidationMessageException(USER_NOT_FOUND_BY_EMAIL));
+ return;
 }
- User user = userRepository.findById(found.get(0).getReferenceDataUserId()).orElseThrow(
- () -> new ValidationMessageException(USER_NOT_FOUND)
- );
- passwordResetNotifier.sendNotification(user);
+ Optional optionalUser = userRepository.findById(found.get(0).getReferenceDataUserId());
+ if (!optionalUser.isPresent()) {
+ LOGGER.error("User with ID {} does not exist.", found.get(0).getReferenceDataUserId(),
+ new ValidationMessageException(USER_NOT_FOUND));
+ } else {
+ passwordResetNotifier.sendNotification(optionalUser.get());
+ }
 }
 /**