Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

One Time Token should not be created if user does not exist #16483

Open
5 of 6 tasks
rwinch opened this issue Jan 24, 2025 · 0 comments
Open
5 of 6 tasks

One Time Token should not be created if user does not exist #16483

rwinch opened this issue Jan 24, 2025 · 0 comments
Assignees
@rwinch
Labels
in: web An issue in web modules (web, webmvc) type: enhancement A general enhancement

Comments

@rwinch
Copy link
Member

rwinch commented Jan 24, 2025
edited
Loading

Currently One Time Tokens are created and then the success handler is invoked even if the user does not exist. We should only generate a token and invoke the success handler if a user exists. We should also pass the user to the success handler so it can be used by the success handler without the need to look up the user again.

NOTE: Consider a resulthandler that does both success/failure. Failure is indicated by the ott not generated. Need a new method to pass in the UserDetails on success anyway. Failure should be handled the same as success so as not to reveal information to the end user so this helps to use ensure logic is the same and that a functional API can be used. Alternatively could have two methods on the new interface but might encourage users to handle the logic differently.

If user exists

  • generate a new ott
  • invoke success handler

If user does not exist

  • do not generate ott
  • do not invoke success handler
  • invoke failure handler
  • log.debug ott not generated
@rwinch rwinch added status: waiting-for-triage An issue we've not yet triaged type: enhancement A general enhancement labels Jan 24, 2025
@rwinch rwinch self-assigned this Jan 24, 2025
@rwinch rwinch added in: web An issue in web modules (web, webmvc) and removed status: waiting-for-triage An issue we've not yet triaged labels Jan 24, 2025
@rwinch rwinch moved this to In Progress in Spring Security Team Jan 24, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@rwinch rwinch

Labels
in: web An issue in web modules (web, webmvc) type: enhancement A general enhancement
Projects
Spring Security Team
Status: In Progress
Milestone
No milestone
Development

No branches or pull requests
1 participant
@rwinch