fix: register user while already logged in as other user. (#2042)

src/it/java/org/owasp/webgoat/playwright/webgoat/RegistrationUITest.java

@@ -0,0 +1,48 @@
+/*
+ * SPDX-FileCopyrightText: Copyright © 2025 WebGoat authors
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+package org.owasp.webgoat.playwright.webgoat;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+import com.microsoft.playwright.Browser;
+import org.junit.jupiter.api.DisplayName;
+import org.junit.jupiter.api.Test;
+import org.owasp.webgoat.playwright.webgoat.helpers.Authentication;
+import org.owasp.webgoat.playwright.webgoat.pages.RegistrationPage;
+import org.owasp.webgoat.playwright.webgoat.pages.WebGoatLoginPage;
+
+public class RegistrationUITest extends PlaywrightTest {
+
+  @Test
+  @DisplayName("Should register a new user while logged in as other user")
+  void registerWhileLoggedIn(Browser browser) {
+    var page = Authentication.tweety(browser);
+    var loginPage = new WebGoatLoginPage(page);
+    loginPage.open();
+    loginPage.login(Authentication.getTweety().name(), Authentication.getTweety().password());
+
+    var newUsername = "newuser" + System.currentTimeMillis();
+    var password = "password123";
+    var registrationPage = new RegistrationPage(page);
+    registrationPage.open();
+    registrationPage.register(newUsername, password);
+
+    assertThat(page.content()).contains(newUsername);
+  }
+
+  @Test
+  @DisplayName("Should register a new user")
+  void registerNewUser(Browser browser) {
+    var page = browser.newContext().newPage();
+    var registrationPage = new RegistrationPage(page);
+    registrationPage.open();
+
+    var newUsername = "newuser" + System.currentTimeMillis();
+    var password = "password123";
+    registrationPage.register(newUsername, password);
+
+    assertThat(page.content()).contains(newUsername);
+  }
+}

src/main/java/org/owasp/webgoat/container/users/RegistrationController.java

@@ -6,11 +6,14 @@ package org.owasp.webgoat.container.users;
 
 import jakarta.servlet.ServletException;
 import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
 import jakarta.validation.Valid;
 import java.util.UUID;
-import lombok.AllArgsConstructor;
+import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
 import org.springframework.stereotype.Controller;
 import org.springframework.validation.BindingResult;
 import org.springframework.web.bind.annotation.GetMapping;
@@ -22,12 +25,12 @@ import org.springframework.web.bind.annotation.PostMapping;
  * @since 3/19/17.
  */
 @Controller
-@AllArgsConstructor
+@RequiredArgsConstructor
 @Slf4j
 public class RegistrationController {
 
-  private UserValidator userValidator;
+  private final UserValidator userValidator;
-  private UserService userService;
+  private final UserService userService;
 
   @GetMapping("/registration")
   public String showForm(UserForm userForm) {
@@ -38,13 +41,21 @@ public class RegistrationController {
   public String registration(
       @ModelAttribute("userForm") @Valid UserForm userForm,
       BindingResult bindingResult,
-      HttpServletRequest request)
+      HttpServletRequest request,
+      HttpServletResponse response)
       throws ServletException {
     userValidator.validate(userForm, bindingResult);
 
     if (bindingResult.hasErrors()) {
       return "registration";
     }
+
+    // Logout current user if any
+    Authentication auth = SecurityContextHolder.getContext().getAuthentication();
+    if (auth != null) {
+      new SecurityContextLogoutHandler().logout(request, response, auth);
+    }
+
     userService.addUser(userForm.getUsername(), userForm.getPassword());
     request.login(userForm.getUsername(), userForm.getPassword());