fixed views for password reset (#679)

2019-10-10 07:50:47 +02:00 · 2019-10-10 07:50:47 +02:00 · f140875156
commit f140875156
parent 18d43f16d3
3 changed files with 26 additions and 11 deletions
--- a/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/ResetLinkAssignment.java
+++ b/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/ResetLinkAssignment.java
@ -31,6 +31,7 @@ import org.owasp.webgoat.password_reset.resetlink.PasswordChangeForm;
 import org.springframework.ui.Model;
 import org.springframework.validation.BindingResult;
 import org.springframework.web.bind.annotation.*;
+import org.springframework.web.servlet.ModelAndView;

 import java.util.Map;

@ -46,7 +47,7 @@ public class ResetLinkAssignment extends AssignmentEndpoint {
    static final String TOM_EMAIL = "tom@webgoat-cloud.org";
    static Map<String, String> userToTomResetLink = Maps.newHashMap();
    static Map<String, String> usersToTomPassword = Maps.newHashMap();
-    static EvictingQueue resetLinks = EvictingQueue.create(1000);
+    static EvictingQueue<String> resetLinks = EvictingQueue.create(1000);

    static final String TEMPLATE = "Hi, you requested a password reset link, please use this " +
            "<a target='_blank' href='http://%s/WebGoat/PasswordReset/reset/reset-password/%s'>link</a> to reset your password." +
@ -73,32 +74,46 @@ public class ResetLinkAssignment extends AssignmentEndpoint {
    }

    @GetMapping("/PasswordReset/reset/reset-password/{link}")
-    public String resetPassword(@PathVariable(value = "link") String link, Model model) {
-        if (this.resetLinks.contains(link)) {
+    public ModelAndView resetPassword(@PathVariable(value = "link") String link, Model model) {
+    	ModelAndView modelAndView = new ModelAndView();
+        if (ResetLinkAssignment.resetLinks.contains(link)) {
            PasswordChangeForm form = new PasswordChangeForm();
            form.setResetLink(link);
            model.addAttribute("form", form);
-            return "password_reset"; //Display html page for changing password
+            modelAndView.addObject("form", form);
+            modelAndView.setViewName("password_reset"); //Display html page for changing password
        } else {
-            return "password_link_not_found";
+        	modelAndView.setViewName("password_link_not_found");
        }
+        return modelAndView;
+    }
+
+    @GetMapping("/PasswordReset/reset/change-password")
+    public ModelAndView illegalCall() {
+    	ModelAndView modelAndView = new ModelAndView();
+    	modelAndView.setViewName("password_link_not_found");
+    	return modelAndView;
    }
    
    @PostMapping("/PasswordReset/reset/change-password")
-    public String changePassword(@ModelAttribute("form") PasswordChangeForm form, BindingResult bindingResult) {
+    public ModelAndView changePassword(@ModelAttribute("form") PasswordChangeForm form, BindingResult bindingResult) {
+    	ModelAndView modelAndView = new ModelAndView();
        if (!org.springframework.util.StringUtils.hasText(form.getPassword())) {
            bindingResult.rejectValue("password", "not.empty");
        }
        if (bindingResult.hasErrors()) {
-            return "password_reset";
+        	modelAndView.setViewName("password_reset");
+        	return modelAndView;
        }
        if (!resetLinks.contains(form.getResetLink())) {
-            return "password_link_not_found";
+        	modelAndView.setViewName("password_link_not_found");
+        	return modelAndView;
        }
        if (checkIfLinkIsFromTom(form.getResetLink())) {
            usersToTomPassword.put(getWebSession().getUserName(), form.getPassword());
        }
-        return "success";
+        modelAndView.setViewName("success");
+        return modelAndView;
    }

    private boolean checkIfLinkIsFromTom(String resetLinkFromForm) {
--- a/webgoat-lessons/password-reset/src/main/resources/templates/password_link_not_found.html
+++ b/webgoat-lessons/password-reset/src/main/resources/templates/password_link_not_found.html
@ -3,7 +3,7 @@
 <head>
    <link rel="stylesheet" type="text/css" th:href="@{/plugins/bootstrap/css/bootstrap.min.css}"/>
    <link rel="stylesheet" type="text/css" th:href="@{/css/font-awesome.min.css}"/>
-    <script th:src="@{/plugins/bootstrap/js/bootstrap.min.js}"/>
+    <script th:src="@{/plugins/bootstrap/js/bootstrap.min.js}"></script>
 </head>

 <body>
--- a/webgoat-lessons/password-reset/src/main/resources/templates/success.html
+++ b/webgoat-lessons/password-reset/src/main/resources/templates/success.html
@ -3,7 +3,7 @@
 <head>
    <link rel="stylesheet" type="text/css" th:href="@{/plugins/bootstrap/css/bootstrap.min.css}"/>
    <link rel="stylesheet" type="text/css" th:href="@{/css/font-awesome.min.css}"/>
-    <script th:src="@{/plugins/bootstrap/js/bootstrap.min.js}"/>
+    <script th:src="@{/plugins/bootstrap/js/bootstrap.min.js}"></script>
 </head>

 <body>