MOSIP-31314 otp validation security fix (#1190)

* WIP added OTP freezing logic

Signed-off-by: Loganathan Sekar <[email protected]>

* Added test cases

Signed-off-by: Loganathan Sekar <[email protected]>

* Added sendotp test cases

Signed-off-by: Loganathan Sekar <[email protected]>

* Updated db scripts to index refid but not otphash

Signed-off-by: Loganathan Sekar <[email protected]>

* Minor refectoring

Signed-off-by: Loganathan Sekar <[email protected]>

* Corrected otp freezing property names

Signed-off-by: Loganathan Sekar <[email protected]>

* Correction to the OTP frozen message

Signed-off-by: Loganathan Sekar <[email protected]>

* Correction to the OTP frozen message

Signed-off-by: Loganathan Sekar <[email protected]>

* Correction to the OTP frozen message

Signed-off-by: Loganathan Sekar <[email protected]>

* Added validation on frozen error message

Signed-off-by: Loganathan Sekar <[email protected]>

* Minor refactoring

Signed-off-by: Loganathan Sekar <[email protected]>

* Added javadocs

Signed-off-by: Loganathan Sekar <[email protected]>

* Fixed test failure

Signed-off-by: Loganathan Sekar <[email protected]>

* Avoided nested if elses for exceptions in else block

Signed-off-by: Loganathan Sekar <[email protected]>

* Fixed otp error message

Signed-off-by: Loganathan Sekar <[email protected]>

* Applied review comments

Signed-off-by: Loganathan Sekar <[email protected]>

* Minor jdoc update

Signed-off-by: Loganathan Sekar <[email protected]>

* Fix to saving entity

Signed-off-by: Loganathan Sekar <[email protected]>

* Fix for the JPA query method

Signed-off-by: Loganathan Sekar <[email protected]>

* Fix for the JPA query method

Signed-off-by: Loganathan Sekar <[email protected]>

* Fix for the JPA query method

Signed-off-by: Loganathan Sekar <[email protected]>

* Minor fix to OTP generation time setting

Signed-off-by: Loganathan Sekar <[email protected]>

* Fix to updating generated dtimes

Signed-off-by: Loganathan Sekar <[email protected]>

---------

Signed-off-by: Loganathan Sekar <[email protected]>

authentication/authentication-common/src/main/java/io/mosip/authentication/common/service/integration/OTPManager.java

@@ -118,17 +118,28 @@ public boolean sendOtp(OtpRequestDTO otpRequestDTO, String idvid, String idvidTy
 				+ EnvUtil.getKeySplitter() + otpRequestDTO.getTransactionID()
 				+ EnvUtil.getKeySplitter() + otp).getBytes());
 
-		OtpTransaction txn = new OtpTransaction();
-		txn.setId(UUID.randomUUID().toString());
-		txn.setRefId(securityManager.hash(otpRequestDTO.getIndividualId()));
-		txn.setOtpHash(otpHash);
-		txn.setCrBy(securityManager.getUser());
-		txn.setGeneratedDtimes(otpGenerationTime);
-		txn.setCrDtimes(otpGenerationTime);
-		txn.setExpiryDtimes(otpGenerationTime.plusSeconds(
-				EnvUtil.getOtpExpiryTime()));
-		txn.setStatusCode(IdAuthCommonConstants.ACTIVE_STATUS);
-		otpRepo.save(txn);
+		OtpTransaction otpTxn;
+		if (otpEntityOpt.isPresent()
+				&& (otpTxn = otpEntityOpt.get()).getStatusCode().equals(IdAuthCommonConstants.ACTIVE_STATUS)) {
+			otpTxn.setOtpHash(otpHash);
+			otpTxn.setUpdBy(securityManager.getUser());
+			otpTxn.setUpdDTimes(otpGenerationTime);
+			otpTxn.setGeneratedDtimes(otpGenerationTime);
+			otpTxn.setExpiryDtimes(otpGenerationTime.plusSeconds(EnvUtil.getOtpExpiryTime()));
+			otpRepo.save(otpTxn);
+		} else {
+			OtpTransaction txn = new OtpTransaction();
+			txn.setId(UUID.randomUUID().toString());
+			txn.setRefId(securityManager.hash(otpRequestDTO.getIndividualId()));
+			txn.setOtpHash(otpHash);
+			txn.setCrBy(securityManager.getUser());
+			txn.setCrDtimes(otpGenerationTime);
+			txn.setGeneratedDtimes(otpGenerationTime);
+			txn.setExpiryDtimes(otpGenerationTime.plusSeconds(
+					EnvUtil.getOtpExpiryTime()));
+			txn.setStatusCode(IdAuthCommonConstants.ACTIVE_STATUS);
+			otpRepo.save(txn);
+		}
 
 		String notificationProperty = null;
 		notificationProperty = otpRequestDTO