From 450b4276c8eba700fc603a6f259a40b311bab86c Mon Sep 17 00:00:00 2001 From: Loganathan Sekar <42532387+LoganathanSekar7627@users.noreply.github.com> Date: Fri, 9 Feb 2024 20:09:01 +0530 Subject: [PATCH] MOSIP-31314 otp validation security fix (#1190) * WIP added OTP freezing logic Signed-off-by: Loganathan Sekar * Added test cases Signed-off-by: Loganathan Sekar * Added sendotp test cases Signed-off-by: Loganathan Sekar * Updated db scripts to index refid but not otphash Signed-off-by: Loganathan Sekar * Minor refectoring Signed-off-by: Loganathan Sekar * Corrected otp freezing property names Signed-off-by: Loganathan Sekar * Correction to the OTP frozen message Signed-off-by: Loganathan Sekar * Correction to the OTP frozen message Signed-off-by: Loganathan Sekar * Correction to the OTP frozen message Signed-off-by: Loganathan Sekar * Added validation on frozen error message Signed-off-by: Loganathan Sekar * Minor refactoring Signed-off-by: Loganathan Sekar * Added javadocs Signed-off-by: Loganathan Sekar * Fixed test failure Signed-off-by: Loganathan Sekar * Avoided nested if elses for exceptions in else block Signed-off-by: Loganathan Sekar * Fixed otp error message Signed-off-by: Loganathan Sekar * Applied review comments Signed-off-by: Loganathan Sekar * Minor jdoc update Signed-off-by: Loganathan Sekar * Fix to saving entity Signed-off-by: Loganathan Sekar * Fix for the JPA query method Signed-off-by: Loganathan Sekar * Fix for the JPA query method Signed-off-by: Loganathan Sekar * Fix for the JPA query method Signed-off-by: Loganathan Sekar * Minor fix to OTP generation time setting Signed-off-by: Loganathan Sekar * Fix to updating generated dtimes Signed-off-by: Loganathan Sekar --------- Signed-off-by: Loganathan Sekar --- .../service/integration/OTPManager.java | 33 ++++++++++++------- 1 file changed, 22 insertions(+), 11 deletions(-) 
diff --git a/authentication/authentication-common/src/main/java/io/mosip/authentication/common/service/integration/OTPManager.java b/authentication/authentication-common/src/main/java/io/mosip/authentication/common/service/integration/OTPManager.java
index 6494dfd8538..2b659684f5f 100644
--- a/authentication/authentication-common/src/main/java/io/mosip/authentication/common/service/integration/OTPManager.java
+++ b/authentication/authentication-common/src/main/java/io/mosip/authentication/common/service/integration/OTPManager.java
@@ -118,17 +118,28 @@ public boolean sendOtp(OtpRequestDTO otpRequestDTO, String idvid, String idvidTy
 + EnvUtil.getKeySplitter() + otpRequestDTO.getTransactionID() + EnvUtil.getKeySplitter() + otp).getBytes());
- OtpTransaction txn = new OtpTransaction();
- txn.setId(UUID.randomUUID().toString());
- txn.setRefId(securityManager.hash(otpRequestDTO.getIndividualId()));
- txn.setOtpHash(otpHash);
- txn.setCrBy(securityManager.getUser());
- txn.setGeneratedDtimes(otpGenerationTime);
- txn.setCrDtimes(otpGenerationTime);
- txn.setExpiryDtimes(otpGenerationTime.plusSeconds(
- EnvUtil.getOtpExpiryTime()));
- txn.setStatusCode(IdAuthCommonConstants.ACTIVE_STATUS);
- otpRepo.save(txn);
+ OtpTransaction otpTxn;
+ if (otpEntityOpt.isPresent()
+ && (otpTxn = otpEntityOpt.get()).getStatusCode().equals(IdAuthCommonConstants.ACTIVE_STATUS)) {
+ otpTxn.setOtpHash(otpHash);
+ otpTxn.setUpdBy(securityManager.getUser());
+ otpTxn.setUpdDTimes(otpGenerationTime);
+ otpTxn.setGeneratedDtimes(otpGenerationTime);
+ otpTxn.setExpiryDtimes(otpGenerationTime.plusSeconds(EnvUtil.getOtpExpiryTime()));
+ otpRepo.save(otpTxn);
+ } else {
+ OtpTransaction txn = new OtpTransaction();
+ txn.setId(UUID.randomUUID().toString());
+ txn.setRefId(securityManager.hash(otpRequestDTO.getIndividualId()));
+ txn.setOtpHash(otpHash);
+ txn.setCrBy(securityManager.getUser());
+ txn.setCrDtimes(otpGenerationTime);
+ txn.setGeneratedDtimes(otpGenerationTime);
+ txn.setExpiryDtimes(otpGenerationTime.plusSeconds(
+ EnvUtil.getOtpExpiryTime()));
+ txn.setStatusCode(IdAuthCommonConstants.ACTIVE_STATUS);
+ otpRepo.save(txn);
+ }
 String notificationProperty = null;
 notificationProperty = otpRequestDTO