temporary field for recovery password

问题: when I restore a password, a password is generated in my project, with which you can log in to your account and change the password, I can’t understand how to limit the tem...

问题:

when I restore a password, a password is generated in my project, with which you can log in to your account and change the password, I can’t understand how to limit the temporary password field by time? let's say that the user can log in using this password for an hour, I have a date field for the password, but I don't know what to compare it with

public class SecurityUser implements UserDetails {

    private Integer id;
    private String username;
    private String password;
    private String email;
    private Date lastPasswordReset;
    private Collection<? extends GrantedAuthority> authorities;
    private Boolean accountNonExpired = true;
    private Boolean accountNonLocked = true;
    private Boolean credentialsNonExpired = true;
    private Boolean enabled = true;
    private String temporaryPassword;
    private Date validatyTime;

回答1:

You can use a ScheduledTasks to reset all the temporary passwords that have expired and set a flag indicating that temp password is not valid anymore.

https://spring.io/guides/gs/scheduling-tasks/


回答2:

tl;dr

Instant                                // Represents a moment in UTC.
.now()                                 // Capture the current moment, as seen through the wall-clock time of UTC.
.ifAfter(                              // Compare one `Instant` object to another.
    user.whenTemporaryPasswordExpires  // This stored moment (an `Instant`) represents an hour later than the current moment captured when the temporary password was issued. 
)                                      // Returns a boolean.

Expiration, not validity

Track the moment when the password expires. So change the name of your validityTime variable to something like whenTemporaryPasswordExpires.

When the user attempts another login, you capture the current moment, then compare to the stored whenTemporaryPasswordExpires.

java.time

Never use java.util.Date. That is one of the terrible date-time classes from the earliest versions of Java. Those legacy classes were supplanted entirely years ago by the java.time classes with the adoption of JSR 310.

Set the expiration

The first of two phases, set the expiration when generating the temporary password.

Capture the current moment.

Instant instant = Instant.now() ;  // Capture the current moment in UTC.

Determine the business policy for how long the temp password is good. Use the Duration to track a span of time in terms of days (24-hour chunks of time, not calendar days), hours, minutes, and seconds.

Duration d = Duration.ofHours( 1 ) ;  // Policy says temporary password is good for one hour.

Do some date-time math, adding the span-of-time (Duration object) to the Instant to get a new Instant representing a future moment. Notice how java.time uses immutable objects, so a new Instant object is produced with values based on the original.

Instant expires = instant.plus( d ) ; // Date-time math, adding the one hour to the current moment gets us a moment 1 hour in the future.

Store that expiration moment as a member variable on your class.

public class SecurityUser implements UserDetails {

    private Integer id;
    private String username;
    …
    private Instant whenTemporaryPasswordExpires;
    …
}

Assign the future moment to the variable.

user.whenTemporaryPasswordExpires = expires ;

Compare current moment to expiration

Phase Two, when user attempts a login, we see if the current moment is later than the expiration. The Instant class has comparison methods such as isBefore and isAfter.

boolean expired = Instant.now().isAfter( user.whenTemporaryPasswordExpires ) ;
if( expired ) {
    // TODO: Display error message about temp pw expired. Offer new temp pw.
} else {  // Else, not expired. Accept temporary password.
    // TODO: Check submitted password to see if it matches temporary password issued earlier.
}

Notice that all the code above uses UTC. There is no need to bother with time zones for the expiration logic. If you want to display the expiration, search Stack Overflow to learn about ZoneId, ZonedDateTime, and DateTimeFormatter.ofLocalized….


In discussion above, I ignored the obvious problem that we never store passwords as such. We use salting & hashing, but that is an altogether different discussion.


About java.time

The java.time framework is built into Java 8 and later. These classes supplant the troublesome old legacy date-time classes such as java.util.Date, Calendar, & SimpleDateFormat.

The Joda-Time project, now in maintenance mode, advises migration to the java.time classes.

To learn more, see the Oracle Tutorial. And search Stack Overflow for many examples and explanations. Specification is JSR 310.

You may exchange java.time objects directly with your database. Use a JDBC driver compliant with JDBC 4.2 or later. No need for strings, no need for java.sql.* classes.

Where to obtain the java.time classes?

The ThreeTen-Extra project extends java.time with additional classes. This project is a proving ground for possible future additions to java.time. You may find some useful classes here such as Interval, YearWeek, YearQuarter, and more.

  • 发表于 2019-01-16 21:54
  • 阅读 ( 214 )
  • 分类:网络文章

条评论

请先 登录 后评论
不写代码的码农
小编

篇文章

作家榜 »

  1. 小编 文章
返回顶部
部分文章转自于网络,若有侵权请联系我们删除