How do we Validate a User?

[ZackHollander]

For issue #668 I want to validate a password before the user is deleted. Originally my code to do this looked like this (userService.getCurrentUser().getPassword().equals(passwordEncoder.encode(password). This did not work out, as the passwordEncoder changes the output each time. The top line in the screen shot is the users password that is stored in the db. The second line is the encoded version of the same string before was encoded and stored. They are different.

I went to try to find the login endpoint to see how the user is validated to get the Bearer Token, however could not find the file. I thought I would get a hint on how to do it for my issue. Which leads me to my question of how do we validate a user? What file is it in?

[knjk04]

The bearer token validation should work. I think you're trying to check whether the encoded password stored for the user matches the cleartext (unencrypted) password passed in, which is different

        if (userService.getCurrentUser().getPassword().equals(passwordEncoder.encode(password))) {

If we look at the method description for encode() in the Spring documentation, we can see the following:

Encode the raw password. Generally, a good encoding algorithm applies a SHA-1 or greater hash combined with an 8-byte or greater randomly generated salt.

In particular, note that the BCryptPasswordEncoder also uses a randomly generated salt (emphasis mine). As we don't want know what the salt is, we should be using a different method.

---

Instead, we can use the matches() method:

public boolean matches(java.lang.CharSequence rawPassword, java.lang.String encodedPassword)

Method description:

Verify the encoded password obtained from storage matches the submitted raw password after it too is encoded. Returns true if the passwords match, false if they do not. The stored password itself is never decoded.

The subtle difference here is that it can tell us whether they match without us having to concern ourselves with the salt used to encrypt the password stored in the database.

See the Spring documentation for more information on this method (it's below encode() at the time of writing).

[knjk04]

I've tried this on your code and I can see that matches() returns false. I'm looking into why this is

[knjk04]

If you add

System.out.println(password)

you get back

{
    "password": "password"
}

This is because you're using @RequestBody. A simple workaround here would be to use a @PathVariable instead:

    @DeleteMapping("/delete-current/{password}")
    @ResponseStatus(HttpStatus.OK)
    public void deleteCurrentUser(@PathVariable String password) {

The curly braces on the @DeleteMapping line is a placeholder. It will place the value passed into the parameter password into the URL. You'll need to ensure that what's in the curly braces matches the argument name (in this case, they're both password).

In Postman, you can enter in a path variable by adding a colon before the path variable key (otherwise, it will just treat it as a String -- a regular part of the URL):

[ZackHollander]

That should solve my problem. Thank you for being supper helpful.

[knjk04]

@ZackHollander If this answer helped, would it be possible to mark this as the accepted answer?