How can I generate temporary URL to recover password in play framework?

0

I am developing a web application using the Play framework 1.4 (didactic version) and I want to implement the password recovery functionality, where the user enters his email and is sent a temporary link to reset his password. My question: how do I generate this temporary link, send it to the email that was filled in, and validate the new password?

My current model, where I have already added `public String token; Date tokenValidityDate;`, which I know will be necessary:

    package models;

    import java.util.Date;   // was sun.util.calendar.BaseCalendar.Date, an internal JDK class

    import javax.crypto.Cipher;
    import javax.crypto.SecretKey;
    import javax.crypto.spec.SecretKeySpec;
    import javax.persistence.Entity;
    import javax.persistence.EnumType;
    import javax.persistence.Enumerated;

    import org.apache.commons.codec.binary.Base64;
    import org.apache.commons.lang.StringUtils;

    import play.data.validation.MinSize;
    import play.data.validation.Required;
    import play.db.jpa.Model;

    @Entity
    public class Funcionario extends Model {

        // Hard-coded AES key; "AES" alone resolves to AES/ECB/PKCS5Padding in the JDK
        final static String chave = "0123456789abcdef";
        private static final String ALGORITMO = "AES";
        private static byte[] mensagemEncriptada;
        private static byte[] mensagemDescriptada;
        private static SecretKey key;

        public String nome;
        public String funcao;
        public String nivelAcesso;
        public String login;

        @MinSize(4)
        public String senha;

        public String email;

        // Fields added for the password recovery flow
        public String token;
        public Date tokenValidityDate;

        @Enumerated(EnumType.STRING)
        public Status status;

        public Funcionario() {
            status = Status.ATIVO;
        }

        // True when a user exists whose stored "senha" equals the transformed input
        public boolean autenticar() throws Exception {
            Funcionario u = Funcionario.find("login = ? and senha = ?", login, descriptografar(senha)).first();
            return u != null;
        }

        // Despite its name, this method encrypts (ENCRYPT_MODE) and Base64-encodes the input;
        // the stored "senha" column holds that value, which is what autenticar() compares against
        public static String descriptografar(String mensagem) throws Exception {
            key = new SecretKeySpec(chave.getBytes(), ALGORITMO);
            Cipher cipher = Cipher.getInstance(ALGORITMO);
            cipher.init(Cipher.ENCRYPT_MODE, key);
            mensagemDescriptada = cipher.doFinal(mensagem.getBytes());
            return StringUtils.trim(Base64.encodeBase64String(mensagemDescriptada));
        }
    }

My HTML page to recover the password:

    <!DOCTYPE html>
    <html>
    <head>
    <meta charset="utf-8">
    <link rel="stylesheet" media="screen" href="@{'/public/stylesheets/login.css'}">
    <title>Octopus</title>
    </head>
    <body background="/public/images/back.png">
    <form action="@{Logins.logar}" method="post">
    <input type="hidden" name="login.id" value="${u?.id}" />
    <div class="login">
    <p><center><small>Digite seu endereço de e-mail para redefinir a senha.</small></center></p>
    <input type="text" placeholder="E-mail" name="funcionario.email" value="${flash['funcionario.email'] ? flash['funcionario.email'] : u?.email}">
    <span class="bg-danger">#{error 'login.email' /}</span>
    <input type="submit" value="Enviar">
    </div>
    <div class="shadow"></div>
    </form>
    </body>
    </html>
asked by anonymous 08.07.2017 / 18:11

1 answer

1
When requesting a password change, the email would be passed; this email will serve to find which user is registered.

Someone will call your entity responsible for accessing the database and find which user is registered with this email. I say someone because it depends on how you implemented or will implement your architecture, but in short, someone has to go and get that user from the database.

Having discovered which user, someone would generate a token that will represent this user and would serve as a parameter for a valid URL.

With the user identified (that is, the database record returned), a token must be generated. This token would have a lifetime (expiration) so that it can be temporary. When it expires, it is deleted/invalidated, thus being unlinked from the user, and can no longer be used.

For it to "represent" the user, they must be connected in some way that the system finds/understands. For example, have a field or table that creates a relationship between the token and your user. With this idea, after generating the token you would register/bind that token to the user.

And send the link once generated.

Finally, you already have the link ready; using the same email sent in the request, it will be sent to the user for the password change.

The requester would receive the link (URL + token) in the email; when accessed, it would be verified whether this token is valid; if so, it searches for the user who is represented by the token, performs the password change and invalidates the token, so that this action can no longer be accessed.

As the goal is a URL that is temporary, you would create an action that receives this token as a parameter; upon receiving this parameter, it is checked whether this token is valid (has it expired? does it exist? etc.); if it is still valid, you would look in the database for which user is linked to that token, thus really knowing who wants to change the password.

It returns the view, the user changes the password successfully (normal update path) and then you invalidate the token so that it cannot be used again; if the user wants to change the password again, they will have to go through the whole process above.

In the rush, but that's it.

Note: There should be some library that generates tokens, do a search.

10.07.2017 / 18:38
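The answer's procedure (find the user, generate a token with a lifetime, bind it to the user, put it in a link, verify it on access, invalidate it after use), written out as an added example; this is not code from the question or the answer. It uses an in-memory map in place of the Play JPA entity and plain JDK classes only, so it runs without Play; the 30-minute lifetime, the `/redefinirSenha` route and the host name are assumptions. Only a SHA-256 hash of the token is stored, so a copy of the table does not yield usable links, and the token is removed after one successful use.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

public class PasswordResetTokens {

    private static final SecureRandom RNG = new SecureRandom();
    private static final long TTL_MILLIS = 30 * 60 * 1000L; // assumed 30-minute lifetime

    /** What is persisted per token: the user it is bound to and when it stops being valid. */
    static final class Record {
        final String email;
        final long expiresAt;
        Record(String email, long expiresAt) { this.email = email; this.expiresAt = expiresAt; }
    }

    // Stands in for the token/user relationship the answer says must exist in the database;
    // the key is the SHA-256 hash of the token, never the token itself.
    private final Map<String, Record> byTokenHash = new HashMap<>();

    /** Generate a random token for the user found by e-mail, bind its hash, return the raw token. */
    public String issue(String email, long now) {
        byte[] raw = new byte[32];                 // 256 bits from a CSPRNG, not guessable
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        byTokenHash.put(sha256(token), new Record(email, now + TTL_MILLIS));
        return token;
    }

    /** The link that the e-mail would carry (host and route are assumed, not from the page). */
    public static String resetLink(String token) {
        return "https://example.invalid/redefinirSenha?token=" + token;
    }

    /** "Does it exist? Has it expired?" Returns the bound user without consuming the token. */
    public Optional<String> lookup(String token, long now) {
        String hash = sha256(token);
        Record r = byTokenHash.get(hash);
        if (r == null) {
            return Optional.empty();
        }
        if (now > r.expiresAt) {                   // expired: unlink it so it can never be used
            byTokenHash.remove(hash);
            return Optional.empty();
        }
        return Optional.of(r.email);
    }

    /** Called after the password has been updated: invalidate so the link cannot be replayed. */
    public boolean consume(String token, long now) {
        Optional<String> user = lookup(token, now);
        if (!user.isPresent()) {
            return false;
        }
        byTokenHash.remove(sha256(token));
        return true;
    }

    private static String sha256(String s) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(d);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);   // SHA-256 is mandatory in every JDK
        }
    }

    public static void main(String[] args) {
        PasswordResetTokens svc = new PasswordResetTokens();
        long now = System.currentTimeMillis();
        String token = svc.issue("ana@example.invalid", now);   // constructed sample user
        System.out.println("link:        " + resetLink(token));
        System.out.println("valid now:   " + svc.lookup(token, now).isPresent());
        System.out.println("consumed:    " + svc.consume(token, now));
        System.out.println("replay:      " + svc.consume(token, now));
        String stale = svc.issue("ana@example.invalid", now);
        System.out.println("after TTL:   " + svc.lookup(stale, now + TTL_MILLIS + 1).isPresent());
    }
}
```

In the Play application the `Record` map would be the `token`/`tokenValidityDate` columns on `Funcionario` (storing the hash in `token`), `issue` would run in the action behind the e-mail form, and `lookup`/`consume` in the action that receives `?token=` and renders the new-password view. Keeping `lookup` separate from `consume` lets the action show the form on a GET and only invalidate the token once the POST has actually updated the password.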