How can I generate temporary URL to recover password in the play framework?

Question

How can I generate temporary URL to recover password in the play framework?

Asked 7 years, 4 months ago

Viewed 547 times

0

I am developing a web application using the play 1.4 framework (didactic version) and I want to implement the password recovery functionality where the user will place his email and will be sent a temporary link to reset his password. My doubt, how to generate this temporary link send to completed email and validate the new password?

My MODEL works where already add public String token; Date tokenValidityDate; I know you will need: `package models;

 import javax.crypto.Cipher;
 import javax.crypto.SecretKey;
 import javax.crypto.spec.SecretKeySpec;
 import javax.persistence.Entity;
 import javax.persistence.EnumType;
 import javax.persistence.Enumerated;

 import org.apache.commons.codec.binary.Base64;
 import org.apache.commons.lang.StringUtils;

 import play.data.validation.MinSize;
 import play.data.validation.Required;
 import play.db.jpa.Model;
 import sun.util.calendar.BaseCalendar.Date;

 @Entity
 public class Funcionario extends Model {

final static String chave = "0123456789abcdef";
private static final String ALGORITMO = "AES";
private static byte[] mensagemEncriptada;
private static byte[] mensagemDescriptada;
private static SecretKey key;

public String nome;

public String funcao;

public String nivelAcesso;

public String login;
@MinSize(4)
public String senha;

public String email;

public String token;
Date tokenValidityDate;
@Enumerated(EnumType.STRING)
public Status status;

public Funcionario() {
    status = Status.ATIVO;
}

public boolean autenticar() throws Exception {
    Funcionario u = Funcionario.find("login = ? and senha = ?", login, descriptografar(senha)).first();

    if (u == null) {
        return false;
    } else {
        return true;
    }
}


public static String descriptografar(String mensagem) throws Exception {

    key = new SecretKeySpec(chave.getBytes(), "AES");
    Cipher cipher = Cipher.getInstance("AES");
    cipher.init(Cipher.ENCRYPT_MODE, key);
    mensagemDescriptada = cipher.doFinal(mensagem.getBytes());

    return StringUtils.trim(Base64.encodeBase64String(mensagemDescriptada));
}
}

` My html page to recover password:

<!DOCTYPE html>
 <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
 <html>
 <head>
 <meta charset="ISO-8859-1">
 <link rel="stylesheet" media="screen" href="@{'/public/stylesheets/login.css'}">
 <title>Octopus</title>
 </head>
 <body background="/public/images/back.png">
 <form action="@{Logins.logar}" method="post">
 <input type="hidden" name="login.id" value="${u?.id}" />
 <div class="login">
 <p><center><small>Digite seu endereço de e-mail para redefinir a senha.</small></center></p></small>
<input type="text" placeholder="E-mail" name="funcionario.email" value="${flash['funcionario.email'] ? flash['funcionario.email'] : u?.email}"  > 
<span class="bg-danger">#{error 'login.email' /}</span>  
<input type="submit" value="Enviar">
 </div>
 <div class="shadow"></div>
 </form>
 </body>
 </html>

1

What I would do at my current level was what came to mind: When requesting the password exchange, the email would be passed, this email served to search which user is registered and send the link when generated. Discovered which user, someone would generate a token that would represent that user and serve as a parameter to a valid url. The requester would receive in the email the link (url+token), when accessing would be verified if this token is valid, if yes, search the user who is represented by the token, perform the password exchange and invalidates the token, so that this action can no longer be accessed.

– G. M4rc14L

2017/07/08 at 21:41
exactly that, but in practice I have no idea how to implement, you have some similar example that can help me?

– Carlos Diego

2017/07/10 at 13:09
I’ll take a moment to write a response debugging that "theory" to help you get a light in that tunnel.

– G. M4rc14L

2017/07/10 at 15:06
opa, I am grateful

– Carlos Diego

2017/07/10 at 15:19

1 answer

Browser other questions tagged web-application play-framework password

You are not signed in. Login or sign up in order to post.

by G. M4rc14L • **525** points · Answer 1 · 2017-07-10T16:38:19+00:00

When requesting the password exchange, the e-mail would be passed, this e-mail serve to search which user is registered

Someone will call your entity responsible for access to the bank and search which user is registered with that email. I mean someone, because it depends on how you implemented or will implement your architecture, but in short, someone has to go get this user in the bank.

Discovered which user, someone would generate a token that would represent this user and will serve as a parameter for a valid url.

With the user identified, in case the database record is returned, a token should be generated. This token would consist of a lifetime (expiration), so it can be temporary. When it expires, it is deleted/invalidated, thus being unlinked from the user and can no longer be used.

For it to "represent" the usurer, they must be linked in some way that the system finds/understands. For example, having a field or table that creates a relationship between the token and your user. With this idea, after generating the token you would register/link this token to the user.

and send the link when generated.

Finally you already have the link ready, with the same email sent as request, you send to the user for password exchange.

The requester would receive in the email the link(url+token), when accessing would verified if this token is valid, if yes, search the user who is represents the token, performs the password exchange and invalidates the token, so that this action can no longer be accessed.

Since the goal is a url and that is temporary, you would create an action that received this token as parameter, when receiving this parameter is checked if this token is valid (it has expired ?, does it exist? etc), if it is still valid, you would search in the database which user is linked to that token, really knowing who wants to exchange password.

returns the view, the user successfully changes the password (normal update path) and then you invalidate the token so that it can not be used again, if the user wants to change the password again, will have to do all previous process.

On the run, but that’s it.

Note: You must have some library that generates tokens, do a search.