/**
 * Issues a signed, time-limited password reset token for the account whose
 * e-mail matches {@code _user}, records it on the stored account (so that a
 * later reset can check it is presented at most once) and returns it.
 *
 * @param _user carries the e-mail address of the account to reset
 * @return the signed reset token
 * @throws NoSuchUserException if no account exists for that e-mail
 */
@Override
public String requestPasswordReset(AppUser _user) throws NoSuchUserException {
    String email = _user.getEmail();

    AppUser stored = db.load(AppUser.class, email);
    if (stored == null) {
        throw new NoSuchUserException(email);
    }

    // SECURITY: the signing key is a hard-coded placeholder ("hello") that also
    // appears in resetPassword. Anyone who knows that key can presumably mint a
    // token that SignedToken.validate accepts for any e-mail address.
    // TODO: fetch the key from KmsDao before this ships.
    String token = SignedToken.sign(email, "hello", PASS_RESET_VALIDITY_MILLIS);

    // Persist the issued token so resetPassword can enforce single use.
    stored.setPasswordResetToken(token);
    db.save(stored);
    return token;
}
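/**
 * Consumes a password reset token issued by {@link #requestPasswordReset(AppUser)}
 * and, if it is valid, unexpired and not yet used, replaces the account's password.
 *
 * @param signedToken the token handed out by requestPasswordReset
 * @param newPassword the new clear-text password; only its hash is stored
 * @return {@code true} if the password was changed; {@code false} if the token is
 *         invalid, expired, already consumed, or no longer maps to an existing account
 */
@Override
public boolean resetPassword(String signedToken, String newPassword) {
    // SECURITY: hard-coded placeholder signing key; must match requestPasswordReset.
    // TODO: use KmsDao
    String email = SignedToken.validate(signedToken, "hello");
    if (email == null) {
        // Invalid or expired token. (The original test was inverted: it rejected
        // every valid token and continued with a null e-mail for invalid ones.)
        return false;
    }

    AppUser user = db.load(AppUser.class, email);
    if (user == null) {
        // Account was removed after the token was issued; nothing to reset.
        return false;
    }

    // Single-use check: the presented token must be the one still pending on the
    // account. This string compare is not constant-time; that is acceptable only
    // because the signature check above is what rejects forged tokens.
    if (ObjectUtils.notEqual(signedToken, user.getPasswordResetToken())) {
        // No reset pending, or this token was already consumed.
        return false;
    }

    user.setPasswordHash(PasswordUtil.hash(newPassword, email));
    user.setPasswordResetToken(null); // consume the token
    db.save(user);
    return true;
}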