Validate account status in OneTimeTokenAuthenticationProvider

therepanic · therepanic · commit 6acc76f4d12f · 2025-08-02T15:45:41.000+03:00
Signed-off-by: Andrey Litvitski &lt;andrey1010102008@gmail.com&gt;
diff --git a/core/src/main/java/org/springframework/security/authentication/ott/OneTimeTokenAuthenticationProvider.java b/core/src/main/java/org/springframework/security/authentication/ott/OneTimeTokenAuthenticationProvider.java
@@ -16,11 +16,18 @@
 
 package org.springframework.security.authentication.ott;
 
-import org.springframework.security.authentication.AuthenticationProvider;
-import org.springframework.security.authentication.BadCredentialsException;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.springframework.context.MessageSource;
+import org.springframework.context.MessageSourceAware;
+import org.springframework.context.support.MessageSourceAccessor;
+import org.springframework.security.authentication.*;
+import org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.SpringSecurityMessageSource;
 import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.core.userdetails.UserDetailsChecker;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
 import org.springframework.util.Assert;
@@ -33,12 +40,18 @@
  * @author Marcus da Coregio
  * @since 6.4
  */
-public final class OneTimeTokenAuthenticationProvider implements AuthenticationProvider {
+public final class OneTimeTokenAuthenticationProvider implements AuthenticationProvider, MessageSourceAware {
+
+	private final Log logger = LogFactory.getLog(getClass());
 
 	private final OneTimeTokenService oneTimeTokenService;
 
 	private final UserDetailsService userDetailsService;
 
+	private UserDetailsChecker userDetailsChecker = new DefaultPreAuthenticationChecks();
+
+	private MessageSourceAccessor messages = SpringSecurityMessageSource.getAccessor();
+
 	public OneTimeTokenAuthenticationProvider(OneTimeTokenService oneTimeTokenService,
 			UserDetailsService userDetailsService) {
 		Assert.notNull(oneTimeTokenService, "oneTimeTokenService cannot be null");
@@ -56,6 +69,7 @@ public Authentication authenticate(Authentication authentication) throws Authent
 		}
 		try {
 			UserDetails user = this.userDetailsService.loadUserByUsername(consumed.getUsername());
+			userDetailsChecker.check(user);
 			OneTimeTokenAuthenticationToken authenticated = OneTimeTokenAuthenticationToken.authenticated(user,
 					user.getAuthorities());
 			authenticated.setDetails(otpAuthenticationToken.getDetails());
@@ -71,4 +85,39 @@ public boolean supports(Class<?> authentication) {
 		return OneTimeTokenAuthenticationToken.class.isAssignableFrom(authentication);
 	}
 
+	@Override
+	public void setMessageSource(MessageSource messageSource) {
+		this.messages = new MessageSourceAccessor(messageSource);
+	}
+
+	public void setUserDetailsChecker(UserDetailsChecker userDetailsChecker) {
+		this.userDetailsChecker = userDetailsChecker;
+	}
+
+	private class DefaultPreAuthenticationChecks implements UserDetailsChecker {
+
+		@Override
+		public void check(UserDetails user) {
+			if (!user.isAccountNonLocked()) {
+				OneTimeTokenAuthenticationProvider.this.logger
+						.debug("Failed to authenticate since user account is locked");
+				throw new LockedException(OneTimeTokenAuthenticationProvider.this.messages
+						.getMessage("AbstractUserDetailsAuthenticationProvider.locked", "User account is locked"));
+			}
+			if (!user.isEnabled()) {
+				OneTimeTokenAuthenticationProvider.this.logger
+						.debug("Failed to authenticate since user account is disabled");
+				throw new DisabledException(OneTimeTokenAuthenticationProvider.this.messages
+						.getMessage("AbstractUserDetailsAuthenticationProvider.disabled", "User is disabled"));
+			}
+			if (!user.isAccountNonExpired()) {
+				OneTimeTokenAuthenticationProvider.this.logger
+						.debug("Failed to authenticate since user account has expired");
+				throw new AccountExpiredException(OneTimeTokenAuthenticationProvider.this.messages
+						.getMessage("AbstractUserDetailsAuthenticationProvider.expired", "User account has expired"));
+			}
+		}
+
+	}
+
 }
