Skip to content

Validate account status in OneTimeTokenAuthenticationProvider #17656

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Validate account status in OneTimeTokenAuthenticationProvider #17656

wants to merge 1 commit into from

Conversation

therepanic
Copy link
Contributor

@therepanic therepanic commented Aug 2, 2025
edited
Loading

The main problem is that OneTimeTokenAuthenticationProvider does not extend from AbstractUserDetailsAuthenticationProvider, which has a preauthentication check for user details. However, we do not need to extend from it because it does not fit the context of the class. In this regard, I decided to add my own checker to this commit, which performs a preauthentication check before authorizing the account, similar to how it is done in AbstractUserDetailsAuthenticationProvider. I also added a test to OneTimeTokenAuthenticationProviderTests that identifies this problem.

Closes: #17655

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Aug 2, 2025
@therepanic therepanic force-pushed the gh-17655 branch 2 times, most recently from c7c8f08 to 971a23c Compare August 2, 2025 13:30
@therepanic therepanic marked this pull request as ready for review August 2, 2025 13:31
therepanic
therepanic commented Aug 2, 2025
View reviewed changes
...java/org/springframework/security/authentication/ott/OneTimeTokenAuthenticationProvider.java
Comment on lines +108 to +110
throw new LockedException(OneTimeTokenAuthenticationProvider.this.messages
.getMessage("AbstractUserDetailsAuthenticationProvider.locked", "User account is locked"));
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To be honest, I agree with you that this is a slippery slope. On the other hand, it will work.

Is there any other way to do this? Yes, we could hypothetically copy the message text personally for OneTimeTokenAuthenticationProvider, but I believe that this is not flexible at all.

Are there any suggestions?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we should just throw messages directly.

In AbstractUserDetailsAuthenticationProvider for BadCredentialsException, we do

this.messages.getMessage(“AbstractUserDetailsAuthenticationProvider.badCredentials”, “Bad credentials”)

In turn, in OneTimeTokenAuthenticationProvider, we write this directly. Therefore, I think it would be best to simply display error messages without using MessageSourceAccessor.

@therepanic
Validate account status in OneTimeTokenAuthenticationProvider
b2bd58d 
The main problem is that OneTimeTokenAuthenticationProvider does not
extend from AbstractUserDetailsAuthenticationProvider, which has a
preauthentication check for user details. However, we do not need to
extend from it because it does not fit the context of the class. In this
regard, I decided to add my own checker to this commit, which performs a
preauthentication check before authorizing the account, similar to how
it is done in AbstractUserDetailsAuthenticationProvider. I also added a
test to OneTimeTokenAuthenticationProviderTests that identifies this
problem.

Closes: spring-projectsgh-17655
Signed-off-by: Andrey Litvitski <[email protected]>

1

Signed-off-by: Andrey Litvitski <[email protected]>
ronodhirSoumik
ronodhirSoumik reviewed Aug 6, 2025
View reviewed changes
...java/org/springframework/security/authentication/ott/OneTimeTokenAuthenticationProvider.java
@@ -56,6 +74,7 @@ public Authentication authenticate(Authentication authentication) throws Authent
}
try {
Copy link
Contributor

@ronodhirSoumik ronodhirSoumik Aug 6, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the catch can be common something considering your added exceptions - like AuthenticationException
Then you can send specific exception message

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you in advance for your comment.

Am I correct in assuming that you are suggesting something like this:

try {...

} catch (AuthenticationException e) {
throw new BadCredentialsException(e.getMessage());
}

In general, I personally think that this is not a good idea, as we would like the user to know what type of exception is being thrown. Since in check() we throw exceptions that are primarily inherited from AccountStatusException. We should also understand that BadCredentialsException is not related to AccountStatusException, which I think could confuse the user.

You can also see how this is implemented in AbstractUserDetailsAuthenticationProvider.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ronodhirSoumik ronodhirSoumik ronodhirSoumik left review comments

Assignees
No one assigned
Labels
status: waiting-for-triage An issue we've not yet triaged
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

OneTimeTokenAuthenticationProvider should validate UserDetails account status like DaoAuthenticationProvider
3 participants
@therepanic @ronodhirSoumik @spring-projects-issues