Skip to content

feat(auth): add session management options to credential change endpoints #15

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
lucas-adm merged 1 commit into from
Apr 15, 2026
Merged

feat(auth): add session management options to credential change endpoints #15

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
17 changes: 15 additions & 2 deletions src/main/java/br/com/notehub/application/controller/user/UserController.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@
import br.com.notehub.application.dto.response.page.PageRES;
import br.com.notehub.application.dto.response.user.CreateUserRES;
import br.com.notehub.application.dto.response.user.DetailUserRES;
import br.com.notehub.domain.token.TokenService;
import br.com.notehub.domain.user.Subscription;
import br.com.notehub.domain.user.User;
import br.com.notehub.domain.user.UserService;
Expand All @@ -20,6 +21,7 @@
import io.swagger.v3.oas.annotations.responses.ApiResponses;
import io.swagger.v3.oas.annotations.security.SecurityRequirement;
import io.swagger.v3.oas.annotations.tags.Tag;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.validation.Valid;
import lombok.RequiredArgsConstructor;
import org.springdoc.core.annotations.ParameterObject;
Expand Down Expand Up @@ -48,6 +50,7 @@ public class UserController {
private String client;

private final UserService service;
private final TokenService tokenService;
private final MailProducer producer;

private UUID getSubject(String bearerToken) {
Expand Down Expand Up @@ -94,37 +97,47 @@ public ResponseEntity<Void> activeUser(
@Operation(summary = "Reset user password", description = "Resets the user's password using the provided token.")
@ApiResponses(value = {
@ApiResponse(responseCode = "204", description = "User's password updated successfully."),
@ApiResponse(responseCode = "400", description = "Invalid or same password."),
@ApiResponse(responseCode = "400", description = """
- `INVALID_DEVICE_ID`: Missing or invalid X-Device-Id
- `SAME_PASSWORD`: Invalid password or new password is identical to the current one
"""),
@ApiResponse(responseCode = "403", description = "Invalid token."),
@ApiResponse(responseCode = "404", description = "User not found."),
@ApiResponse(responseCode = "500", description = "Internal server error.")
})
@PatchMapping("/change-password")
public ResponseEntity<Void> patchPassword(
HttpServletRequest request,
@Parameter(hidden = true) @RequestHeader("Authorization") String token,
@Valid @RequestBody ChangePasswordREQ dto
) {
String emailFromToken = getSubject(token, "password");
service.changePassword(emailFromToken, dto.password());
if (dto.disconnectAll()) tokenService.disconnectAll(request, dto.keepCurrentSession(), emailFromToken);
return ResponseEntity.status(HttpStatus.NO_CONTENT).build();
}

@Operation(summary = "Update email", description = "Updates the user's email address.")
@ApiResponses(value = {
@ApiResponse(responseCode = "204", description = "Email updated successfully."),
@ApiResponse(responseCode = "400", description = "Invalid or same email."),
@ApiResponse(responseCode = "400", description = """
- `INVALID_DEVICE_ID`: Missing or invalid X-Device-Id
- `SAME_EMAIL`: Invalid email or new email is identical to the current one
"""),
@ApiResponse(responseCode = "403", description = "Invalid token."),
@ApiResponse(responseCode = "404", description = "User not found."),
@ApiResponse(responseCode = "406", description = "Email already exists."),
@ApiResponse(responseCode = "500", description = "Internal server error.")
})
@PatchMapping("/change-email")
public ResponseEntity<Void> patchEmail(
HttpServletRequest request,
@Parameter(hidden = true) @RequestHeader("Authorization") String token,
@Valid @RequestBody ChangeEmailREQ dto
) {
String emailFromToken = getSubject(token, "email");
service.changeEmail(emailFromToken, dto.email());
if (dto.disconnectAll()) tokenService.disconnectAll(request, dto.keepCurrentSession(), emailFromToken);
return ResponseEntity.status(HttpStatus.NO_CONTENT).build();
}

Expand Down
4 changes: 3 additions & 1 deletion src/main/java/br/com/notehub/application/dto/request/user/ChangeEmailREQ.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,8 @@ public record ChangeEmailREQ(
regexp = "(?i)[a-z0-9!#$%&'*+=?^_`{|}~-]+(?:\\.[a-z0-9!#$%&'*+=?^_`{|}~-]+)*@(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?",
message = "Email inválido"
)
String email
String email,
boolean disconnectAll,
boolean keepCurrentSession
) {
}
4 changes: 3 additions & 1 deletion src/main/java/br/com/notehub/application/dto/request/user/ChangePasswordREQ.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,8 @@
public record ChangePasswordREQ(
@NotBlank(message = "Não pode ser vazio")
@Size(min = 4, max = 255, message = "Tamanho inválido")
String password
String password,
boolean disconnectAll,
boolean keepCurrentSession
) {
}
8 changes: 8 additions & 0 deletions src/main/java/br/com/notehub/application/implementation/token/TokenServiceImpl.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -259,6 +259,14 @@ public void logout(HttpServletRequest request) {
repository.delete(token);
}

@Override
public void disconnectAll(HttpServletRequest request, boolean keepCurrentSession, String email) {
List<Token> connections = repository.findAllByUserEmail(email);
UUID device = validateDevice(request);
if (keepCurrentSession) connections = connections.stream().filter(t -> !t.getDevice().equals(device)).toList();
repository.deleteAll(connections);
}

@Override
public void cleanExpiredTokens() {
List<Token> expiredTokens = repository.findExpiredTokens(Instant.now());
Expand Down
2 changes: 2 additions & 0 deletions src/main/java/br/com/notehub/domain/token/TokenRepository.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,8 @@ public interface TokenRepository extends JpaRepository<Token, UUID> {

Optional<Token> findByDevice(UUID id);

List<Token> findAllByUserEmail(String email);

@Query("SELECT t FROM Token t WHERE t.expiresAt < :now")
List<Token> findExpiredTokens(@Param("now") Instant now);

Expand Down
2 changes: 2 additions & 0 deletions src/main/java/br/com/notehub/domain/token/TokenService.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,6 +36,8 @@ public interface TokenService {

void logout(HttpServletRequest request);

void disconnectAll(HttpServletRequest request, boolean keepCurrentSession, String email);

void cleanExpiredTokens();

}
Loading