encoding password.

Author: mertakdut

BankApplicationBackend/src/main/java/com/demo/bankapp/configuration/SecurityConfig.java

@@ -1,14 +1,17 @@
 package com.demo.bankapp.configuration;
 
+import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+import org.springframework.security.crypto.password.PasswordEncoder;
 
 @Configuration
 public class SecurityConfig {
 
-//	@Bean
-//	public PasswordEncoder passwordEncoder() {
-//		return new BCryptPasswordEncoder();
-//	}
+	@Bean
+	public PasswordEncoder passwordEncoder() {
+		return new BCryptPasswordEncoder();
+	}
 
 
 }

BankApplicationBackend/src/main/java/com/demo/bankapp/controller/UserController.java

@@ -73,7 +73,7 @@ public Resource<User> login(@RequestBody LoginRequest request) {
 			throw new BadRequestException("Invalid credentials.");
 		}
 
-		User user = userService.login(request);
+		User user = userService.login(request.getUsername(), request.getPassword());
 		return assembler.toResource(user);
 	}
 

BankApplicationBackend/src/main/java/com/demo/bankapp/service/abstractions/IUserService.java

@@ -8,13 +8,13 @@
 public interface IUserService {
 
 	List<User> findAll();
-	
+
 	User findByUserName(String username);
-	
+
 	User findByTcno(String tcno);
-	
+
 	User createNewUser(User user);
-	
-	User login(LoginRequest request);
+
+	User login(String username, String password);
 
 }

BankApplicationBackend/src/main/java/com/demo/bankapp/service/concretions/UserService.java

@@ -3,13 +3,13 @@
 import java.util.List;
 
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.stereotype.Service;
 
 import com.demo.bankapp.exception.BadCredentialsException;
 import com.demo.bankapp.exception.UserNotFoundException;
 import com.demo.bankapp.model.User;
 import com.demo.bankapp.repository.UserRepository;
-import com.demo.bankapp.request.LoginRequest;
 import com.demo.bankapp.service.abstractions.IUserService;
 
 @Service
@@ -18,24 +18,27 @@ public class UserService implements IUserService {
 	@Autowired
 	private UserRepository repository;
 
+	@Autowired
+	private PasswordEncoder passwordEncoder;
+
 	@Override
 	public List<User> findAll() {
 		return repository.findAll();
 	}
 
 	@Override
 	public User createNewUser(User user) {
+		user.setPassword(passwordEncoder.encode(user.getPassword()));
 		return repository.save(user);
 	}
 
 	@Override
-	public User login(LoginRequest request) {
+	public User login(String username, String password) {
 
-		User user = findByUserName(request.getUsername());
+		User user = findByUserName(username);
+		String encodedPassword = passwordEncoder.encode(password);
 
-		// TODO: Encoding.
-		// TODO: Stop timing attacks.
-		if (user.getPassword() == null || !user.getPassword().equals(request.getPassword())) {
+		if (!encodedPassword.equals(user.getPassword())) {
 			throw new BadCredentialsException();
 		}
 
@@ -62,4 +65,17 @@ public User findByTcno(String tcno) {
 			return user;
 	}
 
+	// Avoid timing attacks?
+	// private boolean isEqual(byte[] a, byte[] b) {
+	// if (a.length != b.length) {
+	// return false;
+	// }
+	//
+	// int result = 0;
+	// for (int i = 0; i < a.length; i++) {
+	// result |= a[i] ^ b[i];
+	// }
+	// return result == 0;
+	// }
+
 }