
I'm trying to authenticate my user's given password against the one that is hashed in the DB, but I think I'm comparing both of the given values? Is there a better (or proper) way to do this?

I'm also not sure what exception I should use for the password not matching.

Controller code -

@PostMapping(path = "/login")
public Object login(User user) throws UsernameNotFoundException {
    User existingUser = userService.findUserByEmail(user.getEmail());
    if (existingUser.getEmail() == null || existingUser.getEmail().equals("")) {
        return new UsernameNotFoundException("User not found");
    }

    String password = user.getPassword();
    BCryptPasswordEncoder bcryptEncoder = new BCryptPasswordEncoder();
    String hashedPassword = "";
    boolean isPasswordMatched = bcryptEncoder.matches(password, hashedPassword);

    if (!isPasswordMatched) {
        return new UsernameNotFoundException("Credentials don't match");
    } else {
        return existingUser;
    }
}
  • hashedPassword is always an empty string. Have you stored a password in DB with value as empty string? – Panagiotis Bougioukos Mar 19 '21 at 21:08
  • @Boug No I have not. Pardon my ignorance, I'm new to BCrypt and have been confused by the matching. –  Mar 19 '21 at 21:18
  • Are you getting an exception or is something specific not working? Can you reword the question to be more specific? Otherwise this is potentially off-topic - please see https://stackoverflow.com/help/on-topic – Kevin Hooke Mar 19 '21 at 21:21
  • @KevinHooke It's allowing me to login when the passwords don't match –  Mar 19 '21 at 21:35
  • Boug is pointing out that when you call bcryptEncoder.matches(password, hashedPassword); the value for hashedPassword is always "" (you set it in the previous line). Unless your user's password is also "" this will never work? – Kevin Hooke Mar 19 '21 at 21:37
  • @KevinHooke That would make sense. I'm having a blank moment trying to figure out how I should call this. –  Mar 19 '21 at 21:42
  • When you call user.getPassword() what value are you getting back? Is it also ""? If so, that might explain (without fixing the other empty string) why isPasswordMatched is currently true when you think it shouldn't be. – Kevin Hooke Mar 19 '21 at 21:46
  • @KevinHooke When I call user.getPassword() I'm getting back the password I (as the user) have passed in. The problem is that whether isPasswordMatched is true or not, it approves it. –  Mar 19 '21 at 22:03

1 Answer


If isPasswordMatched is false, you are returning an instance of UsernameNotFoundException instead of throwing the exception. Instead of:

return new UsernameNotFoundException("Credentials don't match");

change it to:

throw new UsernameNotFoundException("Credentials don't match");

Kevin Hooke
  • That definitely prevents it from accepting a false password. Now I need to figure out how to compare it to the actual DB password. It appears that I'm not calling it correctly... –  Mar 19 '21 at 22:20
  • You need to compare existingUser.getPassword() (is this what you retrieved from the db?) with the encoded password entered by the user, which I think is your user.getPassword() – Kevin Hooke Mar 19 '21 at 22:29
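The two fixes discussed on this page (throw the exception instead of returning it, and pass the hash stored for the user rather than "" as the second argument of matches()) combined into one runnable login flow. This is an added example, not the asker's code or the answerer's; it assumes spring-security-core and spring-security-crypto on the classpath, and the User class and the in-memory map are constructed stand-ins for the asker's User entity and userService. Note the argument order: BCryptPasswordEncoder.matches(rawPassword, encodedPassword) takes the plaintext the user just typed first and the stored bcrypt hash second; bcrypt re-hashes the plaintext with the salt embedded in the stored hash, so nothing from the request is ever hashed and compared by hand. With "" as the stored hash, matches() returns false, so in the original controller every login returned a UsernameNotFoundException object as a 200 response body, which is why it looked like logins were being accepted.

```java
import java.util.HashMap;
import java.util.Map;

import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

// Added example, not code from the question or answer. Assumes Spring Security on the
// classpath; User and the in-memory "repository" are constructed stand-ins for the
// asker's User entity and userService.findUserByEmail(...).
public class LoginExample {

    // Hypothetical stand-in for the asker's User entity.
    static final class User {
        private final String email;
        private final String passwordHash;   // bcrypt hash as stored in the DB, never the raw password

        User(String email, String passwordHash) {
            this.email = email;
            this.passwordHash = passwordHash;
        }

        String getEmail() { return email; }
        String getPassword() { return passwordHash; }  // returns the stored hash
    }

    // One shared encoder; creating one per request (as in the question) also works.
    private final PasswordEncoder encoder = new BCryptPasswordEncoder();

    // Constructed in-memory stand-in for the database lookup by e-mail.
    private final Map<String, User> usersByEmail = new HashMap<>();

    // Registration: hash the raw password once and store only the hash.
    public void register(String email, String rawPassword) {
        usersByEmail.put(email, new User(email, encoder.encode(rawPassword)));
    }

    // Login: compare the submitted raw password against the STORED hash.
    // Failures are thrown, not returned, so the controller never answers 200 with an exception body.
    public User login(String email, String rawPassword) {
        User existingUser = usersByEmail.get(email);
        if (existingUser == null) {
            // A null check on the lookup result itself; calling existingUser.getEmail() first would NPE.
            throw new UsernameNotFoundException("User not found");
        }
        // matches(raw, encoded): raw plaintext from the request, encoded hash from the DB.
        if (!encoder.matches(rawPassword, existingUser.getPassword())) {
            throw new BadCredentialsException("Credentials don't match");
        }
        return existingUser;
    }

    public static void main(String[] args) {
        LoginExample svc = new LoginExample();
        svc.register("alice@example.com", "correct horse battery staple"); // constructed sample user

        System.out.println("good login: " + svc.login("alice@example.com", "correct horse battery staple").getEmail());

        try {
            svc.login("alice@example.com", "wrong password");
        } catch (BadCredentialsException e) {
            System.out.println("bad password rejected: " + e.getMessage());
        }

        try {
            svc.login("nobody@example.com", "whatever");
        } catch (UsernameNotFoundException e) {
            System.out.println("unknown user rejected: " + e.getMessage());
        }
    }
}
```

Both UsernameNotFoundException and BadCredentialsException extend Spring Security's AuthenticationException, so a single @ExceptionHandler(AuthenticationException.class) on the controller (or a @ControllerAdvice) can map either to a 401 instead of letting it surface as a 500. BadCredentialsException is the exception Spring's own authentication providers throw for a password mismatch; many deployments deliberately return the same generic message for "user not found" and "wrong password" so that the login endpoint does not reveal which e-mail addresses exist.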