src/main/java/com/commafeed/backend/service/UserService.java

package com.commafeed.backend.service;

import java.util.Collection;
import java.util.Date;
import java.util.UUID;

import javax.inject.Inject;
import javax.inject.Singleton;
import javax.servlet.http.HttpSession;

import lombok.RequiredArgsConstructor;

import org.apache.commons.codec.digest.DigestUtils;
import org.apache.commons.lang.StringUtils;

import com.commafeed.CommaFeedConfiguration;
import com.commafeed.backend.dao.FeedCategoryDAO;
import com.commafeed.backend.dao.UserDAO;
import com.commafeed.backend.dao.UserSettingsDAO;
import com.commafeed.backend.model.User;
import com.commafeed.backend.model.UserRole;
import com.commafeed.backend.model.UserRole.Role;
import com.commafeed.backend.service.internal.PostLoginActivities;
import com.google.common.base.Optional;
import com.google.common.base.Preconditions;

@RequiredArgsConstructor(onConstructor = @__({ @Inject }))
@Singleton
public class UserService {

	private static final String SESSION_KEY_USER = "user";

	private final FeedCategoryDAO feedCategoryDAO;
	private final UserDAO userDAO;
	private final UserSettingsDAO userSettingsDAO;

	private final FeedSubscriptionService feedSubscriptionService;
	private final PasswordEncryptionService encryptionService;
	private final CommaFeedConfiguration config;

	/**
	 * try to log in with given credentials
	 */
	public Optional<User> login(String nameOrEmail, String password) {
		if (nameOrEmail == null || password == null) {
			return Optional.absent();
		}

		User user = userDAO.findByName(nameOrEmail);
		if (user == null) {
			user = userDAO.findByEmail(nameOrEmail);
		}
		if (user != null && !user.isDisabled()) {
			boolean authenticated = encryptionService.authenticate(password, user.getPassword(), user.getSalt());
			if (authenticated) {
				afterLogin(user);
				return Optional.fromNullable(user);
			}
		}
		return Optional.absent();
	}

	/**
	 * try to log in with given credentials and create a session for the user
	 */
	public Optional<User> login(String nameOrEmail, String password, HttpSession sessionToFill) {
		Optional<User> user = login(nameOrEmail, password);
		if (user.isPresent()) {
			sessionToFill.setAttribute(SESSION_KEY_USER, user.get());
		}
		return user;
	}

	/**
	 * try to log in by checking if the user has an active session
	 */
	public Optional<User> login(HttpSession session) {
		if (session != null) {
			User user = (User) session.getAttribute(SESSION_KEY_USER);
			if (user != null) {
				afterLogin(user);
				return Optional.of(user);
			}
		}
		return Optional.absent();
	}

	/**
	 * try to log in with given api key
	 */
	public Optional<User> login(String apiKey) {
		if (apiKey == null) {
			return Optional.absent();
		}

		User user = userDAO.findByApiKey(apiKey);
		if (user != null && !user.isDisabled()) {
			afterLogin(user);
			return Optional.fromNullable(user);
		}
		return Optional.absent();
	}

	/**
	 * should triggers after successful login
	 * 
	 * Note: Visibility changed to package private to enabled spying on this method
	 */
	void afterLogin(User user) {
		new PostLoginActivities(userDAO, feedSubscriptionService, config).afterLogin(user);
	}

	public User register(String name, String password, String email, Collection<Role> roles) {
		return register(name, password, email, roles, false);
	}

	public User register(String name, String password, String email, Collection<Role> roles, boolean forceRegistration) {

		Preconditions.checkNotNull(name);
		Preconditions.checkArgument(StringUtils.length(name) <= 32, "Name too long (32 characters maximum)");
		Preconditions.checkNotNull(password);

		if (!forceRegistration) {
			Preconditions.checkState(config.getApplicationSettings().isAllowRegistrations(),
					"Registrations are closed on this CommaFeed instance");

			Preconditions.checkNotNull(email);
			Preconditions.checkArgument(StringUtils.length(name) >= 3, "Name too short (3 characters minimum)");
			Preconditions
					.checkArgument(forceRegistration || StringUtils.length(password) >= 6, "Password too short (6 characters maximum)");
			Preconditions.checkArgument(StringUtils.contains(email, "@"), "Invalid email address");
		}

		Preconditions.checkArgument(userDAO.findByName(name) == null, "Name already taken");
		if (StringUtils.isNotBlank(email)) {
			Preconditions.checkArgument(userDAO.findByEmail(email) == null, "Email already taken");
		}

		User user = new User();
		byte[] salt = encryptionService.generateSalt();
		user.setName(name);
		user.setEmail(email);
		user.setCreated(new Date());
		user.setSalt(salt);
		user.setPassword(encryptionService.getEncryptedPassword(password, salt));
		for (Role role : roles) {
			user.getRoles().add(new UserRole(user, role));
		}
		userDAO.saveOrUpdate(user);
		return user;
	}

	public void unregister(User user) {
		feedCategoryDAO.delete(feedCategoryDAO.findAll(user));
		userSettingsDAO.delete(userSettingsDAO.findByUser(user));
		userDAO.delete(user);
	}

	public String generateApiKey(User user) {
		byte[] key = encryptionService.getEncryptedPassword(UUID.randomUUID().toString(), user.getSalt());
		return DigestUtils.sha1Hex(key);
	}
}
removed wicket and tomee, use dropwizard instead. remove wro4j, use gulp instead 2014-08-08 16:49:02 +02:00			`package com.commafeed.backend.service;`
initial commit 2013-03-20 20:33:42 +01:00
partial user administration 2013-03-30 09:22:49 +01:00			`import java.util.Collection;`
use date constructor directly when a calendar is not needed, better performances 2013-06-25 16:57:48 +02:00			`import java.util.Date;`
recover password (wip) 2013-05-20 21:53:13 +02:00			`import java.util.UUID;`
initial commit 2013-03-20 20:33:42 +01:00
guicing up 2014-08-17 14:16:30 +02:00			`import javax.inject.Inject;`
			`import javax.inject.Singleton;`
hide session management inside UserService 2014-08-15 12:46:52 +02:00			`import javax.servlet.http.HttpSession;`

removed wicket and tomee, use dropwizard instead. remove wro4j, use gulp instead 2014-08-08 16:49:02 +02:00			`import lombok.RequiredArgsConstructor;`
initial commit 2013-03-20 20:33:42 +01:00
recover password (wip) 2013-05-20 21:53:13 +02:00			`import org.apache.commons.codec.digest.DigestUtils;`
registration api (#303) 2013-06-18 12:31:09 +02:00			`import org.apache.commons.lang.StringUtils;`
recover password (wip) 2013-05-20 21:53:13 +02:00
removed wicket and tomee, use dropwizard instead. remove wro4j, use gulp instead 2014-08-08 16:49:02 +02:00			`import com.commafeed.CommaFeedConfiguration;`
allow users to permanently delete their account 2013-05-08 11:15:50 +02:00			`import com.commafeed.backend.dao.FeedCategoryDAO;`
major classes refactoring 2013-04-11 20:49:08 +02:00			`import com.commafeed.backend.dao.UserDAO;`
allow users to permanently delete their account 2013-05-08 11:15:50 +02:00			`import com.commafeed.backend.dao.UserSettingsDAO;`
package refactoring 2013-03-23 16:17:19 +01:00			`import com.commafeed.backend.model.User;`
partial user administration 2013-03-30 09:22:49 +01:00			`import com.commafeed.backend.model.UserRole;`
change role to enum 2013-03-30 19:06:32 +01:00			`import com.commafeed.backend.model.UserRole.Role;`
Extract afterLogin into a separate class 2014-10-08 21:39:39 -04:00			`import com.commafeed.backend.service.internal.PostLoginActivities;`
session support 2014-08-09 15:25:41 +02:00			`import com.google.common.base.Optional;`
check for nulls before querying the database 2013-04-23 09:06:35 +02:00			`import com.google.common.base.Preconditions;`
initial commit 2013-03-20 20:33:42 +01:00
guicing up 2014-08-17 14:16:30 +02:00			`@RequiredArgsConstructor(onConstructor = @__({ @Inject }))`
			`@Singleton`
major classes refactoring 2013-04-11 20:49:08 +02:00			`public class UserService {`
initial commit 2013-03-20 20:33:42 +01:00
hide session management inside UserService 2014-08-15 12:46:52 +02:00			`private static final String SESSION_KEY_USER = "user";`

removed wicket and tomee, use dropwizard instead. remove wro4j, use gulp instead 2014-08-08 16:49:02 +02:00			`private final FeedCategoryDAO feedCategoryDAO;`
			`private final UserDAO userDAO;`
			`private final UserSettingsDAO userSettingsDAO;`
case insensitive login (fixes #16) 2013-04-06 17:10:38 +02:00
removed wicket and tomee, use dropwizard instead. remove wro4j, use gulp instead 2014-08-08 16:49:02 +02:00			`private final FeedSubscriptionService feedSubscriptionService;`
			`private final PasswordEncryptionService encryptionService;`
			`private final CommaFeedConfiguration config;`
move logic to user service 2013-11-26 15:09:32 +01:00
hide session management inside UserService 2014-08-15 12:46:52 +02:00			`/**`
			`* try to log in with given credentials`
			`*/`
login by name or email 2014-08-12 19:55:57 +02:00			`public Optional<User> login(String nameOrEmail, String password) {`
			`if (nameOrEmail == null \|\| password == null) {`
welcome page 2014-08-09 16:07:24 +02:00			`return Optional.absent();`
jklm initial implementation 2013-05-24 09:21:20 +02:00			`}`
check for nulls before querying the database 2013-04-23 09:06:35 +02:00
login by name or email 2014-08-12 19:55:57 +02:00			`User user = userDAO.findByName(nameOrEmail);`
			`if (user == null) {`
			`user = userDAO.findByEmail(nameOrEmail);`
			`}`
add a disabled state to users 2013-03-29 12:59:21 +01:00			`if (user != null && !user.isDisabled()) {`
apply formatter 2013-07-25 09:17:33 +02:00			`boolean authenticated = encryptionService.authenticate(password, user.getPassword(), user.getSalt());`
initial commit 2013-03-20 20:33:42 +01:00			`if (authenticated) {`
user update should proc with api key and cookie login too 2014-08-15 12:18:10 +02:00			`afterLogin(user);`
session support 2014-08-09 15:25:41 +02:00			`return Optional.fromNullable(user);`
initial commit 2013-03-20 20:33:42 +01:00			`}`
			`}`
session support 2014-08-09 15:25:41 +02:00			`return Optional.absent();`
security revamp 2014-08-08 21:57:16 +02:00			`}`

hide session management inside UserService 2014-08-15 12:46:52 +02:00			`/**`
			`* try to log in with given credentials and create a session for the user`
			`*/`
			`public Optional<User> login(String nameOrEmail, String password, HttpSession sessionToFill) {`
			`Optional<User> user = login(nameOrEmail, password);`
			`if (user.isPresent()) {`
			`sessionToFill.setAttribute(SESSION_KEY_USER, user.get());`
			`}`
			`return user;`
			`}`

			`/**`
			`* try to log in by checking if the user has an active session`
			`*/`
			`public Optional<User> login(HttpSession session) {`
don't create a session if it does not exists 2014-08-19 07:34:07 +02:00			`if (session != null) {`
			`User user = (User) session.getAttribute(SESSION_KEY_USER);`
			`if (user != null) {`
			`afterLogin(user);`
			`return Optional.of(user);`
			`}`
hide session management inside UserService 2014-08-15 12:46:52 +02:00			`}`
			`return Optional.absent();`
			`}`

			`/**`
			`* try to log in with given api key`
			`*/`
session support 2014-08-09 15:25:41 +02:00			`public Optional<User> login(String apiKey) {`
security revamp 2014-08-08 21:57:16 +02:00			`if (apiKey == null) {`
session support 2014-08-09 15:25:41 +02:00			`return Optional.absent();`
security revamp 2014-08-08 21:57:16 +02:00			`}`

			`User user = userDAO.findByApiKey(apiKey);`
			`if (user != null && !user.isDisabled()) {`
user update should proc with api key and cookie login too 2014-08-15 12:18:10 +02:00			`afterLogin(user);`
session support 2014-08-09 15:25:41 +02:00			`return Optional.fromNullable(user);`
security revamp 2014-08-08 21:57:16 +02:00			`}`
session support 2014-08-09 15:25:41 +02:00			`return Optional.absent();`
initial commit 2013-03-20 20:33:42 +01:00			`}`
partial user administration 2013-03-30 09:22:49 +01:00
hide session management inside UserService 2014-08-15 12:46:52 +02:00			`/**`
			`* should triggers after successful login`
Added additional tests for UserService login 2014-10-08 20:59:05 -04:00			`*`
Change visibility to package private 2014-10-08 21:03:53 -04:00			`* Note: Visibility changed to package private to enabled spying on this method`
hide session management inside UserService 2014-08-15 12:46:52 +02:00			`*/`
Change visibility to package private 2014-10-08 21:03:53 -04:00			`void afterLogin(User user) {`
Extract afterLogin into a separate class 2014-10-08 21:39:39 -04:00			`new PostLoginActivities(userDAO, feedSubscriptionService, config).afterLogin(user);`
user update should proc with api key and cookie login too 2014-08-15 12:18:10 +02:00			`}`

apply formatter 2013-07-25 09:17:33 +02:00			`public User register(String name, String password, String email, Collection<Role> roles) {`
registration api (#303) 2013-06-18 12:31:09 +02:00			`return register(name, password, email, roles, false);`
added registration on welcome page 2013-04-06 21:38:18 +02:00			`}`

apply formatter 2013-07-25 09:17:33 +02:00			`public User register(String name, String password, String email, Collection<Role> roles, boolean forceRegistration) {`
registration api (#303) 2013-06-18 12:31:09 +02:00
check for nulls before querying the database 2013-04-23 09:06:35 +02:00			`Preconditions.checkNotNull(name);`
apply formatter 2013-07-25 09:17:33 +02:00			`Preconditions.checkArgument(StringUtils.length(name) <= 32, "Name too long (32 characters maximum)");`
admin panel should force registrations (#323) 2013-06-22 16:08:33 +02:00			`Preconditions.checkNotNull(password);`

			`if (!forceRegistration) {`
removed wicket and tomee, use dropwizard instead. remove wro4j, use gulp instead 2014-08-08 16:49:02 +02:00			`Preconditions.checkState(config.getApplicationSettings().isAllowRegistrations(),`
admin panel should force registrations (#323) 2013-06-22 16:08:33 +02:00			`"Registrations are closed on this CommaFeed instance");`

			`Preconditions.checkNotNull(email);`
apply formatter 2013-07-25 09:17:33 +02:00			`Preconditions.checkArgument(StringUtils.length(name) >= 3, "Name too short (3 characters minimum)");`
			`Preconditions`
			`.checkArgument(forceRegistration \|\| StringUtils.length(password) >= 6, "Password too short (6 characters maximum)");`
			`Preconditions.checkArgument(StringUtils.contains(email, "@"), "Invalid email address");`
admin panel should force registrations (#323) 2013-06-22 16:08:33 +02:00			`}`

apply formatter 2013-07-25 09:17:33 +02:00			`Preconditions.checkArgument(userDAO.findByName(name) == null, "Name already taken");`
admin panel should force registrations (#323) 2013-06-22 16:08:33 +02:00			`if (StringUtils.isNotBlank(email)) {`
apply formatter 2013-07-25 09:17:33 +02:00			`Preconditions.checkArgument(userDAO.findByEmail(email) == null, "Email already taken");`
admin panel should force registrations (#323) 2013-06-22 16:08:33 +02:00			`}`
registration api (#303) 2013-06-18 12:31:09 +02:00
partial user administration 2013-03-30 09:22:49 +01:00			`User user = new User();`
			`byte[] salt = encryptionService.generateSalt();`
			`user.setName(name);`
added registration on welcome page 2013-04-06 21:38:18 +02:00			`user.setEmail(email);`
use date constructor directly when a calendar is not needed, better performances 2013-06-25 16:57:48 +02:00			`user.setCreated(new Date());`
partial user administration 2013-03-30 09:22:49 +01:00			`user.setSalt(salt);`
			`user.setPassword(encryptionService.getEncryptedPassword(password, salt));`
change role to enum 2013-03-30 19:06:32 +01:00			`for (Role role : roles) {`
partial user administration 2013-03-30 09:22:49 +01:00			`user.getRoles().add(new UserRole(user, role));`
			`}`
hibernate tweaks 2013-06-06 09:54:17 +02:00			`userDAO.saveOrUpdate(user);`
partial user administration 2013-03-30 09:22:49 +01:00			`return user;`
			`}`
allow users to permanently delete their account 2013-05-08 11:15:50 +02:00
			`public void unregister(User user) {`
			`feedCategoryDAO.delete(feedCategoryDAO.findAll(user));`
			`userSettingsDAO.delete(userSettingsDAO.findByUser(user));`
			`userDAO.delete(user);`
			`}`
recover password (wip) 2013-05-20 21:53:13 +02:00
			`public String generateApiKey(User user) {`
apply formatter 2013-07-25 09:17:33 +02:00			`byte[] key = encryptionService.getEncryptedPassword(UUID.randomUUID().toString(), user.getSalt());`
recover password (wip) 2013-05-20 21:53:13 +02:00			`return DigestUtils.sha1Hex(key);`
			`}`
initial commit 2013-03-20 20:33:42 +01:00			`}`