Merge pull request #15 from Meevent-pe/feature/password-reset

security(auth): Corregir flujo de verificacion de email y reubicacion de entidad

Author: crlian

src/main/java/com/meevent/webapi/Controller/v1/AuthController.java

@@ -29,16 +29,14 @@ public ResponseEntity<AuthResponse> login(@Valid @RequestBody LoginRequest reque
     }
 
     @PostMapping("/register")
-    public ResponseEntity<AuthResponse> register(@Valid @RequestBody RegisterRequest request) {
-        AuthResponse response = _authService.register(request);
-        return ResponseEntity.status(HttpStatus.CREATED).body(response);
+    public ResponseEntity<String> register(@Valid @RequestBody RegisterRequest request) {
+        _authService.register(request);
+        return ResponseEntity.status(HttpStatus.CREATED).body("Registro exitoso. Revisa tu correo para verificar tu cuenta.");
     }
 
-
     //---new endpoint
     @PostMapping("/verify-email")
-    public ResponseEntity<String> verifyEmail(@RequestParam String token) {
-        _authService.verifyEmail(token);
-        return ResponseEntity.ok("Cuenta verificada exitosamente");
+    public ResponseEntity<AuthResponse> verifyEmail(@RequestParam String token) {
+        return ResponseEntity.ok(_authService.verifyEmail(token));
     }
 }

…ebapi/dto/request/VerificationToken.java …vent/webapi/model/VerificationToken.javasrc/main/java/com/meevent/webapi/dto/request/VerificationToken.java renamed to src/main/java/com/meevent/webapi/model/VerificationToken.java src/main/java/com/meevent/webapi/dto/request/VerificationToken.java renamed to src/main/java/com/meevent/webapi/model/VerificationToken.java

@@ -1,4 +1,4 @@
-package com.meevent.webapi.dto.request;
+package com.meevent.webapi.model;
 
 import java.time.LocalDateTime;
 
@@ -34,7 +34,7 @@ public class VerificationToken {
     private User toUser;
 
     private LocalDateTime expiryDate;
-    
+
     private boolean used = false;
 
     public VerificationToken(String token, User user, int expiryHours) {
@@ -43,4 +43,4 @@ public VerificationToken(String token, User user, int expiryHours) {
         this.expiryDate = LocalDateTime.now().plusHours(expiryHours); /*<---  */
         this.used = false;
     }
-}
+}

src/main/java/com/meevent/webapi/repository/IVerificationTokenRepository.java

@@ -5,7 +5,7 @@
 import org.springframework.data.jpa.repository.JpaRepository;
 import org.springframework.stereotype.Repository;
 
-import com.meevent.webapi.dto.request.VerificationToken;
+import com.meevent.webapi.model.VerificationToken;
 
 @Repository
 public interface IVerificationTokenRepository extends JpaRepository<VerificationToken, Long>{

src/main/java/com/meevent/webapi/service/AuthService.java

@@ -3,7 +3,8 @@
 import java.time.LocalDateTime;
 import java.util.UUID;
 
-import org.springframework.scheduling.annotation.Async;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.crypto.password.PasswordEncoder;
@@ -12,7 +13,7 @@
 
 import com.meevent.webapi.dto.request.LoginRequest;
 import com.meevent.webapi.dto.request.RegisterRequest;
-import com.meevent.webapi.dto.request.VerificationToken;
+import com.meevent.webapi.model.VerificationToken;
 import com.meevent.webapi.dto.response.AuthResponse;
 import com.meevent.webapi.model.AttendeeProfile;
 import com.meevent.webapi.model.City;
@@ -31,6 +32,8 @@
 @RequiredArgsConstructor
 public class AuthService {
 
+    private static final Logger LOGGER = LoggerFactory.getLogger(AuthService.class);
+
     private final IMailService mailService; /* <-- Azure service implementation */
     private final IVerificationTokenRepository tokenRepository;
     private final IUserRepository userRepository;
@@ -49,7 +52,13 @@ public AuthResponse login(LoginRequest request) {
                 );
 
         if (!user.getActive()) {
-            throw new IllegalStateException("Account is disabled");
+            LOGGER.warn("Login attempt on disabled account: email={}", request.email());
+            throw new IllegalArgumentException("Invalid credentials");
+        }
+
+        if (user.getVerificationStatus() != UserVerificationStatus.VERIFIED) {
+            LOGGER.warn("Login attempt on unverified account: email={}", request.email());
+            throw new IllegalArgumentException("Invalid credentials");
         }
 
         if (!passwordEncoder.matches(
@@ -68,8 +77,7 @@ public AuthResponse login(LoginRequest request) {
     }
 
     @Transactional
-    @Async
-    public AuthResponse register(RegisterRequest request) {
+    public void register(RegisterRequest request) {
 
         if (userRepository.existsByEmailIgnoreCase(request.email())) {
             throw new IllegalArgumentException("Email is already registered");
@@ -97,16 +105,15 @@ public AuthResponse register(RegisterRequest request) {
         user.setVerificationStatus(UserVerificationStatus.PENDING); /* <--- change form not_verified to ---> pending */
 
         userRepository.save(user);
+        LOGGER.info("User registered successfully: email={}", user.getEmail());
 
         String tokenValue = UUID.randomUUID().toString();
         VerificationToken token = new VerificationToken(tokenValue, user, 1); /*<--- An hour to expire the token */
         tokenRepository.save(token);
         String subject = "Verifica tu cuenta en Meevent";
         String message = "¡Hola! Gracias por registrarte. Haz clic en el siguiente enlace para verificar tu cuenta: ";
 
-        String verificationLink = tokenValue;
-
-        mailService.sendVerificationEmail(user.getEmail(), subject, message, verificationLink);
+        mailService.sendVerificationEmail(user.getEmail(), subject, message, tokenValue);
 
         City city = cityRepository.findById(request.cityId())
                 .orElseThrow(()
@@ -123,35 +130,36 @@ public AuthResponse register(RegisterRequest request) {
         attendeeProfile.setPhoneE164(phoneE164);
 
         attendeeProfileRepository.save(attendeeProfile);
-
-        UserDetails userDetails
-                = userDetailsService.loadUserByUsername(user.getEmail());
-
-        return new AuthResponse(
-                jwtService.generateToken(userDetails)
-        );
     }
 
     @Transactional
-    public void verifyEmail(String tokenValue) {
+    public AuthResponse verifyEmail(String tokenValue) {
         VerificationToken token = tokenRepository.findByToken(tokenValue)
-                .orElseThrow(() -> new RuntimeException("Token no encontrado"));
+                .orElseThrow(() -> {
+                    LOGGER.warn("Verification attempt with unknown token");
+                    return new RuntimeException("Token invalido o expirado");
+                });
 
         if (token.isUsed()) {
-            throw new RuntimeException("Este token ya ha sido utilizado");
+            LOGGER.warn("Verification attempt with used token: tokenId={}", token.getId());
+            throw new RuntimeException("Token invalido o expirado");
         }
 
         if (token.getExpiryDate().isBefore(LocalDateTime.now())) {
-            throw new RuntimeException("El token ha expirado");
+            LOGGER.warn("Verification attempt with expired token: tokenId={}", token.getId());
+            throw new RuntimeException("Token invalido o expirado");
         }
 
         // User updated
         User user = token.getToUser();
         user.setVerificationStatus(UserVerificationStatus.VERIFIED);
         userRepository.save(user);
 
-        // Change state of token from PENDING to USED creo 
+        // Change state of token from PENDING to USED creo
         token.setUsed(true);
         tokenRepository.save(token);
+
+        UserDetails userDetails = userDetailsService.loadUserByUsername(user.getEmail());
+        return new AuthResponse(jwtService.generateToken(userDetails));
     }
 }

src/main/resources/application.properties

@@ -1 +1 @@
-spring.profiles.active=${PROFILE}
+spring.profiles.active=${PROFILE:dev}