java - Automatically expire a token after 5 minutes in Java
Problem description
I am trying to create a more secure way to reset a forgotten password using Java Web and HSQLDB, without any framework.
I created a form where the user can enter his email; if the email is in the database, it automatically sends an email with a password reset link. The link carries a specific token, which is created for each user when they click the button to receive the email. This token is inserted into the database, together with the timestamp of when it was created.
When the token reaches the 5-minute time limit, I am trying to delete it from the database, but it does not work. Is there a way to do this? Thank you.
My table:
CREATE TABLE user (
    id bigint identity NOT NULL,
    username varchar(50) NOT NULL,
    email varchar(50) NOT NULL,
    password varchar(50) NOT NULL,
    attempts int DEFAULT 3,
    state varchar(50) DEFAULT 'Active',
    reset_token uuid,
    time_token TIMESTAMP,
    PRIMARY KEY (id)
);
Token generator:
import java.util.UUID;

public class TokenGenerator {
    // Returns a random, unguessable token as its string form
    public static String UniqueToken() {
        String token = UUID.randomUUID().toString();
        return token;
    }
}
My class ForgotPasswordHandler.java:
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.Timestamp;
import java.util.Date;

public class ForgotPasswordHandler {
    private static Connection con = DBConnectionManager.getConnection();

    // Creates a token for the user when they click submit on the forgot-password form.
    // The token is returned so the caller can put the very same value into the link
    // (generating a second token in the servlet would never match the stored one).
    public static String CreateToken(String email) {
        String token = null;
        try {
            if (con == null) {
                System.out.println("Failed connection");
            } else {
                token = TokenGenerator.UniqueToken();
                PreparedStatement ps = con.prepareStatement(
                    "UPDATE user SET reset_token = ?, time_token = ? WHERE email = ?");
                ps.setString(1, token);
                ps.setTimestamp(2, new Timestamp(new Date().getTime()));
                ps.setString(3, email);
                ps.executeUpdate();
                ps.close();
            }
        } catch (Exception e) {
            e.printStackTrace(System.out);
        }
        return token;
    }

    // This is where I'm having trouble deleting the actual token after 5 minutes.
    public static void DeleteToken() {
        try {
            if (con == null) {
                System.out.println("Failed Connection");
            } else {
                PreparedStatement ps = con.prepareStatement(
                    "UPDATE user SET reset_token = NULL WHERE time_token < NOW() - INTERVAL 5 MINUTE");
                ps.executeUpdate();
                ps.close();
            }
        } catch (Exception e) {
            e.printStackTrace(System.out);
        }
    }
}
My servlet ForgotPassword.java:
import java.io.IOException;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ForgotPassword extends HttpServlet {
    private static final long serialVersionUID = 1L;
    private String host;
    private String port;
    private String email;   // SMTP sender account, not the user's address
    private String name;
    private String pass;

    public void init() {
        // reads SMTP server settings from the web.xml file
        ServletContext context = getServletContext();
        host = context.getInitParameter("host");
        port = context.getInitParameter("port");
        email = context.getInitParameter("email");
        name = context.getInitParameter("name");
        pass = context.getInitParameter("pass");
    }

    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // verify that the email exists in the db; the local is named userEmail so it
        // does not shadow the SMTP sender field above
        String userEmail = request.getParameter("email");
        if (!UserReset.EmailCheck(userEmail)) {
            String message = "This email isn't in our database";
            request.setAttribute("message", message);
            request.getRequestDispatcher("reset.jsp").forward(request, response);
        } else {
            String recipient = userEmail;
            String subject = "Your Password has been reset";
            // CreateToken stores the token and returns it; the link must carry that value
            String token = ForgotPasswordHandler.CreateToken(userEmail);
            ForgotPasswordHandler.DeleteToken();
            String url = "http://localhost:8080/login/reset-password.jsp?token=" + token;
            UserReset.RefreshState(userEmail);
            // Builds the email message and sends it
            String content = "Hello, please change your password in this link:" + url;
            content += "\nObrigado!";
            String message = "";
            try {
                EmailSender.sendEmail(host, port, email, name, pass,
                    recipient, subject, content);
                message = "Please verify your email.";
            } catch (Exception ex) {
                ex.printStackTrace();
                message = "Ops, an error occured: " + ex.getMessage();
            } finally {
                request.setAttribute("message", message);
                request.getRequestDispatcher("reset.jsp").forward(request, response);
            }
        }
    }
}
Solution
You probably should not actively delete the token. Just record the token's time, and when a new query comes in, get the creation time and check whether it is within 5 minutes.
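The check-at-use approach the answer describes, as an added Java example that is neither the asker's code nor the answerer's: the token is issued once and returned to the caller, and its age is compared against the stored time_token only when the reset form is submitted, with the row cleared in the same step so a link works a single time. It assumes the asker's table, a Connection obtained elsewhere, and that HSQLDB's UUID column accepts java.util.UUID through setObject.

```java
import java.sql.*;
import java.time.Duration;
import java.time.Instant;
import java.util.UUID;
public class ResetTokenStore {
    private static final Duration TOKEN_TTL = Duration.ofMinutes(5);
    // Issues a token, stores it with its creation time and returns it, so the
    // caller mails exactly the value that is in the database.
    public static String createToken(Connection con, String email) throws SQLException {
        UUID token = UUID.randomUUID();
        try (PreparedStatement ps = con.prepareStatement(
                "UPDATE user SET reset_token = ?, time_token = ? WHERE email = ?")) {
            ps.setObject(1, token);  // assumption: HSQLDB accepts java.util.UUID for its UUID type
            ps.setTimestamp(2, Timestamp.from(Instant.now()));
            ps.setString(3, email);
            ps.executeUpdate();
        }
        return token.toString();
    }
    // Called when the reset form comes back. Returns the user id if the token exists
    // and was created less than TOKEN_TTL ago, and clears it so the link works once;
    // returns -1 otherwise. Nothing is deleted on a timer: age is checked at use.
    public static long consumeToken(Connection con, String tokenParam) throws SQLException {
        UUID token;
        try {
            token = UUID.fromString(tokenParam);  // reject malformed input before it reaches SQL
        } catch (IllegalArgumentException e) {
            return -1;
        }
        Timestamp oldestAccepted = Timestamp.from(Instant.now().minus(TOKEN_TTL));
        long userId = -1;
        try (PreparedStatement ps = con.prepareStatement(
                "SELECT id FROM user WHERE reset_token = ? AND time_token >= ?")) {
            ps.setObject(1, token);
            ps.setTimestamp(2, oldestAccepted);
            try (ResultSet rs = ps.executeQuery()) {
                if (rs.next()) userId = rs.getLong("id");
            }
        }
        if (userId < 0) return -1;
        // Guard on reset_token: a second concurrent use of the same link updates zero rows.
        try (PreparedStatement ps = con.prepareStatement(
                "UPDATE user SET reset_token = NULL, time_token = NULL WHERE id = ? AND reset_token = ?")) {
            ps.setLong(1, userId);
            ps.setObject(2, token);
            return ps.executeUpdate() == 1 ? userId : -1;
        }
    }
}
```

An expired row needs no cleanup for correctness, since the age test rejects it; a periodic job that nulls old tokens is then only housekeeping, not what enforces the 5-minute limit.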