

Fix: hashing isn't one way. Get matching email row first, then check …
…if password is correct.
AdrianBalunan committed Apr 16, 2026
1 parent 9c82906 commit d30a4fe
Showing 1 changed file with 15 additions and 9 deletions.
Expand Up @@ -70,13 +70,13 @@ public boolean isEmailTaken(String email){
* user_password}; the {@code user_name} column is not yet included in the WHERE clause, which may
* be a bug.
*
* @param username the plain-text username to look up
* @param email the email to look up
* @param password the plain-text password; hashed internally before the query runs
* @return the matching {@link User} with settings and inbox populated, or {@code null} if no
* match is found
* @throws RuntimeException if a {@link SQLException} occurs while executing the query
*/
public User getUserFromDBUsernameAndPassword(String email, String password) {
public User getUserFromDBEmailAndPassword(String email, String password) {
PasswordHasher hasher = new PasswordHasher();
String hashedpassword = hasher.getHashPassword(password);

Expand All @@ -88,23 +88,30 @@ public User getUserFromDBUsernameAndPassword(String email, String password) {
"""
SELECT
u.UUID_User, u.user_name, u.user_email, u.user_password, u.role,
s.User_UUID_User, s.isAnonymous, s.language, s.lightmode,
s.UUID_user, s.isAnonymous, s.language, s.lightmode,
m.UUID_message, m.message_title, m.message_content, m.message_date, m.sender_user_id, m.sender_charity_id, m.user_id
FROM User u
LEFT JOIN Settings s ON u.UUID_User = s.User_UUID_user
LEFT JOIN Settings s ON u.UUID_User = s.UUID_user
LEFT JOIN Messages m ON u.UUID_User = m.user_id
WHERE u.user_email = ? AND u.user_password = ?;
WHERE u.user_email = ?;
""";
PreparedStatement stmt = conn.prepareStatement(sql_query);
stmt.setString(1, email);
stmt.setString(2, hashedpassword);



ResultSet rs = stmt.executeQuery();

String lastUserid = null;
while (rs.next()) {
String userId = rs.getString("UUID_User");
if (lastUserid == null || !userId.equals(lastUserid)) {
System.out.println(rs.getString("user_name"));

if (user == null) {
String storedHash = rs.getString("user_password");

if (!new PasswordHasher().isValidPassword(password, storedHash)){
return null;
}
user =
new User(
userId,
Expand All @@ -121,7 +128,6 @@ public User getUserFromDBUsernameAndPassword(String email, String password) {
user.setSettings(settings);
}
user.setInbox(new Inbox());
lastUserid = userId;
}
String messageId = rs.getString("UUID_message");
if (messageId != null) {
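Review bot: `hashedpassword` from `hasher.getHashPassword(password)` (context at the top of the first hunk) is dead once `stmt.setString(2, hashedpassword)` is removed, so the login path hashes the password once for nothing and again inside `isValidPassword`; drop those two lines and the first `PasswordHasher` instance. The Javadoc above the signature is stale for the same reason: replace `@param password the plain-text password; hashed internally before the query runs` with `@param password the plain-text password; verified against the stored hash with PasswordHasher#isValidPassword after the row is fetched`, and `@param username` documents a parameter the signature no longer has. `System.out.println(rs.getString("user_name"))` inside the loop writes account names to stdout for every row in an authentication path and should be removed. The early `return null` after a failed check leaves `stmt` and `rs` open unless the enclosing try, which starts before the hunk, closes them, and because the check now runs only when the email exists, an unknown and a known email take measurably different time; verifying against a fixed dummy hash when no row matches keeps the response time uniform. The method's body continues past the last hunk.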

