From d30a4fe158787fc6b280c2c4431f348a4d24ce87 Mon Sep 17 00:00:00 2001 From: AdrianBalunan Date: Thu, 16 Apr 2026 15:20:39 +0200 Subject: [PATCH] Fix: hashing isn't one way. Get matching email row first, then check if password is correct. --- .../team6/database/Readers/UserSelect.java | 24 ++++++++++++------- 1 file changed, 15 insertions(+), 9 deletions(-) diff --git a/helpmehelpapplication/src/main/java/ntnu/systemutvikling/team6/database/Readers/UserSelect.java b/helpmehelpapplication/src/main/java/ntnu/systemutvikling/team6/database/Readers/UserSelect.java index ad79f8e..a33ad33 100644 --- a/helpmehelpapplication/src/main/java/ntnu/systemutvikling/team6/database/Readers/UserSelect.java +++ b/helpmehelpapplication/src/main/java/ntnu/systemutvikling/team6/database/Readers/UserSelect.java @@ -70,13 +70,13 @@ public boolean isEmailTaken(String email){ * user_password}; the {@code user_name} column is not yet included in the WHERE clause, which may * be a bug. * - * @param username the plain-text username to look up + * @param email the email to look up * @param password the plain-text password; hashed internally before the query runs * @return the matching {@link User} with settings and inbox populated, or {@code null} if no * match is found * @throws RuntimeException if a {@link SQLException} occurs while executing the query */ - public User getUserFromDBUsernameAndPassword(String email, String password) { + public User getUserFromDBEmailAndPassword(String email, String password) { PasswordHasher hasher = new PasswordHasher(); String hashedpassword = hasher.getHashPassword(password); 
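Review bot: The unchanged `@param password the plain-text password; hashed internally before the query runs` line now documents the old flow, because this commit drops `u.user_password` from the WHERE clause and checks the plaintext against the stored hash only after the row is fetched; I would change it to `@param password the plain-text password; verified against the stored hash of the matching row after the query runs`. The context lines `PasswordHasher hasher = new PasswordHasher();` and `String hashedpassword = hasher.getHashPassword(password);` appear to lose their only consumer later in this commit, so a hash is computed and discarded on every login attempt; `hashedpassword` can be deleted while `hasher` is still useful for the verification. The method body continues outside this hunk.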
@@ -88,23 +88,30 @@ public User getUserFromDBUsernameAndPassword(String email, String password) { """ SELECT u.UUID_User, u.user_name, u.user_email, u.user_password, u.role, - s.User_UUID_User, s.isAnonymous, s.language, s.lightmode, + s.UUID_user, s.isAnonymous, s.language, s.lightmode, m.UUID_message, m.message_title, m.message_content, m.message_date, m.sender_user_id, m.sender_charity_id, m.user_id FROM User u - LEFT JOIN Settings s ON u.UUID_User = s.User_UUID_user + LEFT JOIN Settings s ON u.UUID_User = s.UUID_user LEFT JOIN Messages m ON u.UUID_User = m.user_id - WHERE u.user_email = ? AND u.user_password = ?; + WHERE u.user_email = ?; """; PreparedStatement stmt = conn.prepareStatement(sql_query); stmt.setString(1, email); - stmt.setString(2, hashedpassword); + + ResultSet rs = stmt.executeQuery(); - String lastUserid = null; while (rs.next()) { String userId = rs.getString("UUID_User"); - if (lastUserid == null || !userId.equals(lastUserid)) { + System.out.println(rs.getString("user_name")); + + if (user == null) { + String storedHash = rs.getString("user_password"); + + if (!new PasswordHasher().isValidPassword(password, storedHash)){ + return null; + } user = new User( userId, @@ -121,7 +128,6 @@ public User getUserFromDBUsernameAndPassword(String email, String password) { user.setSettings(settings); } user.setInbox(new Inbox()); - lastUserid = userId; } String messageId = rs.getString("UUID_message"); if (messageId != null) {
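Review bot: `System.out.println(rs.getString("user_name"));` in the new loop body writes an account name to stdout for every row the login query returns, which is debug output on an authentication path and should be removed before merging. The verification line also builds a second hasher although `hasher` is already in scope at the top of the method, and the `hashedpassword` it computed has no remaining use once `stmt.setString(2, hashedpassword)` is gone, so `if (!hasher.isValidPassword(password, storedHash)) {` and dropping the unused hash would be cleaner. A caveat worth recording in a comment: when no row matches the email the method returns `null` without ever calling `isValidPassword`, so an unknown email answers measurably faster than a wrong password; if account enumeration matters here, verify a dummy hash on the no-row path as well. Whether the early `return null` inside `while (rs.next())` closes `stmt` and `rs` depends on resource handling that is not visible in this hunk, so it is worth confirming both are in a try-with-resources. The method starts and ends outside this hunk.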