# PasswordMgmtService

`com.palmyralabs.palmyra.ext.usermgmt.service.PasswordMgmtService`

## Overview
Full-surface password lifecycle SPI — verify a credential, reset as admin, change as the user, force-change without the old password. Implementations typically also implement PasswordVerificationService for consumers that only need the verify operation.
## Methods

| Method | Signature | Notes |
|---|---|---|
| `isValid` | `boolean isValid(UserPasswordModel model, String password)` | Validates against an already-loaded user model (no extra DB round-trip) |
| `verifyPassword` | `boolean verifyPassword(String loginName, String password) throws Exception` | Login-time verification by login name |
| `resetPassword` | `boolean resetPassword(ResetPasswordRequest request)` | Admin-driven reset flow (typically delivers a reset token / temporary password) |
| `changePassword` | `boolean changePassword(ChangePasswordRequest request)` | End-user self-service; requires the old password in the request |
| `forceChangePassword` | `boolean forceChangePassword(String loginName, String newPassword)` | Bypasses the old-password check; admin / force-rotate flow |
## Design note
isValid(UserPasswordModel, String) is the seam that lets LocalDBAuthenticationProvider pre-load the user model once and re-use it, avoiding a second findByLoginName call inside verifyPassword.
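The method table and the design note describe the contract; the following is an added implementation sketch, not Palmyra's own code, showing `verifyPassword` doing a single `findByLoginName` and delegating to `isValid`, `changePassword` refusing to write until the old password verifies, and `forceChangePassword` skipping that check. `UserPasswordRepository`, `CredentialNotifier`, the getters and setters on the model and request types, and Spring Security's `PasswordEncoder` as the hashing backend are all assumptions.

```java
import java.security.SecureRandom;
import java.util.Base64;
import lombok.RequiredArgsConstructor;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Service;
// Added illustration, not Palmyra's own code; repository, notifier and getters/setters are assumptions.
@Service
@RequiredArgsConstructor
public class EncoderBackedPasswordMgmtService implements PasswordMgmtService {
    private static final SecureRandom RNG = new SecureRandom();
    private final UserPasswordRepository users; // assumed: Optional<UserPasswordModel> findByLoginName(String)
    private final PasswordEncoder encoder;      // e.g. BCryptPasswordEncoder; only hashes are stored
    private final CredentialNotifier notifier;  // assumed: boolean deliver(String loginName, String temp)
    @Override
    public boolean isValid(UserPasswordModel model, String password) {
        // Pure check against an already-loaded model: no repository access on this path.
        return model != null && password != null && encoder.matches(password, model.getPasswordHash());
    }
    @Override
    public boolean verifyPassword(String loginName, String password) throws Exception {
        // One findByLoginName, then delegate; an unknown login verifies as false rather than throwing.
        return users.findByLoginName(loginName).map(m -> isValid(m, password)).orElse(false);
    }
    @Override
    public boolean changePassword(ChangePasswordRequest request) {
        // Self-service: the old password must verify before anything is written.
        return users.findByLoginName(request.getLoginName())
            .filter(m -> isValid(m, request.getOldPassword()))
            .map(m -> store(m, request.getNewPassword()))
            .orElse(false);
    }
    @Override
    public boolean forceChangePassword(String loginName, String newPassword) {
        // No old-password check, so callers must gate this on admin authority.
        return users.findByLoginName(loginName).map(m -> store(m, newPassword)).orElse(false);
    }
    @Override
    public boolean resetPassword(ResetPasswordRequest request) {
        // Admin-driven reset: random temporary credential, delivered out of band by the notifier.
        byte[] raw = new byte[18];
        RNG.nextBytes(raw);
        String temp = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        return forceChangePassword(request.getLoginName(), temp) && notifier.deliver(request.getLoginName(), temp);
    }
    private boolean store(UserPasswordModel model, String rawPassword) {
        model.setPasswordHash(encoder.encode(rawPassword));
        users.save(model);
        return true;
    }
}
```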
## Example — admin-forced rotation

```java
import java.security.SecureRandom;
import java.util.Base64;
@Service
@RequiredArgsConstructor
public class AdminUserAdmin {
    private final PasswordMgmtService passwords;
    private final TemporaryCredentialMailer mailer; // assumed collaborator; the original omits its declaration
    private static final SecureRandom RNG = new SecureRandom();
    public void forceRotate(String loginName) {
        String temp = generateRandomPassword();
        passwords.forceChangePassword(loginName, temp); // no old-password check on this path
        mailer.sendTemporaryCredential(loginName, temp);
    }
    private static String generateRandomPassword() {
        // 18 random bytes from a CSPRNG, URL-safe base64 without padding (24 characters)
        byte[] raw = new byte[18];
        RNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }
}
```

## Example — end-user change
```java
@RestController
@RequiredArgsConstructor
public class PasswordController {
    private final PasswordMgmtService passwords;
    @PostMapping("/auth/password")
    public ResponseEntity<?> change(@RequestBody ChangePasswordRequest req) {
        // changePassword verifies the old password itself; false is reported as an authentication failure
        boolean ok = passwords.changePassword(req);
        return ok
            ? ResponseEntity.noContent().build()
            : ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
    }
}
```