Implemented validation to ensure each OTP device has a unique label #38657
Conversation
b98ce83 to
e11ef12
Compare
|
Additional Update:
Please find validated screenshots:
Thanks! |
|
Hi @ahus1, I've made two commits to this draft PR and would really appreciate it if you could take a look whenever you get a chance. Please let me know if you have any feedback, suggestions, or improvements you'd like to see. I'd be happy to incorporate them. Thank you for your time |
e0e429d to
a1b5f99
Compare
There was a problem hiding this comment.
Thank you for the pull request. I pushed one more commit to suggest a change that doesn't make as many assumptions about the type of exceptions thrown, as there might be other exceptions appearing in other places.
I also see that you reformatted parts of the code, so the indentation has changed. Please revert those changes as they make it hard to review the changes on GitHub.
|
|
||
| if (userLabel == null || userLabel.trim().isEmpty()) { | ||
| throw new ErrorResponseException("missingDeviceName", "Please specify the device name", Status.BAD_REQUEST); | ||
| } | ||
|
|
There was a problem hiding this comment.
As this is also used for all credentials including passwords, having an error message that is specific for a device name isn't a good fit here.
There was a problem hiding this comment.
Hi @ahus1, I have updated the error to:
throw new ErrorResponseException("missingCredentialLabel", "Credential label must not be empty", Status.BAD_REQUEST);
Please let me know if this looks good or if you’d prefer a different message/key. Thanks!
|
Another hint: Please avoid to merge the main branch into the PR, instead rebase the pull request when needed. This makes it again simpler to review. |
|
@SaikrishnaPavuluri - please don't merge the main branch into your PR, as this makes it difficult to review. Rebasing should only be done when there are conflicts or a maintainer asks you to rebase. This avoid unnecessary CI runs and unnecessary notifications to maintainers. |
There was a problem hiding this comment.
In a previous review I commented the following, which hasn't been addressed yet:
I also see that you reformatted parts of the code, so the indentation has changed. Please revert those changes as they make it hard to review the changes on GitHub.
The functional changes look good, please now add a test case that validates the new behavior. Maybe you can extend an existing test, maybe you need to write a new test. Let me know if you need pointers.
|
@ahus1 |
I have fixed the indentation issues and pushed the updated commit. Thanks a lot for your guidance I will be careful with formatting in future contributions to avoid this again. |
Hi @ahus1 |
|
@SaikrishnaPavuluri - I've read your comment, but allow for some more time to get back to you. |
|
Ok, KC 26.2 has been released, and as the dust settles, here's my reply. Sebastian and me recorded a session in Keycloak Hour of Code. See https://www.youtube.com/watch?v=gX9BWk-AiqE&list=PLFoHXRSurvbHNojMgLsn76-tdm13carIh&index=4&t=14s&ab_channel=AlexanderSchwartz for the video. And you find links including the script in the description of the video. I hope this is helpful. Please let me know if you have questions. |
I will try to complete this by the end of the week. Thanks |
|
Hi @ahus1, I have added test cases in the latest commit for setCredentialUserLabel, createCredential, and updateCredential to validate behavior with empty and duplicate device labels. I also looked for a test class covering the processAction() method in UpdateTotp, but couldn’t find one. Please let me know if it exists elsewhere. Thanks! |
|
Hi @ahus1 |
… unique name Signed-off-by: Saikrishna <saikrishnap@optimeyes.ai>
…tCredentialUserLabel (UserResource) Signed-off-by: Saikrishna <saikrishnap@optimeyes.ai>
Closes keycloak#38465 Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
…Credential and updateCredential (duplicate label) Signed-off-by: Saikrishna <saikrishnap@optimeyes.ai> Fix indentation issues Completed review changes and reverted formatting
Closes keycloak#38465 Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
beada4b to
3abafb0
Compare
|
I found a place in Let's look at the test results once the tests complete. |
Closes keycloak#38465 Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Closes keycloak#38465 Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Closes keycloak#38465 Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
|
Thank you for the code and the test, the build is now green and the tests are stable. Unfortunately the changes broke some existing tests which I didn't foresee, and it also touched some browser-only tests that are difficult to reproduce locally. I'm now marking it ready for review and have someone else from the team look at it as well. When you look at my commits, please take a moment to review them. Given the documentation above, I hope it is sufficient to run a single test locally, and possibly even debug it. While running all tests locally is very time consuming and better handled by the GitHub actions, running a single test locally is a great skill that allows you to iterate faster when developing tests. If the documentation isn't sufficient, please let me know and we'll look into enhancing it. |
|
@mposolda - this PR looks good to me, and the error messages shown to the users when they try to have a credential with the same label are IMHO descriptive. As this touches the core-clients area, please give it a review as well. As this is a first-time contribution, I'm willing to give a helping hand where needed. Thanks! |
@ahus1 I’m truly grateful for all the detailed feedback and support you’ve given me throughout my first contribution. Your guidance has been invaluable not only in understanding development and debugging, but also in helping me navigate the codebase with more confidence. The video you and Sebastian shared was fantastic and really helped clarify many concepts. I’m happy to have a mentor like you and excited to keep learning, contributing, and growing. Your encouragement motivates me to take on more challenges. I’ll definitely take your advice and spend time understanding the tests better so it helps me in future contributions. I’d really appreciate a review of this PR when time permits. As this is my first contribution, I’m eager to learn and grow with your guidance. It’s a privilege to collaborate with such experienced contributors, and I’m open to any suggestions or improvements you may have. |
|
@SaikrishnaPavuluri - thank you for sharing this, and kudos so @srose for preparing the recordings! |
There was a problem hiding this comment.
Thanks @SaikrishnaPavuluri and @ahus1! Changes LGTM. I was thinking about adding some note in the upgrading guide. But I understand that this is more a bug than something else. Approved.
Closes #38465
### Summary of Changes
This PR enhances the OTP credential creation process by improving duplicate device validation and error handling.
Changes in JpaUserCredentialStore and JpaUserFederatedStorageProvider
Added duplicate credential validation for both create and update methods.
Ensured that users cannot register an OTP device with the same name multiple times.
Introduced validateDuplicateUserCredential to handle duplicate detection.
### Enhancements in createOTPCredential (CredentialHelper.java)
Changed return type from boolean to Map<String, Boolean> for more detailed status tracking:
isDeviceDuplicate: true if a duplicate OTP device exists.
isOTPCreationSuccess: true if OTP credential creation was successful.
Handled ModelDuplicateException to prevent duplicate device registrations.
### Updates in processAction() (UpdateTotp class)
Now checks isDeviceDuplicate before proceeding with OTP creation.
If a duplicate device is detected, it shows an error message:
"Device already exists with the same name"
"Invalid TOTP"
Additional Update:
Added duplicate and empty device name validation in setCredentialUserLabel method (UserResource class).
This ensures users cannot update a userlabel (i.e device name) to a blank value or a label that already exists.
### Feedback & Review Request
This is my first contribution to Keycloak, and I would appreciate any feedback on the implementation, approach, or any best practices I might have missed.
Please find the validated screenshot after implementation
Let me know if any improvements or additional changes are needed. Thanks! 🙌