fix: username or password error mesage shown with failed attempt (#265)

vishwab1 · web-flow · commit c8db2251fc16 · 2025-07-08T16:59:30.000+05:30
diff --git a/src/main/java/com/iemr/common/controller/users/IEMRAdminController.java b/src/main/java/com/iemr/common/controller/users/IEMRAdminController.java
@@ -620,10 +620,10 @@ public String forgetPassword(
 
 			if (mUsers == null || mUsers.size() <= 0) {
 				logger.error("User not found");
-				throw new IEMRException("If the username is valid, you will be asked a security question");
+				throw new IEMRException("If the username is registered, you will be asked a security question");
 			} else if (mUsers.size() > 1) {
 				logger.error("More than 1 user found");
-				throw new IEMRException("If the username is valid, you will be asked a security question");
+				throw new IEMRException("If the username is registered, you will be asked a security question");
 
 			} else if (mUsers.size() == 1) {
 				List<Map<String, String>> quesAnsList = new ArrayList<>();
diff --git a/src/main/java/com/iemr/common/service/users/IEMRAdminUserServiceImpl.java b/src/main/java/com/iemr/common/service/users/IEMRAdminUserServiceImpl.java
@@ -220,16 +220,19 @@ public void setValidator(Validator validator) {
 		this.validator = validator;
 	}
 
+	private void checkUserAccountStatus(User user) throws IEMRException {
+		if (user.getDeleted()) {
+			throw new IEMRException("Your account is locked or de-activated. Please contact administrator");
+		} else if (user.getStatusID() > 2) {
+			throw new IEMRException("Your account is not active. Please contact administrator");
+		}
+	}
+
 	@Override
 	public List<User> userAuthenticate(String userName, String password) throws Exception {
 		List<User> users = iEMRUserRepositoryCustom.findByUserNameNew(userName);
 		if (users.size() != 1) {
 			throw new IEMRException("Invalid username or password");
-		} else {
-			if (users.get(0).getDeleted())
-				throw new IEMRException("Your account is locked or de-activated. Please contact administrator");
-			else if (users.get(0).getStatusID() > 2)
-				throw new IEMRException("Your account is not active. Please contact administrator");
 		}
 		int failedAttempt = 0;
 		if (failedLoginAttempt != null)
@@ -241,6 +244,7 @@ else if (users.get(0).getStatusID() > 2)
 			int validatePassword;
 			validatePassword = securePassword.validatePassword(password, user.getPassword());
 			if (validatePassword == 1) {
+				checkUserAccountStatus(user);
 				int iterations = 1001;
 				char[] chars = password.toCharArray();
 				byte[] salt = getSalt();
@@ -254,29 +258,37 @@ else if (users.get(0).getStatusID() > 2)
 				iEMRUserRepositoryCustom.save(user);
 
 			} else if (validatePassword == 2) {
+				checkUserAccountStatus(user);
 				iEMRUserRepositoryCustom.save(user);
 
 			} else if (validatePassword == 3) {
+				checkUserAccountStatus(user);
 				iEMRUserRepositoryCustom.save(user);
 			} else if (validatePassword == 0) {
-				if (user.getFailedAttempt() + 1 >= failedAttempt) {
+				if (user.getFailedAttempt() + 1 < failedAttempt) {
+					user.setFailedAttempt(user.getFailedAttempt() + 1);
+					user = iEMRUserRepositoryCustom.save(user);
+					logger.warn("User Password Wrong");
+					throw new IEMRException("Invalid username or password");
+				} else if (user.getFailedAttempt() + 1 >= failedAttempt) {
 					user.setFailedAttempt(user.getFailedAttempt() + 1);
 					user.setDeleted(true);
 					user = iEMRUserRepositoryCustom.save(user);
 					logger.warn("User Account has been locked after reaching the limit of {} failed login attempts.",
 							ConfigProperties.getInteger("failedLoginAttempt"));
 
 					throw new IEMRException(
-							"Your account has been locked due to multiple failed login attempts. Please contact administrator.");
+							"Invalid username or password. Please contact administrator.");
 				} else {
 					user.setFailedAttempt(user.getFailedAttempt() + 1);
 					user = iEMRUserRepositoryCustom.save(user);
 					logger.warn("Failed login attempt {} of {} for a user account.",
 							user.getFailedAttempt(), ConfigProperties.getInteger("failedLoginAttempt"));
 					throw new IEMRException(
-							"Your account has been locked due to multiple failed login attempts. Please contact administrator.");
+							"Invalid username or password. Please contact administrator.");
 				}
 			} else {
+				checkUserAccountStatus(user);
 				if (user.getFailedAttempt() != 0) {
 					user.setFailedAttempt(0);
 					user = iEMRUserRepositoryCustom.save(user);
@@ -310,11 +322,6 @@ public User superUserAuthenticate(String userName, String password) throws Excep
 
 		if (users.size() != 1) {
 			throw new IEMRException("Invalid username or password");
-		} else {
-			if (users.get(0).getDeleted())
-				throw new IEMRException("Your account is locked or de-activated. Please contact administrator");
-			else if (users.get(0).getStatusID() > 2)
-				throw new IEMRException("Your account is not active. Please contact administrator");
 		}
 		int failedAttempt = 0;
 		if (failedLoginAttempt != null)
@@ -326,6 +333,7 @@ else if (users.get(0).getStatusID() > 2)
 			int validatePassword;
 			validatePassword = securePassword.validatePassword(password, user.getPassword());
 			if (validatePassword == 1) {
+				checkUserAccountStatus(user);
 				int iterations = 1001;
 				char[] chars = password.toCharArray();
 				byte[] salt = getSalt();
@@ -339,27 +347,34 @@ else if (users.get(0).getStatusID() > 2)
 				iEMRUserRepositoryCustom.save(user);
 
 			} else if (validatePassword == 2) {
+				checkUserAccountStatus(user);
 				iEMRUserRepositoryCustom.save(user);
 
 			} else if (validatePassword == 0) {
-				if (user.getFailedAttempt() + 1 >= failedAttempt) {
+				if (user.getFailedAttempt() + 1 < failedAttempt) {
+					user.setFailedAttempt(user.getFailedAttempt() + 1);
+					user = iEMRUserRepositoryCustom.save(user);
+					logger.warn("User Password Wrong");
+					throw new IEMRException("Invalid username or password");
+				} else if (user.getFailedAttempt() + 1 >= failedAttempt) {
 					user.setFailedAttempt(user.getFailedAttempt() + 1);
 					user.setDeleted(true);
 					user = iEMRUserRepositoryCustom.save(user);
 					logger.warn("User Account has been locked after reaching the limit of {} failed login attempts.",
 							ConfigProperties.getInteger("failedLoginAttempt"));
 
 					throw new IEMRException(
-							"Your account has been locked due to multiple failed login attempts. Please contact administrator.");
+							"Invalid username or password. Please contact administrator.");
 				} else {
 					user.setFailedAttempt(user.getFailedAttempt() + 1);
 					user = iEMRUserRepositoryCustom.save(user);
 					logger.warn("Failed login attempt {} of {} for a user account.",
 							user.getFailedAttempt(), ConfigProperties.getInteger("failedLoginAttempt"));
 					throw new IEMRException(
-							"Your account has been locked due to multiple failed login attempts. Please contact administrator.");
+							"Invalid username or password. Please contact administrator.");
 				}
 			} else {
+				checkUserAccountStatus(user);
 				if (user.getFailedAttempt() != 0) {
 					user.setFailedAttempt(0);
 					user = iEMRUserRepositoryCustom.save(user);
