AMM-118: Add time-based account lockout with auto-unlock

Signed-off-by: Varun Deep Saini <varun.23bcs10048@ms.sst.scaler.com>

Author: Varun Deep Saini

src/main/java/com/iemr/common/controller/users/IEMRAdminController.java

@@ -77,6 +77,7 @@
 @RequestMapping("/user")
 @RestController
 public class IEMRAdminController {
+	private static final String USER_ID_FIELD = "userId";
 	private final Logger logger = LoggerFactory.getLogger(this.getClass().getName());
 	private InputMapper inputMapper = new InputMapper();
 
@@ -583,6 +584,13 @@ public String getLoginResponse(HttpServletRequest request) {
 					throw new IEMRException("Authentication failed. Please log in again.");
 				}
 
+				// Validate the token first
+				Claims claims = jwtUtil.validateToken(jwtToken);
+				if (claims == null) {
+					logger.warn("Authentication failed: invalid or expired token.");
+					throw new IEMRException("Authentication failed. Please log in again.");
+				}
+
 				// Extract user ID from the JWT token
 				String userId = jwtUtil.getUserIdFromToken(jwtToken);
 
@@ -1230,4 +1238,87 @@ public ResponseEntity<?> getUserDetails(@PathVariable("userName") String userNam
 		}
 
 	}
+
+	@Operation(summary = "Unlock user account locked due to failed login attempts")
+	@PostMapping(value = "/unlockUserAccount", produces = MediaType.APPLICATION_JSON, headers = "Authorization")
+	public String unlockUserAccount(@RequestBody String request, HttpServletRequest httpRequest) {
+		OutputResponse response = new OutputResponse();
+		try {
+			Long authenticatedUserId = getAuthenticatedUserId(httpRequest);
+			validateAdminPrivileges(authenticatedUserId);
+			Long userId = parseUserIdFromRequest(request);
+			boolean unlocked = iemrAdminUserServiceImpl.unlockUserAccount(userId);
+			response.setResponse(unlocked ? "User account successfully unlocked" : "User account was not locked");
+		} catch (Exception e) {
+			logger.error("Error unlocking user account: " + e.getMessage(), e);
+			response.setError(e);
+		}
+		return response.toString();
+	}
+
+	@Operation(summary = "Get user account lock status")
+	@PostMapping(value = "/getUserLockStatus", produces = MediaType.APPLICATION_JSON, headers = "Authorization")
+	public String getUserLockStatus(@RequestBody String request, HttpServletRequest httpRequest) {
+		OutputResponse response = new OutputResponse();
+		try {
+			Long authenticatedUserId = getAuthenticatedUserId(httpRequest);
+			validateAdminPrivileges(authenticatedUserId);
+			Long userId = parseUserIdFromRequest(request);
+			String lockStatusJson = iemrAdminUserServiceImpl.getUserLockStatusJson(userId);
+			response.setResponse(lockStatusJson);
+		} catch (Exception e) {
+			logger.error("Error getting user lock status: " + e.getMessage(), e);
+			response.setError(e);
+		}
+		return response.toString();
+	}
+
+	private Long parseUserIdFromRequest(String request) throws IEMRException {
+		try {
+			JsonObject requestObj = JsonParser.parseString(request).getAsJsonObject();
+			if (!requestObj.has(USER_ID_FIELD) || requestObj.get(USER_ID_FIELD).isJsonNull()) {
+				throw new IEMRException(USER_ID_FIELD + " is required");
+			}
+			JsonElement userIdElement = requestObj.get(USER_ID_FIELD);
+			if (!userIdElement.isJsonPrimitive() || !userIdElement.getAsJsonPrimitive().isNumber()) {
+				throw new IEMRException(USER_ID_FIELD + " must be a number");
+			}
+			return userIdElement.getAsLong();
+		} catch (IEMRException e) {
+			throw e;
+		} catch (Exception e) {
+			logger.error("Failed to parse {} from request: {}", USER_ID_FIELD, e.getMessage());
+			throw new IEMRException("Invalid request body");
+		}
+	}
+
+	private Long getAuthenticatedUserId(HttpServletRequest httpRequest) throws IEMRException {
+		String authorization = httpRequest.getHeader("Authorization");
+		if (authorization != null && authorization.contains("Bearer ")) {
+			authorization = authorization.replace("Bearer ", "");
+		}
+		if (authorization == null || authorization.isEmpty()) {
+			throw new IEMRException("Authentication required");
+		}
+		try {
+			String sessionJson = sessionObject.getSessionObject(authorization);
+			if (sessionJson == null || sessionJson.isEmpty()) {
+				throw new IEMRException("Session expired. Please log in again.");
+			}
+			JSONObject session = new JSONObject(sessionJson);
+			return session.getLong("userID");
+		} catch (IEMRException e) {
+			throw e;
+		} catch (Exception e) {
+			logger.error("Authentication failed while extracting user ID: {}", e.getMessage());
+			throw new IEMRException("Authentication failed");
+		}
+	}
+
+	private void validateAdminPrivileges(Long userId) throws IEMRException {
+		if (!iemrAdminUserServiceImpl.hasAdminPrivileges(userId)) {
+			logger.warn("Unauthorized access attempt by userId: {}", userId);
+			throw new IEMRException("Access denied. Admin privileges required.");
+		}
+	}
 }

src/main/java/com/iemr/common/data/users/User.java

@@ -213,6 +213,10 @@ public class User implements Serializable  {
 	@Column(name = "dhistoken")
 	private String dhistoken;
 
+	@Expose
+	@Column(name = "lock_timestamp")
+	private Timestamp lockTimestamp;
+
 	/*
 	 * protected User() { }
 	 */

src/main/java/com/iemr/common/repository/users/IEMRUserRepositoryCustom.java

@@ -75,7 +75,7 @@ UserSecurityQMapping verifySecurityQuestionAnswers(@Param("UserID") Long UserID,
 
 	@Query("SELECT u FROM User u WHERE u.userID=5718")
 	User getAllExistingUsers();
-	
+
 	User findByUserID(Long userID);
 
 }

src/main/java/com/iemr/common/service/users/IEMRAdminUserService.java

@@ -123,6 +123,10 @@ public List<ServiceRoleScreenMapping> getUserServiceRoleMappingForProvider(Integ
 
 	List<User> getUserIdbyUserName(String userName) throws IEMRException;
 
+	boolean unlockUserAccount(Long userId) throws IEMRException;
+
+	String getUserLockStatusJson(Long userId) throws IEMRException;
+
+	boolean hasAdminPrivileges(Long userId) throws IEMRException;
 
-	
 }