TRUNK-6147 - Secret question/answer are unusable after password change (

openmrs#4183)
JeremieUkundwa · Nov 2, 2022 · 77a44b4 · 77a44b4
1 parent 1bd2dc3
commit 77a44b4
Showing 1 changed file with 5 additions and 3 deletions.
diff --git a/api/src/main/java/org/openmrs/api/db/hibernate/HibernateUserDAO.java b/api/src/main/java/org/openmrs/api/db/hibernate/HibernateUserDAO.java
@@ -301,8 +301,10 @@ public void changePassword(User u, String pw) throws DAOException {
  }
 
  log.debug("updating password");
- //update the user with the new password
- String salt = Security.getRandomToken();
+ String salt = getLoginCredential(u).getSalt();
+ if (StringUtils.isBlank(salt)) {
+ salt = Security.getRandomToken();
+ }
  String newHashedPassword = Security.encodeString(pw + salt);
 
  updateUserPassword(newHashedPassword, salt, authUser.getUserId(), new Date(), u.getUserId());
@@ -363,7 +365,7 @@ public void changePassword(String pw, String pw2) throws DAOException {
  log.info("updating password for {}", u.getUsername());
 
  // update the user with the new password
- String salt = Security.getRandomToken();
+ String salt = credentials.getSalt();
  String newHashedPassword = Security.encodeString(pw2 + salt);
  updateUserPassword(newHashedPassword, salt, u.getUserId(), new Date(), u.getUserId());
  }