From 983078de027cd9843b77ad6b60c656edecd311c1 Mon Sep 17 00:00:00 2001
From: Joseph Milazzo
Date: Sat, 13 Mar 2021 12:28:00 -0600
Subject: [PATCH] Ensure I validate before attempting to update password for reset password flow. Send some validation issues back to FE.
---
 API/Controllers/AccountController.cs | 32 ++++++++++++++++++++++++----
 API/Services/CacheService.cs | 5 +----
 API/Services/Tasks/ScannerService.cs | 2 +-
 3 files changed, 30 insertions(+), 9 deletions(-)

diff --git a/API/Controllers/AccountController.cs b/API/Controllers/AccountController.cs
index d5e362c75..924242c9e 100644
--- a/API/Controllers/AccountController.cs
+++ b/API/Controllers/AccountController.cs
@@ -5,6 +5,7 @@ using System.Threading.Tasks;
 using API.Constants;
 using API.DTOs;
 using API.Entities;
+using API.Errors;
 using API.Extensions;
 using API.Interfaces;
 using API.Interfaces.Services;
@@ -39,18 +40,41 @@ namespace API.Controllers
 _logger = logger;
 _mapper = mapper;
 }
-
- [Authorize(Policy = "RequireAdminRole")]
+
 [HttpPost("reset-password")]
 public async Task UpdatePassword(ResetPasswordDto resetPasswordDto)
 {
 _logger.LogInformation("{UserName} is changing {ResetUser}'s password", User.GetUsername(), resetPasswordDto.UserName);
 var user = await _userManager.Users.SingleAsync(x => x.UserName == resetPasswordDto.UserName);
+ var isAdmin = await _userManager.IsInRoleAsync(user, PolicyConstants.AdminRole);
+
+ if (resetPasswordDto.UserName != User.GetUsername() && !isAdmin) return Unauthorized("You are not permitted to this operation.");
+
+ // Validate Password
+ foreach (var validator in _userManager.PasswordValidators)
+ {
+ var validationResult = await validator.ValidateAsync(_userManager, user, resetPasswordDto.Password);
+ if (!validationResult.Succeeded)
+ {
+ return BadRequest(
+ validationResult.Errors.Select(e => new ApiException(400, e.Code, e.Description)));
+ }
+ }
+
 var result = await _userManager.RemovePasswordAsync(user);
- if (!result.Succeeded) return BadRequest("Unable to update password");
+ if (!result.Succeeded)
+ {
+ _logger.LogError("Could not update password");
+ return BadRequest(result.Errors.Select(e => new ApiException(400, e.Code, e.Description)));
+ }
+
 result = await _userManager.AddPasswordAsync(user, resetPasswordDto.Password);
- if (!result.Succeeded) return BadRequest("Unable to update password");
+ if (!result.Succeeded)
+ {
+ _logger.LogError("Could not update password");
+ return BadRequest(result.Errors.Select(e => new ApiException(400, e.Code, e.Description)));
+ }
 _logger.LogInformation("{User}'s Password has been reset", resetPasswordDto.UserName);
 return Ok();
diff --git a/API/Services/CacheService.cs b/API/Services/CacheService.cs
index 4b4f457ee..a5bdb4220 100644
--- a/API/Services/CacheService.cs
+++ b/API/Services/CacheService.cs
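Review bot: The new in-method authorization check computes `isAdmin` for the target account (`user` is looked up from `resetPasswordDto.UserName`), not for the caller, so `!isAdmin` tests the wrong principal: a non-admin caller passes the check when the account being reset is in the admin role, while an admin resetting a non-admin's password is refused. With `[Authorize(Policy = "RequireAdminRole")]` removed this condition is now the only gate on the endpoint, so resolve the caller instead, e.g. `var caller = await _userManager.Users.SingleAsync(x => x.UserName == User.GetUsername());` followed by `var isAdmin = await _userManager.IsInRoleAsync(caller, PolicyConstants.AdminRole);`. Since a rejected caller is authenticated but not permitted, `Forbid()` (403) describes the outcome better than `Unauthorized(...)` (401). Whether the endpoint still requires authentication at all depends on a controller-level `[Authorize]` outside this hunk; if there is none, `User.GetUsername()` can be null for anonymous requests and the comparison should be guarded.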
@@ -31,13 +31,10 @@ namespace API.Services
 public void EnsureCacheDirectory()
 {
- // TODO: Replace with DirectoryService.ExistOrCreate()
 _logger.LogDebug("Checking if valid Cache directory: {CacheDirectory}", CacheDirectory);
- var di = new DirectoryInfo(CacheDirectory);
- if (!di.Exists)
+ if (_directoryService.ExistOrCreate(CacheDirectory))
 {
 _logger.LogError("Cache directory {CacheDirectory} is not accessible or does not exist. Creating...", CacheDirectory);
- Directory.CreateDirectory(CacheDirectory);
 }
 }
diff --git a/API/Services/Tasks/ScannerService.cs b/API/Services/Tasks/ScannerService.cs
index b09d6d544..3da2dce03 100644
--- a/API/Services/Tasks/ScannerService.cs
+++ b/API/Services/Tasks/ScannerService.cs
@@ -63,7 +63,7 @@ namespace API.Services.Tasks
 _scannedSeries = null;
 }
- [DisableConcurrentExecution(timeoutInSeconds: 360)]
+ //[DisableConcurrentExecution(timeoutInSeconds: 360)]
 public void ScanLibrary(int libraryId, bool forceUpdate)
 {
 _forceUpdate = forceUpdate;
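Review bot: The condition on the new `if (_directoryService.ExistOrCreate(CacheDirectory))` line looks inverted: the old code logged only when the directory did not exist, whereas the new code logs "is not accessible or does not exist. Creating..." on the branch where `ExistOrCreate` returns true and no longer creates anything there. If `ExistOrCreate` returns true when the directory exists or was just created (which its name suggests but the hunk does not show), the error is logged on every successful run and a failure to create the directory goes unlogged. Suggest `if (!_directoryService.ExistOrCreate(CacheDirectory))` with a message that matches the branch, e.g. `_logger.LogError("Cache directory {CacheDirectory} could not be created or is not accessible", CacheDirectory);`, once the return contract is confirmed. The diffstat shows no other change to this file, so `_directoryService` is presumably an existing injected field; the constructor is outside the hunk.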
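Review bot: Commenting out `[DisableConcurrentExecution(timeoutInSeconds: 360)]` on `ScanLibrary` is unrelated to the password-reset subject of this commit and leaves commented-out code with no explanation. Without that (presumably Hangfire) attribute, overlapping scans can execute at the same time, and the visible lines show `ScanLibrary` writing instance state (`_forceUpdate = forceUpdate;`, and `_scannedSeries = null;` just above), which suggests it is not safe to run concurrently unless the service is scoped per job. Either delete the line or keep it with a comment giving the reason and the follow-up, e.g. `// TODO(<issue-id>): re-enable DisableConcurrentExecution once <reason>; ScanLibrary mutates _forceUpdate/_scannedSeries and is not safe to run concurrently`. The body of `ScanLibrary` continues past the end of the hunk.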