From 983078de027cd9843b77ad6b60c656edecd311c1 Mon Sep 17 00:00:00 2001
From: Joseph Milazzo <joseph.v.milazzo@gmail.com>
Date: Sat, 13 Mar 2021 12:28:00 -0600
Subject: [PATCH] Ensure I validate before attempting to update password for
 reset password flow. Send some validation issues back to FE.

---
 API/Controllers/AccountController.cs | 32 ++++++++++++++++++++++++----
 API/Services/CacheService.cs         |  5 +----
 API/Services/Tasks/ScannerService.cs |  2 +-
 3 files changed, 30 insertions(+), 9 deletions(-)

diff --git a/API/Controllers/AccountController.cs b/API/Controllers/AccountController.cs
index d5e362c75..924242c9e 100644
--- a/API/Controllers/AccountController.cs
+++ b/API/Controllers/AccountController.cs
@@ -5,6 +5,7 @@ using System.Threading.Tasks;
 using API.Constants;
 using API.DTOs;
 using API.Entities;
+using API.Errors;
 using API.Extensions;
 using API.Interfaces;
 using API.Interfaces.Services;
@@ -39,18 +40,41 @@ namespace API.Controllers
             _logger = logger;
             _mapper = mapper;
         }
-
-        [Authorize(Policy = "RequireAdminRole")]
+        
         [HttpPost("reset-password")]
         public async Task<ActionResult> UpdatePassword(ResetPasswordDto resetPasswordDto)
         {
             _logger.LogInformation("{UserName} is changing {ResetUser}'s password", User.GetUsername(), resetPasswordDto.UserName);
             var user = await _userManager.Users.SingleAsync(x => x.UserName == resetPasswordDto.UserName);
+            var isAdmin = await _userManager.IsInRoleAsync(user, PolicyConstants.AdminRole);
+
+            if (resetPasswordDto.UserName != User.GetUsername() && !isAdmin) return Unauthorized("You are not permitted to this operation.");
+            
+            // Validate Password
+            foreach (var validator in _userManager.PasswordValidators)
+            {
+                var validationResult = await validator.ValidateAsync(_userManager, user, resetPasswordDto.Password);
+                if (!validationResult.Succeeded)
+                {
+                    return BadRequest(
+                        validationResult.Errors.Select(e => new ApiException(400, e.Code, e.Description)));
+                }
+            }
+            
             var result = await _userManager.RemovePasswordAsync(user);
-            if (!result.Succeeded) return BadRequest("Unable to update password");
+            if (!result.Succeeded)
+            {
+                _logger.LogError("Could not update password");
+                return BadRequest(result.Errors.Select(e => new ApiException(400, e.Code, e.Description)));
+            }
+            
             
             result = await _userManager.AddPasswordAsync(user, resetPasswordDto.Password);
-            if (!result.Succeeded) return BadRequest("Unable to update password");
+            if (!result.Succeeded)
+            {
+                _logger.LogError("Could not update password");
+                return BadRequest(result.Errors.Select(e => new ApiException(400, e.Code, e.Description)));
+            }
             
             _logger.LogInformation("{User}'s Password has been reset", resetPasswordDto.UserName);
             return Ok();
diff --git a/API/Services/CacheService.cs b/API/Services/CacheService.cs
index 4b4f457ee..a5bdb4220 100644
--- a/API/Services/CacheService.cs
+++ b/API/Services/CacheService.cs
@@ -31,13 +31,10 @@ namespace API.Services
 
         public void EnsureCacheDirectory()
         {
-            // TODO: Replace with DirectoryService.ExistOrCreate()
             _logger.LogDebug("Checking if valid Cache directory: {CacheDirectory}", CacheDirectory);
-            var di = new DirectoryInfo(CacheDirectory);
-            if (!di.Exists)
+            if (_directoryService.ExistOrCreate(CacheDirectory))
             {
                 _logger.LogError("Cache directory {CacheDirectory} is not accessible or does not exist. Creating...", CacheDirectory);
-                Directory.CreateDirectory(CacheDirectory);
             }
         }
 
diff --git a/API/Services/Tasks/ScannerService.cs b/API/Services/Tasks/ScannerService.cs
index b09d6d544..3da2dce03 100644
--- a/API/Services/Tasks/ScannerService.cs
+++ b/API/Services/Tasks/ScannerService.cs
@@ -63,7 +63,7 @@ namespace API.Services.Tasks
           _scannedSeries = null;
        }
 
-       [DisableConcurrentExecution(timeoutInSeconds: 360)] 
+       //[DisableConcurrentExecution(timeoutInSeconds: 360)] 
        public void ScanLibrary(int libraryId, bool forceUpdate)
        {
           _forceUpdate = forceUpdate;