Fix change password api

Zoe Roux 2025-11-09 16:34:54 +01:00
parent d42062679a
commit 5a37327e63
3 changed files with 35 additions and 8 deletions


@ -10,6 +10,6 @@ pkgs.mkShell {
postgresql_15 postgresql_15
pgformatter pgformatter
# to run tests # to run tests
# hurl hurl
]; ];
} }


@ -26,7 +26,16 @@ jwt: jsonpath "$.token"
PATCH {{host}}/users/me/password PATCH {{host}}/users/me/password
Authorization: Bearer {{jwt}} Authorization: Bearer {{jwt}}
{ {
"password": "new-password" "oldPassword": "invalid-one",
"newPassword": "wont-be-changed"
}
HTTP 403
PATCH {{host}}/users/me/password
Authorization: Bearer {{jwt}}
{
"oldPassword": "password-login-user",
"newPassword": "new-password"
} }
HTTP 204 HTTP 204
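Review bot: The new test stops at the `HTTP 204` and never shows that the change took effect: it neither authenticates with `new-password` nor checks that `password-login-user` is now rejected, so a handler that answers 204 without persisting the new hash would still pass. Adding a login request after the 204 in the same shape as the one that captured `jwt` earlier in the file, first with the new password expecting success and then with the old one expecting rejection, would close that gap. The 403 case added above covers only the wrong-old-password branch.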


@ -59,7 +59,8 @@ type EditUserDto struct {
} }
type EditPasswordDto struct { type EditPasswordDto struct {
Password string `json:"password" validate:"required" example:"password1234"` OldPassword string `json:"oldPassword" validate:"required" example:"password1234"`
NewPassword string `json:"newPassword" validate:"required" example:"password1234"`
} }
func MapDbUser(user *dbc.User) User { func MapDbUser(user *dbc.User) User {
@ -182,7 +183,7 @@ func (h *Handler) GetMe(c echo.Context) error {
if err != nil { if err != nil {
return err return err
} }
dbuser, err := h.db.GetUser(context.Background(), dbc.GetUserParams{ dbuser, err := h.db.GetUser(c.Request().Context(), dbc.GetUserParams{
UseId: true, UseId: true,
Id: id, Id: id,
}) })
@ -406,6 +407,10 @@ func (h *Handler) ChangePassword(c echo.Context) error {
if err != nil { if err != nil {
return err return err
} }
user, err := h.db.GetUser(c.Request().Context(), dbc.GetUserParams{
UseId: true,
Id: uid,
})
sid, err := GetCurrentSessionId(c) sid, err := GetCurrentSessionId(c)
if err != nil { if err != nil {
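Review bot: The error from the `h.db.GetUser` call added at the top of this hunk is never checked — the following `sid, err := GetCurrentSessionId(c)` overwrites `err`, so a failed lookup, an empty result slice, or a nil `Password` pointer reaches `*user[0].User.Password` in the next hunk and panics instead of returning an error. The lookup needs its own `if err != nil { return err }` plus a guard on `len(user)` and on the pointer before the dereference; whether `Password` can legitimately be nil (for example for accounts without a local password) is not visible here and should be confirmed against the schema. Separately, the `h.db.UpdateUser` call in the last hunk still passes `context.Background()` while both `GetUser` calls touched by this commit switched to `c.Request().Context()`; it should match so the write is cancelled with the request. ChangePassword starts and ends outside the visible hunks.
```go
user, err := h.db.GetUser(c.Request().Context(), dbc.GetUserParams{
	UseId: true,
	Id:    uid,
})
if err != nil {
	return err
}
// NOTE(review): confirm whether a nil Password is possible for this user; treated as non-matching here.
if len(user) == 0 || user[0].User.Password == nil {
	return echo.NewHTTPError(http.StatusForbidden, "Invalid password")
}
sid, err := GetCurrentSessionId(c)
// … unchanged: session id error handling …
```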
@ -421,13 +426,26 @@ func (h *Handler) ChangePassword(c echo.Context) error {
return err return err
} }
match, err := argon2id.ComparePasswordAndHash(
req.OldPassword,
*user[0].User.Password,
)
if err != nil {
return err
}
if !match {
return echo.NewHTTPError(http.StatusForbidden, "Invalid password")
}
pass, err := argon2id.CreateHash(req.NewPassword, argon2id.DefaultParams)
if err != nil {
return err
}
_, err = h.db.UpdateUser(context.Background(), dbc.UpdateUserParams{ _, err = h.db.UpdateUser(context.Background(), dbc.UpdateUserParams{
Id: uid, Id: uid,
Password: &req.Password, Password: &pass,
}) })
if err == pgx.ErrNoRows { if err != nil {
return echo.NewHTTPError(http.StatusNotFound, "Invalid token, user not found")
} else if err != nil {
return err return err
} }