Add a password reset api

2025-07-09 03:04:20 -04:00 · 2024-01-10 21:01:15 +01:00 · 2024-01-10 21:01:15 +01:00 · 6407579dd6
commit 6407579dd6
parent da4b877b0d
2 changed files with 65 additions and 0 deletions
--- a/back/src/Kyoo.Authentication/Models/DTO/PasswordResetRequest.cs
+++ b/back/src/Kyoo.Authentication/Models/DTO/PasswordResetRequest.cs
@ -0,0 +1,38 @@
+// Kyoo - A portable and vast media library solution.
+// Copyright (c) Kyoo.
+//
+// See AUTHORS.md and LICENSE file in the project root for full license information.
+//
+// Kyoo is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// any later version.
+//
+// Kyoo is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with Kyoo. If not, see <https://www.gnu.org/licenses/>.
+
+using System.ComponentModel.DataAnnotations;
+
+namespace Kyoo.Authentication.Models.DTO;
+
+/// <summary>
+/// A model only used on password resets.
+/// </summary>
+public class PasswordResetRequest
+{
+	/// <summary>
+	/// The old password
+	/// </summary>
+	public string OldPassword { get; set; }
+
+	/// <summary>
+	/// The new password
+	/// </summary>
+	[MinLength(4, ErrorMessage = "The password must have at least {1} characters")]
+	public string NewPassword { get; set; }
+}
--- a/back/src/Kyoo.Authentication/Views/AuthApi.cs
+++ b/back/src/Kyoo.Authentication/Views/AuthApi.cs
@ -185,6 +185,31 @@ namespace Kyoo.Authentication.Views
 			}
 		}

+		/// <summary>
+		/// Reset your password
+		/// </summary>
+		/// <remarks>
+		/// Change your password.
+		/// </remarks>
+		/// <param name="request">The old and new password</param>
+		/// <returns>Your account info.</returns>
+		/// <response code="403">The old password is invalid.</response>
+		[HttpPost("password-reset")]
+		[UserOnly]
+		[ProducesResponseType(StatusCodes.Status200OK)]
+		[ProducesResponseType(StatusCodes.Status403Forbidden, Type = typeof(RequestError))]
+		public async Task<ActionResult<User>> ResetPassword([FromBody] PasswordResetRequest request)
+		{
+			User user = await _users.Get(User.GetIdOrThrow());
+			if (!BCryptNet.Verify(request.OldPassword, user.Password))
+				return Forbid(new RequestError("The old password is invalid."));
+			return await _users.Patch(user.Id, (user) =>
+			{
+				user.Password = BCryptNet.HashPassword(request.NewPassword);
+				return user;
+			});
+		}
+
 		/// <summary>
 		/// Get authenticated user.
 		/// </summary>
@ -262,6 +287,8 @@ namespace Kyoo.Authentication.Views
 			{
 				if (patch.Id.HasValue && patch.Id != userId)
 					throw new ArgumentException("Can't edit your user id.");
+				if (patch.ContainsKey(nameof(Abstractions.Models.User.Password)))
+					throw new ArgumentException("Can't edit your password via a PATCH. Use /auth/password-reset");
 				return await _users.Patch(userId, patch.Apply);
 			}
 			catch (ItemNotFoundException)