diff options
Diffstat (limited to 'internal/processing/user')
| -rw-r--r-- | internal/processing/user/password.go | 31 | ||||
| -rw-r--r-- | internal/processing/user/password_test.go | 2 |
2 files changed, 26 insertions, 7 deletions
diff --git a/internal/processing/user/password.go b/internal/processing/user/password.go index 244a5d349..68bc8ddb5 100644 --- a/internal/processing/user/password.go +++ b/internal/processing/user/password.go @@ -28,22 +28,41 @@ import ( // PasswordChange processes a password change request for the given user. func (p *Processor) PasswordChange(ctx context.Context, user *gtsmodel.User, oldPassword string, newPassword string) gtserror.WithCode { + // Ensure provided oldPassword is the correct current password. if err := bcrypt.CompareHashAndPassword([]byte(user.EncryptedPassword), []byte(oldPassword)); err != nil { + err := gtserror.Newf("%w", err) return gtserror.NewErrorUnauthorized(err, "old password was incorrect") } - if err := validate.NewPassword(newPassword); err != nil { + // Ensure new password is strong enough. + if err := validate.Password(newPassword); err != nil { return gtserror.NewErrorBadRequest(err, err.Error()) } - newPasswordHash, err := bcrypt.GenerateFromPassword([]byte(newPassword), bcrypt.DefaultCost) - if err != nil { - return gtserror.NewErrorInternalError(err, "error hashing password") + // Ensure new password is different from old password. + if newPassword == oldPassword { + const help = "new password cannot be the same as previous password" + err := gtserror.New(help) + return gtserror.NewErrorBadRequest(err, help) } - user.EncryptedPassword = string(newPasswordHash) + // Hash the new password. + encryptedPassword, err := bcrypt.GenerateFromPassword( + []byte(newPassword), + bcrypt.DefaultCost, + ) + if err != nil { + err := gtserror.Newf("%w", err) + return gtserror.NewErrorInternalError(err) + } - if err := p.state.DB.UpdateUser(ctx, user, "encrypted_password"); err != nil { + // Set new password on user. + user.EncryptedPassword = string(encryptedPassword) + if err := p.state.DB.UpdateUser( + ctx, user, + "encrypted_password", + ); err != nil { + err := gtserror.Newf("db error updating user: %w", err) return gtserror.NewErrorInternalError(err) } diff --git a/internal/processing/user/password_test.go b/internal/processing/user/password_test.go index 785f742b5..ee30558c6 100644 --- a/internal/processing/user/password_test.go +++ b/internal/processing/user/password_test.go @@ -54,7 +54,7 @@ func (suite *ChangePasswordTestSuite) TestChangePasswordIncorrectOld() { user := suite.testUsers["local_account_1"] errWithCode := suite.user.PasswordChange(context.Background(), user, "ooooopsydoooopsy", "verygoodnewpassword") - suite.EqualError(errWithCode, "crypto/bcrypt: hashedPassword is not the hash of the given password") + suite.EqualError(errWithCode, "PasswordChange: crypto/bcrypt: hashedPassword is not the hash of the given password") suite.Equal(http.StatusUnauthorized, errWithCode.Code()) suite.Equal("Unauthorized: old password was incorrect", errWithCode.Safe()) |