feat: change password (#35)

* refactor: implement factories for testing * add additional factories * change protection for dropFields * prevent timed attacks on login * use switch instead of else-if * API implementation for changing password * add change-password dialog
2025-07-06 02:28:35 +00:00 · 2022-10-09 09:23:21 -08:00 · 2022-10-09 09:23:21 -08:00 · a6d2fd45df
commit a6d2fd45df
parent a6e3989aee
19 changed files with 458 additions and 149 deletions
--- a/backend/app/api/v1/v1_ctrl_auth.go
+++ b/backend/app/api/v1/v1_ctrl_auth.go
@ -36,7 +36,8 @@ func (ctrl *V1Controller) HandleAuthLogin() http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		loginForm := &LoginForm{}

-		if r.Header.Get("Content-Type") == server.ContentFormUrlEncoded {
+		switch r.Header.Get("Content-Type") {
+		case server.ContentFormUrlEncoded:
 			err := r.ParseForm()
 			if err != nil {
 				server.Respond(w, http.StatusBadRequest, server.Wrap(err))
@ -46,7 +47,7 @@ func (ctrl *V1Controller) HandleAuthLogin() http.HandlerFunc {

 			loginForm.Username = r.PostFormValue("username")
 			loginForm.Password = r.PostFormValue("password")
-		} else if r.Header.Get("Content-Type") == server.ContentJSON {
+		case server.ContentJSON:
 			err := server.Decode(r, loginForm)

 			if err != nil {
@ -54,7 +55,7 @@ func (ctrl *V1Controller) HandleAuthLogin() http.HandlerFunc {
 				server.Respond(w, http.StatusBadRequest, server.Wrap(err))
 				return
 			}
-		} else {
+		default:
 			server.Respond(w, http.StatusBadRequest, errors.New("invalid content type"))
 			return
 		}
@ -67,7 +68,7 @@ func (ctrl *V1Controller) HandleAuthLogin() http.HandlerFunc {
 		newToken, err := ctrl.svc.User.Login(r.Context(), loginForm.Username, loginForm.Password)

 		if err != nil {
-			server.RespondError(w, http.StatusUnauthorized, err)
+			server.RespondError(w, http.StatusInternalServerError, err)
 			return
 		}

--- a/backend/app/api/v1/v1_ctrl_user.go
+++ b/backend/app/api/v1/v1_ctrl_user.go
@ -119,3 +119,37 @@ func (ctrl *V1Controller) HandleUserSelfDelete() http.HandlerFunc {
 		server.Respond(w, http.StatusNoContent, nil)
 	}
 }
+
+type (
+	ChangePassword struct {
+		Current string `json:"current,omitempty"`
+		New     string `json:"new,omitempty"`
+	}
+)
+
+// HandleUserSelfChangePassword godoc
+// @Summary   Updates the users password
+// @Tags      User
+// @Success   204
+// @Param     payload  body  ChangePassword  true  "Password Payload"
+// @Router    /v1/users/change-password [PUT]
+// @Security  Bearer
+func (ctrl *V1Controller) HandleUserSelfChangePassword() http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		var cp ChangePassword
+		err := server.Decode(r, &cp)
+		if err != nil {
+			log.Err(err).Msg("user failed to change password")
+		}
+
+		ctx := services.NewContext(r.Context())
+
+		ok := ctrl.svc.User.ChangePassword(ctx, cp.Current, cp.New)
+		if !ok {
+			server.RespondError(w, http.StatusInternalServerError, err)
+			return
+		}
+
+		server.Respond(w, http.StatusNoContent, nil)
+	}
+}