feat: change password (#35)

* refactor: implement factories for testing * add additional factories * change protection for dropFields * prevent timed attacks on login * use switch instead of else-if * API implementation for changing password * add change-password dialog
2022-10-09 09:23:21 -08:00 · 2022-10-09 09:23:21 -08:00 · a6d2fd45df
commit a6d2fd45df
parent a6e3989aee
19 changed files with 458 additions and 149 deletions
--- a/backend/internal/repo/repo_users.go
+++ b/backend/internal/repo/repo_users.go
@ -121,3 +121,7 @@ func (e *UserRepository) GetSuperusers(ctx context.Context) ([]*ent.User, error)

 	return users, nil
 }
+
+func (r *UserRepository) ChangePassword(ctx context.Context, UID uuid.UUID, pw string) error {
+	return r.db.User.UpdateOneID(UID).SetPassword(pw).Exec(ctx)
+}
--- a/backend/internal/services/service_user.go
+++ b/backend/internal/services/service_user.go
@ -142,7 +142,13 @@ func (svc *UserService) createToken(ctx context.Context, userId uuid.UUID) (User
 func (svc *UserService) Login(ctx context.Context, username, password string) (UserAuthTokenDetail, error) {
 	usr, err := svc.repos.Users.GetOneEmail(ctx, username)

-	if err != nil || !hasher.CheckPasswordHash(password, usr.PasswordHash) {
+	if err != nil {
+		// SECURITY: Perform hash to ensure response times are the same
+		hasher.CheckPasswordHash("not-a-real-password", "not-a-real-password")
+		return UserAuthTokenDetail{}, ErrorInvalidLogin
+	}
+
+	if !hasher.CheckPasswordHash(password, usr.PasswordHash) {
 		return UserAuthTokenDetail{}, ErrorInvalidLogin
 	}

@ -190,3 +196,29 @@ func (svc *UserService) NewInvitation(ctx Context, uses int, expiresAt time.Time

 	return token.Raw, nil
 }
+
+func (svc *UserService) ChangePassword(ctx Context, current string, new string) (ok bool) {
+	usr, err := svc.repos.Users.GetOneId(ctx, ctx.UID)
+	if err != nil {
+		return false
+	}
+
+	if !hasher.CheckPasswordHash(current, usr.PasswordHash) {
+		log.Err(errors.New("current password is incorrect")).Msg("Failed to change password")
+		return false
+	}
+
+	hashed, err := hasher.HashPassword(new)
+	if err != nil {
+		log.Err(err).Msg("Failed to hash password")
+		return false
+	}
+
+	err = svc.repos.Users.ChangePassword(ctx.Context, ctx.UID, hashed)
+	if err != nil {
+		log.Err(err).Msg("Failed to change password")
+		return false
+	}
+
+	return true
+}