diff options
author | Chocobozzz <me@florianbigard.com> | 2018-09-26 16:28:15 +0200 |
---|---|---|
committer | Chocobozzz <me@florianbigard.com> | 2018-09-26 16:28:27 +0200 |
commit | a890d1e0d30851741392e6e7f14acffe685d28e0 (patch) | |
tree | 40f6d0c4643f795670943e176d60b2e85a0fb6e0 | |
parent | be1206bb934c223893a652be5f1f6c911c9c66be (diff) | |
download | PeerTube-a890d1e0d30851741392e6e7f14acffe685d28e0.tar.gz PeerTube-a890d1e0d30851741392e6e7f14acffe685d28e0.tar.zst PeerTube-a890d1e0d30851741392e6e7f14acffe685d28e0.zip |
Check current password on server side
8 files changed, 105 insertions, 33 deletions
diff --git a/client/src/app/+my-account/my-account-settings/my-account-change-password/my-account-change-password.component.html b/client/src/app/+my-account/my-account-settings/my-account-change-password/my-account-change-password.component.html index 00b6d20fa..ae797d1bc 100644 --- a/client/src/app/+my-account/my-account-settings/my-account-change-password/my-account-change-password.component.html +++ b/client/src/app/+my-account/my-account-settings/my-account-change-password/my-account-change-password.component.html | |||
@@ -1,14 +1,14 @@ | |||
1 | <div *ngIf="error" class="alert alert-danger">{{ error }}</div> | 1 | <div *ngIf="error" class="alert alert-danger">{{ error }}</div> |
2 | 2 | ||
3 | <form role="form" (ngSubmit)="checkPassword()" [formGroup]="form"> | 3 | <form role="form" (ngSubmit)="changePassword()" [formGroup]="form"> |
4 | 4 | ||
5 | <label i18n for="new-password">Change password</label> | 5 | <label i18n for="new-password">Change password</label> |
6 | <input | 6 | <input |
7 | type="password" id="old-password" i18n-placeholder placeholder="Old password" | 7 | type="password" id="current-password" i18n-placeholder placeholder="Current password" |
8 | formControlName="old-password" [ngClass]="{ 'input-error': formErrors['old-password'] }" | 8 | formControlName="current-password" [ngClass]="{ 'input-error': formErrors['current-password'] }" |
9 | > | 9 | > |
10 | <div *ngIf="formErrors['old-password']" class="form-error"> | 10 | <div *ngIf="formErrors['current-password']" class="form-error"> |
11 | {{ formErrors['old-password'] }} | 11 | {{ formErrors['current-password'] }} |
12 | </div> | 12 | </div> |
13 | 13 | ||
14 | <input | 14 | <input |
diff --git a/client/src/app/+my-account/my-account-settings/my-account-change-password/my-account-change-password.component.ts b/client/src/app/+my-account/my-account-settings/my-account-change-password/my-account-change-password.component.ts index da0021df9..e5343b33d 100644 --- a/client/src/app/+my-account/my-account-settings/my-account-change-password/my-account-change-password.component.ts +++ b/client/src/app/+my-account/my-account-settings/my-account-change-password/my-account-change-password.component.ts | |||
@@ -30,7 +30,7 @@ export class MyAccountChangePasswordComponent extends FormReactive implements On | |||
30 | 30 | ||
31 | ngOnInit () { | 31 | ngOnInit () { |
32 | this.buildForm({ | 32 | this.buildForm({ |
33 | 'old-password': this.userValidatorsService.USER_PASSWORD, | 33 | 'current-password': this.userValidatorsService.USER_PASSWORD, |
34 | 'new-password': this.userValidatorsService.USER_PASSWORD, | 34 | 'new-password': this.userValidatorsService.USER_PASSWORD, |
35 | 'new-confirmed-password': this.userValidatorsService.USER_CONFIRM_PASSWORD | 35 | 'new-confirmed-password': this.userValidatorsService.USER_CONFIRM_PASSWORD |
36 | }) | 36 | }) |
@@ -44,31 +44,26 @@ export class MyAccountChangePasswordComponent extends FormReactive implements On | |||
44 | .subscribe(() => confirmPasswordControl.setErrors({ matchPassword: true })) | 44 | .subscribe(() => confirmPasswordControl.setErrors({ matchPassword: true })) |
45 | } | 45 | } |
46 | 46 | ||
47 | checkPassword () { | 47 | changePassword () { |
48 | this.error = null | 48 | const currentPassword = this.form.value[ 'current-password' ] |
49 | const oldPassword = this.form.value[ 'old-password' ] | 49 | const newPassword = this.form.value[ 'new-password' ] |
50 | 50 | ||
51 | // compare old password | 51 | this.userService.changePassword(currentPassword, newPassword).subscribe( |
52 | this.authService.login(this.user.account.name, oldPassword) | ||
53 | .subscribe( | ||
54 | () => this.changePassword(), | ||
55 | err => { | ||
56 | if (err.message.indexOf('credentials are invalid') !== -1) this.error = this.i18n('Incorrect old password.') | ||
57 | else this.error = err.message | ||
58 | } | ||
59 | ) | ||
60 | |||
61 | } | ||
62 | |||
63 | private changePassword () { | ||
64 | this.userService.changePassword(this.form.value[ 'new-password' ]).subscribe( | ||
65 | () => { | 52 | () => { |
66 | this.notificationsService.success(this.i18n('Success'), this.i18n('Password updated.')) | 53 | this.notificationsService.success(this.i18n('Success'), this.i18n('Password updated.')) |
67 | 54 | ||
68 | this.form.reset() | 55 | this.form.reset() |
56 | this.error = null | ||
69 | }, | 57 | }, |
70 | 58 | ||
71 | err => this.error = err.message | 59 | err => { |
60 | if (err.status === 401) { | ||
61 | this.error = this.i18n('You current password is invalid.') | ||
62 | return | ||
63 | } | ||
64 | |||
65 | this.error = err.message | ||
66 | } | ||
72 | ) | 67 | ) |
73 | } | 68 | } |
74 | } | 69 | } |
diff --git a/client/src/app/shared/users/user.service.ts b/client/src/app/shared/users/user.service.ts index fad5b0980..bd5cd45d4 100644 --- a/client/src/app/shared/users/user.service.ts +++ b/client/src/app/shared/users/user.service.ts | |||
@@ -17,9 +17,10 @@ export class UserService { | |||
17 | ) { | 17 | ) { |
18 | } | 18 | } |
19 | 19 | ||
20 | changePassword (newPassword: string) { | 20 | changePassword (currentPassword: string, newPassword: string) { |
21 | const url = UserService.BASE_USERS_URL + 'me' | 21 | const url = UserService.BASE_USERS_URL + 'me' |
22 | const body: UserUpdateMe = { | 22 | const body: UserUpdateMe = { |
23 | currentPassword, | ||
23 | password: newPassword | 24 | password: newPassword |
24 | } | 25 | } |
25 | 26 | ||
diff --git a/server/controllers/api/users/me.ts b/server/controllers/api/users/me.ts index ff3a87b7f..591ec6b25 100644 --- a/server/controllers/api/users/me.ts +++ b/server/controllers/api/users/me.ts | |||
@@ -87,7 +87,7 @@ meRouter.get('/me/videos/:videoId/rating', | |||
87 | 87 | ||
88 | meRouter.put('/me', | 88 | meRouter.put('/me', |
89 | authenticate, | 89 | authenticate, |
90 | usersUpdateMeValidator, | 90 | asyncMiddleware(usersUpdateMeValidator), |
91 | asyncRetryTransactionMiddleware(updateMe) | 91 | asyncRetryTransactionMiddleware(updateMe) |
92 | ) | 92 | ) |
93 | 93 | ||
diff --git a/server/middlewares/validators/users.ts b/server/middlewares/validators/users.ts index d3ba1ae23..61297120a 100644 --- a/server/middlewares/validators/users.ts +++ b/server/middlewares/validators/users.ts | |||
@@ -22,6 +22,7 @@ import { Redis } from '../../lib/redis' | |||
22 | import { UserModel } from '../../models/account/user' | 22 | import { UserModel } from '../../models/account/user' |
23 | import { areValidationErrors } from './utils' | 23 | import { areValidationErrors } from './utils' |
24 | import { ActorModel } from '../../models/activitypub/actor' | 24 | import { ActorModel } from '../../models/activitypub/actor' |
25 | import { comparePassword } from '../../helpers/peertube-crypto' | ||
25 | 26 | ||
26 | const usersAddValidator = [ | 27 | const usersAddValidator = [ |
27 | body('username').custom(isUserUsernameValid).withMessage('Should have a valid username (lowercase alphanumeric characters)'), | 28 | body('username').custom(isUserUsernameValid).withMessage('Should have a valid username (lowercase alphanumeric characters)'), |
@@ -137,15 +138,31 @@ const usersUpdateValidator = [ | |||
137 | const usersUpdateMeValidator = [ | 138 | const usersUpdateMeValidator = [ |
138 | body('displayName').optional().custom(isUserDisplayNameValid).withMessage('Should have a valid display name'), | 139 | body('displayName').optional().custom(isUserDisplayNameValid).withMessage('Should have a valid display name'), |
139 | body('description').optional().custom(isUserDescriptionValid).withMessage('Should have a valid description'), | 140 | body('description').optional().custom(isUserDescriptionValid).withMessage('Should have a valid description'), |
141 | body('currentPassword').optional().custom(isUserPasswordValid).withMessage('Should have a valid current password'), | ||
140 | body('password').optional().custom(isUserPasswordValid).withMessage('Should have a valid password'), | 142 | body('password').optional().custom(isUserPasswordValid).withMessage('Should have a valid password'), |
141 | body('email').optional().isEmail().withMessage('Should have a valid email attribute'), | 143 | body('email').optional().isEmail().withMessage('Should have a valid email attribute'), |
142 | body('nsfwPolicy').optional().custom(isUserNSFWPolicyValid).withMessage('Should have a valid display Not Safe For Work policy'), | 144 | body('nsfwPolicy').optional().custom(isUserNSFWPolicyValid).withMessage('Should have a valid display Not Safe For Work policy'), |
143 | body('autoPlayVideo').optional().custom(isUserAutoPlayVideoValid).withMessage('Should have a valid automatically plays video attribute'), | 145 | body('autoPlayVideo').optional().custom(isUserAutoPlayVideoValid).withMessage('Should have a valid automatically plays video attribute'), |
144 | 146 | ||
145 | (req: express.Request, res: express.Response, next: express.NextFunction) => { | 147 | async (req: express.Request, res: express.Response, next: express.NextFunction) => { |
146 | // TODO: Add old password verification | ||
147 | logger.debug('Checking usersUpdateMe parameters', { parameters: omit(req.body, 'password') }) | 148 | logger.debug('Checking usersUpdateMe parameters', { parameters: omit(req.body, 'password') }) |
148 | 149 | ||
150 | if (req.body.password) { | ||
151 | if (!req.body.currentPassword) { | ||
152 | return res.status(400) | ||
153 | .send({ error: 'currentPassword parameter is missing.' }) | ||
154 | .end() | ||
155 | } | ||
156 | |||
157 | const user: UserModel = res.locals.oauth.token.User | ||
158 | |||
159 | if (await user.isPasswordMatch(req.body.currentPassword) !== true) { | ||
160 | return res.status(401) | ||
161 | .send({ error: 'currentPassword is invalid.' }) | ||
162 | .end() | ||
163 | } | ||
164 | } | ||
165 | |||
149 | if (areValidationErrors(req, res)) return | 166 | if (areValidationErrors(req, res)) return |
150 | 167 | ||
151 | return next() | 168 | return next() |
diff --git a/server/tests/api/check-params/users.ts b/server/tests/api/check-params/users.ts index 95903c8a5..cbfa0c137 100644 --- a/server/tests/api/check-params/users.ts +++ b/server/tests/api/check-params/users.ts | |||
@@ -254,6 +254,7 @@ describe('Test users API validators', function () { | |||
254 | 254 | ||
255 | it('Should fail with a too small password', async function () { | 255 | it('Should fail with a too small password', async function () { |
256 | const fields = { | 256 | const fields = { |
257 | currentPassword: 'my super password', | ||
257 | password: 'bla' | 258 | password: 'bla' |
258 | } | 259 | } |
259 | 260 | ||
@@ -262,12 +263,31 @@ describe('Test users API validators', function () { | |||
262 | 263 | ||
263 | it('Should fail with a too long password', async function () { | 264 | it('Should fail with a too long password', async function () { |
264 | const fields = { | 265 | const fields = { |
266 | currentPassword: 'my super password', | ||
265 | password: 'super'.repeat(61) | 267 | password: 'super'.repeat(61) |
266 | } | 268 | } |
267 | 269 | ||
268 | await makePutBodyRequest({ url: server.url, path: path + 'me', token: userAccessToken, fields }) | 270 | await makePutBodyRequest({ url: server.url, path: path + 'me', token: userAccessToken, fields }) |
269 | }) | 271 | }) |
270 | 272 | ||
273 | it('Should fail without the current password', async function () { | ||
274 | const fields = { | ||
275 | currentPassword: 'my super password', | ||
276 | password: 'super'.repeat(61) | ||
277 | } | ||
278 | |||
279 | await makePutBodyRequest({ url: server.url, path: path + 'me', token: userAccessToken, fields }) | ||
280 | }) | ||
281 | |||
282 | it('Should fail with an invalid current password', async function () { | ||
283 | const fields = { | ||
284 | currentPassword: 'my super password fail', | ||
285 | password: 'super'.repeat(61) | ||
286 | } | ||
287 | |||
288 | await makePutBodyRequest({ url: server.url, path: path + 'me', token: userAccessToken, fields, statusCodeExpected: 401 }) | ||
289 | }) | ||
290 | |||
271 | it('Should fail with an invalid NSFW policy attribute', async function () { | 291 | it('Should fail with an invalid NSFW policy attribute', async function () { |
272 | const fields = { | 292 | const fields = { |
273 | nsfwPolicy: 'hello' | 293 | nsfwPolicy: 'hello' |
@@ -286,6 +306,7 @@ describe('Test users API validators', function () { | |||
286 | 306 | ||
287 | it('Should fail with an non authenticated user', async function () { | 307 | it('Should fail with an non authenticated user', async function () { |
288 | const fields = { | 308 | const fields = { |
309 | currentPassword: 'my super password', | ||
289 | password: 'my super password' | 310 | password: 'my super password' |
290 | } | 311 | } |
291 | 312 | ||
@@ -300,8 +321,9 @@ describe('Test users API validators', function () { | |||
300 | await makePutBodyRequest({ url: server.url, path: path + 'me', token: userAccessToken, fields }) | 321 | await makePutBodyRequest({ url: server.url, path: path + 'me', token: userAccessToken, fields }) |
301 | }) | 322 | }) |
302 | 323 | ||
303 | it('Should succeed with the correct params', async function () { | 324 | it('Should succeed to change password with the correct params', async function () { |
304 | const fields = { | 325 | const fields = { |
326 | currentPassword: 'my super password', | ||
305 | password: 'my super password', | 327 | password: 'my super password', |
306 | nsfwPolicy: 'blur', | 328 | nsfwPolicy: 'blur', |
307 | autoPlayVideo: false, | 329 | autoPlayVideo: false, |
@@ -310,6 +332,16 @@ describe('Test users API validators', function () { | |||
310 | 332 | ||
311 | await makePutBodyRequest({ url: server.url, path: path + 'me', token: userAccessToken, fields, statusCodeExpected: 204 }) | 333 | await makePutBodyRequest({ url: server.url, path: path + 'me', token: userAccessToken, fields, statusCodeExpected: 204 }) |
312 | }) | 334 | }) |
335 | |||
336 | it('Should succeed without password change with the correct params', async function () { | ||
337 | const fields = { | ||
338 | nsfwPolicy: 'blur', | ||
339 | autoPlayVideo: false, | ||
340 | email: 'super_email@example.com' | ||
341 | } | ||
342 | |||
343 | await makePutBodyRequest({ url: server.url, path: path + 'me', token: userAccessToken, fields, statusCodeExpected: 204 }) | ||
344 | }) | ||
313 | }) | 345 | }) |
314 | 346 | ||
315 | describe('When updating my avatar', function () { | 347 | describe('When updating my avatar', function () { |
diff --git a/server/tests/api/users/users.ts b/server/tests/api/users/users.ts index c0dd587ee..8b9c6b455 100644 --- a/server/tests/api/users/users.ts +++ b/server/tests/api/users/users.ts | |||
@@ -4,10 +4,34 @@ import * as chai from 'chai' | |||
4 | import 'mocha' | 4 | import 'mocha' |
5 | import { User, UserRole } from '../../../../shared/index' | 5 | import { User, UserRole } from '../../../../shared/index' |
6 | import { | 6 | import { |
7 | createUser, flushTests, getBlacklistedVideosList, getMyUserInformation, getMyUserVideoQuotaUsed, getMyUserVideoRating, | 7 | blockUser, |
8 | getUserInformation, getUsersList, getUsersListPaginationAndSort, getVideosList, killallServers, login, makePutBodyRequest, rateVideo, | 8 | createUser, |
9 | registerUser, removeUser, removeVideo, runServer, ServerInfo, testImage, updateMyAvatar, updateMyUser, updateUser, uploadVideo, userLogin, | 9 | deleteMe, |
10 | deleteMe, blockUser, unblockUser, updateCustomSubConfig | 10 | flushTests, |
11 | getBlacklistedVideosList, | ||
12 | getMyUserInformation, | ||
13 | getMyUserVideoQuotaUsed, | ||
14 | getMyUserVideoRating, | ||
15 | getUserInformation, | ||
16 | getUsersList, | ||
17 | getUsersListPaginationAndSort, | ||
18 | getVideosList, | ||
19 | killallServers, | ||
20 | login, | ||
21 | makePutBodyRequest, | ||
22 | rateVideo, | ||
23 | registerUser, | ||
24 | removeUser, | ||
25 | removeVideo, | ||
26 | runServer, | ||
27 | ServerInfo, | ||
28 | testImage, | ||
29 | unblockUser, | ||
30 | updateMyAvatar, | ||
31 | updateMyUser, | ||
32 | updateUser, | ||
33 | uploadVideo, | ||
34 | userLogin | ||
11 | } from '../../utils/index' | 35 | } from '../../utils/index' |
12 | import { follow } from '../../utils/server/follows' | 36 | import { follow } from '../../utils/server/follows' |
13 | import { setAccessTokensToServers } from '../../utils/users/login' | 37 | import { setAccessTokensToServers } from '../../utils/users/login' |
@@ -302,6 +326,7 @@ describe('Test users', function () { | |||
302 | await updateMyUser({ | 326 | await updateMyUser({ |
303 | url: server.url, | 327 | url: server.url, |
304 | accessToken: accessTokenUser, | 328 | accessToken: accessTokenUser, |
329 | currentPassword: 'super password', | ||
305 | newPassword: 'new password' | 330 | newPassword: 'new password' |
306 | }) | 331 | }) |
307 | user.password = 'new password' | 332 | user.password = 'new password' |
diff --git a/server/tests/utils/users/users.ts b/server/tests/utils/users/users.ts index cd1b07701..41d8ce265 100644 --- a/server/tests/utils/users/users.ts +++ b/server/tests/utils/users/users.ts | |||
@@ -162,6 +162,7 @@ function unblockUser (url: string, userId: number | string, accessToken: string, | |||
162 | function updateMyUser (options: { | 162 | function updateMyUser (options: { |
163 | url: string | 163 | url: string |
164 | accessToken: string, | 164 | accessToken: string, |
165 | currentPassword?: string, | ||
165 | newPassword?: string, | 166 | newPassword?: string, |
166 | nsfwPolicy?: NSFWPolicyType, | 167 | nsfwPolicy?: NSFWPolicyType, |
167 | email?: string, | 168 | email?: string, |
@@ -172,6 +173,7 @@ function updateMyUser (options: { | |||
172 | const path = '/api/v1/users/me' | 173 | const path = '/api/v1/users/me' |
173 | 174 | ||
174 | const toSend = {} | 175 | const toSend = {} |
176 | if (options.currentPassword !== undefined && options.currentPassword !== null) toSend['currentPassword'] = options.currentPassword | ||
175 | if (options.newPassword !== undefined && options.newPassword !== null) toSend['password'] = options.newPassword | 177 | if (options.newPassword !== undefined && options.newPassword !== null) toSend['password'] = options.newPassword |
176 | if (options.nsfwPolicy !== undefined && options.nsfwPolicy !== null) toSend['nsfwPolicy'] = options.nsfwPolicy | 178 | if (options.nsfwPolicy !== undefined && options.nsfwPolicy !== null) toSend['nsfwPolicy'] = options.nsfwPolicy |
177 | if (options.autoPlayVideo !== undefined && options.autoPlayVideo !== null) toSend['autoPlayVideo'] = options.autoPlayVideo | 179 | if (options.autoPlayVideo !== undefined && options.autoPlayVideo !== null) toSend['autoPlayVideo'] = options.autoPlayVideo |