From d0690622cdb885005444848a7db34bf89151e803 Mon Sep 17 00:00:00 2001 From: Syldexia Date: Mon, 21 May 2018 22:17:34 +0100 Subject: [PATCH 1/2] Added endpoint for changing passwords --- lib/pleroma/web/common_api/utils.ex | 4 +- lib/pleroma/web/router.ex | 1 + .../controllers/util_controller.ex | 25 +++++- .../twitter_api_controller_test.exs | 77 +++++++++++++++++++ 4 files changed, 104 insertions(+), 3 deletions(-) diff --git a/lib/pleroma/web/common_api/utils.ex b/lib/pleroma/web/common_api/utils.ex index e774743a2..4ac45b592 100644 --- a/lib/pleroma/web/common_api/utils.ex +++ b/lib/pleroma/web/common_api/utils.ex @@ -187,9 +187,9 @@ defp shortname(name) do end end - def confirm_current_password(user, params) do + def confirm_current_password(user, password) do with %User{local: true} = db_user <- Repo.get(User, user.id), - true <- Pbkdf2.checkpw(params["password"], db_user.password_hash) do + true <- Pbkdf2.checkpw(password, db_user.password_hash) do {:ok, db_user} else _ -> {:error, "Invalid password."} diff --git a/lib/pleroma/web/router.ex b/lib/pleroma/web/router.ex index 2b5209b75..9389244b1 100644 --- a/lib/pleroma/web/router.ex +++ b/lib/pleroma/web/router.ex @@ -73,6 +73,7 @@ def user_fetcher(username) do scope "/api/pleroma", Pleroma.Web.TwitterAPI do pipe_through(:authenticated_api) post("/follow_import", UtilController, :follow_import) + post("/change_password", UtilController, :change_password) post("/delete_account", UtilController, :delete_account) end diff --git a/lib/pleroma/web/twitter_api/controllers/util_controller.ex b/lib/pleroma/web/twitter_api/controllers/util_controller.ex index 23e7408a0..cc5146566 100644 --- a/lib/pleroma/web/twitter_api/controllers/util_controller.ex +++ b/lib/pleroma/web/twitter_api/controllers/util_controller.ex @@ -197,8 +197,31 @@ def follow_import(%{assigns: %{user: user}} = conn, %{"list" => list}) do json(conn, "job started") end + def change_password(%{assigns: %{user: user}} = conn, params) do + case CommonAPI.Utils.confirm_current_password(user, params["password"]) do + {:ok, user} -> + with {:ok, _user} <- + User.reset_password(user, %{ + password: params["new_password"], + password_confirmation: params["new_password_confirmation"] + }) do + json(conn, %{status: "success"}) + else + {:error, changeset} -> + {_, {error, _}} = Enum.at(changeset.errors, 0) + json(conn, %{error: "New password #{error}."}) + + _ -> + json(conn, %{error: "Unable to change password."}) + end + + {:error, msg} -> + json(conn, %{error: msg}) + end + end + def delete_account(%{assigns: %{user: user}} = conn, params) do - case CommonAPI.Utils.confirm_current_password(user, params) do + case CommonAPI.Utils.confirm_current_password(user, params["password"]) do {:ok, user} -> Task.start(fn -> User.delete(user) end) json(conn, %{status: "success"}) diff --git a/test/web/twitter_api/twitter_api_controller_test.exs b/test/web/twitter_api/twitter_api_controller_test.exs index 02aba0bc8..73443e053 100644 --- a/test/web/twitter_api/twitter_api_controller_test.exs +++ b/test/web/twitter_api/twitter_api_controller_test.exs @@ -8,6 +8,7 @@ defmodule Pleroma.Web.TwitterAPI.ControllerTest do alias Pleroma.Web.TwitterAPI.NotificationView alias Pleroma.Web.CommonAPI alias Pleroma.Web.TwitterAPI.TwitterAPI + alias Comeonin.Pbkdf2 import Pleroma.Factory @@ -801,6 +802,82 @@ test "Convert newlines to
in bio", %{conn: conn} do assert user.bio == "Hello,
World! I
am a test." end + describe "POST /api/pleroma/change_password" do + setup [:valid_user] + + test "without credentials", %{conn: conn} do + conn = post(conn, "/api/pleroma/change_password") + assert json_response(conn, 403) == %{"error" => "Invalid credentials."} + end + + test "with credentials and invalid password", %{conn: conn, user: current_user} do + conn = + conn + |> with_credentials(current_user.nickname, "test") + |> post("/api/pleroma/change_password", %{ + "password" => "hi", + "new_password" => "newpass", + "new_password_confirmation" => "newpass" + }) + + assert json_response(conn, 200) == %{"error" => "Invalid password."} + end + + test "with credentials, valid password and new password and confirmation not matching", %{ + conn: conn, + user: current_user + } do + conn = + conn + |> with_credentials(current_user.nickname, "test") + |> post("/api/pleroma/change_password", %{ + "password" => "test", + "new_password" => "newpass", + "new_password_confirmation" => "notnewpass" + }) + + assert json_response(conn, 200) == %{ + "error" => "New password does not match confirmation." + } + end + + test "with credentials, valid password and invalid new password", %{ + conn: conn, + user: current_user + } do + conn = + conn + |> with_credentials(current_user.nickname, "test") + |> post("/api/pleroma/change_password", %{ + "password" => "test", + "new_password" => "", + "new_password_confirmation" => "" + }) + + assert json_response(conn, 200) == %{ + "error" => "New password can't be blank." + } + end + + test "with credentials, valid password and matching new password and confirmation", %{ + conn: conn, + user: current_user + } do + conn = + conn + |> with_credentials(current_user.nickname, "test") + |> post("/api/pleroma/change_password", %{ + "password" => "test", + "new_password" => "newpass", + "new_password_confirmation" => "newpass" + }) + + assert json_response(conn, 200) == %{"status" => "success"} + fetched_user = Repo.get(User, current_user.id) + assert Pbkdf2.checkpw("newpass", fetched_user.password_hash) == true + end + end + describe "POST /api/pleroma/delete_account" do setup [:valid_user] From 69aa7c213a8aa1dfa54dbcfdab0c4b10ec415df8 Mon Sep 17 00:00:00 2001 From: Syldexia Date: Mon, 21 May 2018 22:32:28 +0100 Subject: [PATCH 2/2] Fixed test --- test/web/common_api/common_api_utils_test.exs | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/test/web/common_api/common_api_utils_test.exs b/test/web/common_api/common_api_utils_test.exs index 23cce471f..f39472ee3 100644 --- a/test/web/common_api/common_api_utils_test.exs +++ b/test/web/common_api/common_api_utils_test.exs @@ -21,13 +21,12 @@ test "it adds attachment links to a given text and attachment set" do test "incorrect password given" do {:ok, user} = UserBuilder.insert() - assert Utils.confirm_current_password(user, %{"password" => ""}) == - {:error, "Invalid password."} + assert Utils.confirm_current_password(user, "") == {:error, "Invalid password."} end test "correct password given" do {:ok, user} = UserBuilder.insert() - assert Utils.confirm_current_password(user, %{"password" => "test"}) == {:ok, user} + assert Utils.confirm_current_password(user, "test") == {:ok, user} end end end