fix(go): reject empty/same passwd on init change
All checks were successful
continuous-integration/drone/push Build is passing

This commit is contained in:
surtur 2023-09-04 11:28:23 +02:00
parent 047471e6d4
commit f4bd798821
Signed by: wanderer
SSH Key Fingerprint: SHA256:MdCZyJ2sHLltrLBp0xQO0O1qTW9BT/xl5nXkDvhlMCI
3 changed files with 54 additions and 4 deletions

@ -5,6 +5,7 @@ package handlers
import (
"context"
"errors"
"net/http"
moduser "git.dotya.ml/mirre-mt/pcmt/modules/user"
@ -70,6 +71,24 @@ func InitialPasswordChange() echo.HandlerFunc {
if err != nil {
c.Logger().Errorf("error changing initial user password: %q", err)
switch {
case errors.Is(err, moduser.ErrPasswordEmpty):
return renderErrorPage(
c,
http.StatusBadRequest,
http.StatusText(http.StatusBadRequest),
err.Error(),
)
case errors.Is(err, moduser.ErrNewPasswordCannotEqual):
return renderErrorPage(
c,
http.StatusBadRequest,
http.StatusText(http.StatusBadRequest)+" - the new password needs to be different from the original",
err.Error(),
)
}
return renderErrorPage(
c,
http.StatusInternalServerError,

@ -6,8 +6,10 @@ package user
import "errors"
var (
ErrUsersAlreadyPresent = errors.New("don't call CreateFirst when there already are another users")
ErrUserNotFound = errors.New("user not found")
ErrFailedToQueryUser = errors.New("failed to query user")
ErrBadUUID = errors.New("invalid uuid")
ErrUsersAlreadyPresent = errors.New("don't call CreateFirst when there already are another users")
ErrUserNotFound = errors.New("user not found")
ErrFailedToQueryUser = errors.New("failed to query user")
ErrBadUUID = errors.New("invalid uuid")
ErrPasswordEmpty = errors.New("password was empty")
ErrNewPasswordCannotEqual = errors.New("the new password cannot be the same as the old one")
)

@ -120,6 +120,19 @@ func QueryUserByID(ctx context.Context, client *ent.Client, strID string) (*ent.
return nil, ErrBadUUID
}
return QueryUserByUUID(ctx, client, id)
}
// QueryUserByUUID returns user for the provided ID, and nil if err == nil, nil
// and err otherwise.
func QueryUserByUUID(ctx context.Context, client *ent.Client, id uuid.UUID) (*ent.User, error) {
slogger := ctx.Value(CtxKey{}).(*slogging.Slogger)
log := *slogger
log.Logger = log.Logger.With(
slog.Group("pcmt extra", slog.String("module", "modules/user")),
)
u, err := client.User.
Query().
Where(user.IDEQ(id)).
@ -171,6 +184,22 @@ func ChangePassFirstLogin(ctx context.Context, client *ent.Client, id uuid.UUID,
return nil
}
if password == "" {
return ErrPasswordEmpty
}
{
u, err := QueryUserByUUID(ctx, client, id)
if err != nil {
return err
}
equal := passwd.Compare(u.Password, password)
if equal {
return ErrNewPasswordCannotEqual
}
}
var digest []byte
digest, err = passwd.GetHash(password)