diff --git a/src/api/private/auth/auth.controller.ts b/src/api/private/auth/auth.controller.ts
index b2f0b3bc7..b003b70ce 100644
--- a/src/api/private/auth/auth.controller.ts
+++ b/src/api/private/auth/auth.controller.ts
@@ -9,10 +9,10 @@ import {
 ConflictException,
 Controller,
 Delete,
- NotFoundException,
 Post,
 Put,
 Req,
+ UnauthorizedException,
 UseGuards,
 } from '@nestjs/common';
 import { Session } from 'express-session';
@@ -70,6 +70,10 @@ export class AuthController {
 @Body() changePasswordDto: UpdatePasswordDto,
 ): Promise {
 try {
+ await this.identityService.loginWithLocalIdentity(
+ user,
+ changePasswordDto.currentPassword,
+ );
 await this.identityService.updateLocalPassword(
 user,
 changePasswordDto.newPassword,
@@ -77,7 +81,9 @@ export class AuthController {
 return;
 } catch (e) {
 if (e instanceof NotInDBError) {
- throw new NotFoundException(e.message);
+ throw new UnauthorizedException(
+ 'Verifying your identity with the current password did not work.',
+ );
 }
 throw e;
 }
diff --git a/src/identity/local/update-password.dto.ts b/src/identity/local/update-password.dto.ts
index bfe473b32..abc379276 100644
--- a/src/identity/local/update-password.dto.ts
+++ b/src/identity/local/update-password.dto.ts
@@ -6,6 +6,8 @@ import { IsString } from 'class-validator';
 export class UpdatePasswordDto {
+ @IsString()
+ currentPassword: string;
 @IsString()
 newPassword: string;
 }
diff --git a/test/private-api/auth.e2e-spec.ts b/test/private-api/auth.e2e-spec.ts
index c1976f219..8a14b281c 100644
--- a/test/private-api/auth.e2e-spec.ts
+++ b/test/private-api/auth.e2e-spec.ts
@@ -112,6 +112,7 @@ describe('Auth', () => {
 it('works', async () => {
 // Change password
 const changePasswordDto: UpdatePasswordDto = {
+ currentPassword: password,
 newPassword: newPassword,
 };
 await request(testSetup.app.getHttpServer())
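Review bot: The new `loginWithLocalIdentity` call at the top of the try block in the password-change handler has no comment saying why a login routine is run on a request that is already authenticated, and the method's signature and closing brace lie outside this hunk. I would put `// Re-verify the current password so that a stolen session cookie alone cannot rotate the credential.` directly above the call. This also makes PUT /api/private/auth/local an online password-guessing oracle for whoever holds a valid session, so it should sit behind the same throttling as the login route; whether it does is not visible in this diff. If `loginWithLocalIdentity` does more than compare the hash (for example records a login), a verify-only helper would avoid those side effects — I cannot tell from here.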
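Review bot: The `if (e instanceof NotInDBError)` branch now turns every such error from the try block into the generic 401, and nothing records that the wording is deliberately non-specific; I would add `// Unknown local identity and mismatched current password are reported identically so the response does not reveal which check failed.` above the `throw new UnauthorizedException(`. Be aware the same branch also catches a `NotInDBError` raised by `updateLocalPassword` after the current password was accepted — that path used to be a 404 and is now reported as a failed password check, which is misleading if it can occur. The mapping further assumes `loginWithLocalIdentity` signals a wrong password with `NotInDBError`; the e2e test expecting 401 suggests it does, but any other error type would fall through `throw e` as a 500. The method's signature is outside this hunk.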
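Review bot: The new `currentPassword` field is validated with `@IsString()` only, so an empty string passes the DTO and is rejected only later by the 401 path; adding `@IsNotEmpty()` from class-validator (the file's existing import source) on its own decorator line above `currentPassword: string;` would turn that into a field-level 400 before any hash comparison. The same applies to the pre-existing `newPassword`, which also accepts `''` and carries no length rule; whether the service enforces a minimum is not visible here. Since this DTO is the request contract of PUT /api/private/auth/local, a one-line TSDoc per field would also help, e.g. `/** The user's current password, re-checked before the change is applied. */`.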
@@ -133,6 +134,7 @@ describe('Auth', () => {
 cookie = response.get('Set-Cookie')[0];
 // Reset password
 const changePasswordBackDto: UpdatePasswordDto = {
+ currentPassword: newPassword,
 newPassword: password,
 };
 await request(testSetup.app.getHttpServer())
@@ -146,6 +148,7 @@ describe('Auth', () => {
 testSetup.configService.get('authConfig').local.enableLogin = false;
 // Try to change password
 const changePasswordDto: UpdatePasswordDto = {
+ currentPassword: password,
 newPassword: newPassword,
 };
 await request(testSetup.app.getHttpServer())
@@ -177,6 +180,29 @@ describe('Auth', () => {
 .send(JSON.stringify(loginOldPasswordDto))
 .expect(201);
 });
+ it('fails, when old password is wrong', async () => {
+ // Try to change password
+ const changePasswordDto: UpdatePasswordDto = {
+ currentPassword: 'wrong',
+ newPassword: newPassword,
+ };
+ await request(testSetup.app.getHttpServer())
+ .put('/api/private/auth/local')
+ .set('Content-Type', 'application/json')
+ .set('Cookie', cookie)
+ .send(JSON.stringify(changePasswordDto))
+ .expect(401);
+ // old password still does work for login
+ const loginOldPasswordDto: LoginDto = {
+ password: password,
+ username: username,
+ };
+ await request(testSetup.app.getHttpServer())
+ .post('/api/private/auth/local/login')
+ .set('Content-Type', 'application/json')
+ .send(JSON.stringify(loginOldPasswordDto))
+ .expect(201);
+ });
 });
 describe('POST /auth/local/login', () => {
diff --git a/test/private-api/register-and-login.e2e-spec.ts b/test/private-api/register-and-login.e2e-spec.ts
index e84520fef..82e75c675 100644
--- a/test/private-api/register-and-login.e2e-spec.ts
+++ b/test/private-api/register-and-login.e2e-spec.ts
@@ -114,6 +114,7 @@ describe('Register and Login', () => {
 .set('Content-Type', 'application/json')
 .send(
 JSON.stringify({
+ currentPassword: PASSWORD,
 newPassword: 'newPassword',
 }),
 )
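Review bot: The new `it('fails, when old password is wrong')` case covers a wrong `currentPassword` but not an absent one, so the `@IsString()` rule this commit adds to `UpdatePasswordDto` is never exercised; a sibling case that sends only `newPassword` and expects 400 would pin the validation layer, assuming the app's ValidationPipe rejects DTO violations with 400 as is usual in Nest. The follow-up login with the old password is a good regression guard; I would tighten its comment to `// the password must be unchanged: the old one still logs in`. The `.put`/`.set`/`.set`/`.send` preamble now appears in four tests of this block and could be lifted into a small helper, though that is a style choice. The enclosing `describe` for PUT /auth/local starts outside this hunk.
```typescript
it('fails, when the current password is missing', async () => {
  await request(testSetup.app.getHttpServer())
    .put('/api/private/auth/local')
    .set('Content-Type', 'application/json')
    .set('Cookie', cookie)
    .send(JSON.stringify({ newPassword: newPassword }))
    .expect(400);
});
```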