mirrors/hedgedoc
1
0
Fork 0
mirror of https://github.com/hedgedoc/hedgedoc.git synced 2025-05-13 14:44:43 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat(auth): password change requires old password

Browse source 
By checking the "old" password of the user prior to a password change, the
password change function is more secured against abuse.

Signed-off-by: Erik Michelson <github@erik.michelson.eu>
This commit is contained in:
Erik Michelson 2021-12-28 01:46:40 +01:00 committed by David Mehren
parent 20b0ded223
commit 277e2fb1ca
No known key found for this signature in database
GPG key ID: 185982BA4C42B7C3
4 changed files with 37 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

10
src/api/private/auth/auth.controller.ts
View file

@ -9,10 +9,10 @@ import {
ConflictException,
Controller,
Delete,
NotFoundException,
Post,
Put,
Req,
UnauthorizedException,
UseGuards,
} from '@nestjs/common';
import { Session } from 'express-session';
@ -70,6 +70,10 @@ export class AuthController {
@Body() changePasswordDto: UpdatePasswordDto,
): Promise<void> {
try {
await this.identityService.loginWithLocalIdentity(
user,
changePasswordDto.currentPassword,
);
await this.identityService.updateLocalPassword(
user,
changePasswordDto.newPassword,
@ -77,7 +81,9 @@ export class AuthController {
return;
} catch (e) {
if (e instanceof NotInDBError) {
throw new NotFoundException(e.message);
throw new UnauthorizedException(
'Verifying your identity with the current password did not work.',
);
}
throw e;
}