
feat: change own password confirmation #3894

Merged: kwasniew merged 7 commits into main from change-own-password-confirmation on Jun 5, 2023

Conversation


@kwasniew kwasniew commented May 29, 2023

About the changes

When changing your own password you should specify the old password. I decided to place the old password field above the new one.

Show new password error: [screenshot]

Show old password error: [screenshot]



const { password, confirmPassword } = req.body;
if (password === confirmPassword) {
const { password, confirmPassword, oldPassword } = req.body;
if (password === confirmPassword && oldPassword != null) {
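Review bot: `oldPassword != null` only rejects null and undefined, so an empty string or a non-string value (a number, an object) passes this guard and is forwarded to the hash comparison; since this controller branch is the only place the body is checked, tighten it to `typeof oldPassword === 'string' && oldPassword.length > 0`, or move the shape check into the request schema (the author's own comment says this belongs in the service). The same `else` also answers the confirm-mismatch case, so a client gets an identical 400 whichever field was wrong.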
Contributor Author
this should be part of the service but didn't want to change too many things in this PR

@@ -362,6 +362,22 @@ class UserService {
await this.resetTokenService.expireExistingTokensForUser(userId);
}

async changePasswordWithVerification(
Contributor Author
delegates to changePassword but performs extra check of old password hash

const currentPasswordHash = await this.store.getPasswordHash(userId);
const match = await bcrypt.compare(oldPassword, currentPasswordHash);
if (!match) {
throw new PasswordMismatch(
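Review bot: `bcrypt.compare(oldPassword, currentPasswordHash)` rejects with an error rather than resolving `false` when the second argument is not a string, so if `getPasswordHash` can return null or undefined for a user with no local password set, this path surfaces as a 500 instead of the intended PasswordMismatch/401; check for a missing hash before comparing and throw PasswordMismatch in that case too. A one-line doc comment on `changePasswordWithVerification` stating that it throws PasswordMismatch would also tell callers what to translate.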
Contributor Author
this results in 401 in the error translation layer

user.id,
password,
oldPassword,
);
res.status(200).end();
} else {
res.status(400).end();
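Review bot: this `else` returns 400 with an empty body for two different failures (`password !== confirmPassword` and a missing `oldPassword`); a short error message would let the UI point at the right field. On the 400-versus-401 question raised in the thread, 400 is the right code here: the request is malformed, not unauthorised. 401 is already produced for the case where the old password is present but wrong (PasswordMismatch in the service), and keeping the two codes distinct lets a client tell a form error from a credential failure.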
Contributor Author
not sure if we shouldn't make it 401 to be more precise

Co-authored-by: Nuno Góis <github@nunogois.com>
const { password, confirmPassword } = req.body;
if (password === confirmPassword) {
const { password, confirmPassword, oldPassword } = req.body;
if (password === confirmPassword && oldPassword != null) {
@nunogois nunogois (Member) commented Jun 5, 2023
Maybe it doesn't hurt to check for truthy here instead of != null so we can cover undefined and empty strings as well. But I'm guessing undefined is converted to null anyways.

Suggested change
if (password === confirmPassword && oldPassword != null) {
if (password === confirmPassword && oldPassword) {

Contributor Author
This part was test-driven and missing oldPassword is turned into null as you mentioned so I'd rather stick to the original version since I can't even trigger a test scenario for undefined to test it.

@nunogois nunogois (Member) left a comment
LGTM

@kwasniew kwasniew merged commit 5ec59c6 into main Jun 5, 2023
17 checks passed
@kwasniew kwasniew deleted the change-own-password-confirmation branch June 5, 2023 09:58
async changePasswordWithVerification(
userId: number,
newPassword: string,
oldPassword: string,
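Review bot: `newPassword` precedes `oldPassword` in this signature, while the method itself checks the old password first; two adjacent `string` parameters in that order are easy to swap at a call site without a type error. The controller call above passes `password, oldPassword`, which matches, but a doc comment on the method (or an options object with named fields) would make the expected order explicit.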
Member
I expected also a check of newPassword !== oldPassword, but since we don't have any 'password expiration'/'force password change' this should be OK.
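The flow this thread debates, written out as an added example that is not Unleash's code: a controller-side shape check that rejects undefined, null, empty and non-string values alike (the `!= null` versus truthiness point), a service method that verifies the old password before delegating, and the mapping of a wrong old password to 401 versus a malformed body to 400. Node's built-in scrypt stands in for the project's bcrypt so the block runs without dependencies; `InMemoryUserStore`, `changeOwnPassword` and the scenario data are hypothetical constructions for the example.

```typescript
import { randomBytes, scryptSync, timingSafeEqual } from 'node:crypto';

// Thrown by the service when the supplied old password does not match;
// the controller maps it to 401, mirroring the PR's error translation layer.
class PasswordMismatch extends Error {
  constructor() {
    super('old password does not match');
    this.name = 'PasswordMismatch';
  }
}

// scrypt (Node built-in) stands in for bcrypt here. Stored format: hex(salt):hex(key).
function hashPassword(password: string): string {
  const salt = randomBytes(16);
  const key = scryptSync(password, salt, 64);
  return `${salt.toString('hex')}:${key.toString('hex')}`;
}

function verifyPassword(password: string, stored: string): boolean {
  const [saltHex, keyHex] = stored.split(':');
  if (!saltHex || !keyHex) return false;
  const expected = Buffer.from(keyHex, 'hex');
  const actual = scryptSync(password, Buffer.from(saltHex, 'hex'), 64);
  // timingSafeEqual throws on length mismatch, so guard before comparing.
  return actual.length === expected.length && timingSafeEqual(actual, expected);
}

// Hypothetical in-memory store; a user with no entry has no local password.
class InMemoryUserStore {
  private readonly hashes = new Map<number, string>();
  getPasswordHash(userId: number): string | undefined {
    return this.hashes.get(userId);
  }
  setPasswordHash(userId: number, hash: string): void {
    this.hashes.set(userId, hash);
  }
}

class UserService {
  constructor(private readonly store: InMemoryUserStore) {}

  changePassword(userId: number, newPassword: string): void {
    this.store.setPasswordHash(userId, hashPassword(newPassword));
  }

  // Same shape as the PR's method: verify the old password, then delegate.
  // Throws PasswordMismatch on a wrong old password or when no hash is stored.
  changePasswordWithVerification(userId: number, newPassword: string, oldPassword: string): void {
    const currentHash = this.store.getPasswordHash(userId);
    // No stored hash: treat as a mismatch instead of comparing against undefined.
    if (currentHash === undefined || !verifyPassword(oldPassword, currentHash)) {
      throw new PasswordMismatch();
    }
    this.changePassword(userId, newPassword);
  }
}

// Controller: returns the HTTP status the handler would send.
// 400 = malformed body (missing, empty, non-string or mismatched fields), 401 = wrong old password.
function changeOwnPassword(service: UserService, userId: number, body: Record<string, unknown>): number {
  const { password, confirmPassword, oldPassword } = body;
  // typeof checks cover undefined, null, '' and non-string payloads in one place,
  // so nothing but a non-empty string ever reaches the hash comparison.
  if (
    typeof password !== 'string' || password.length === 0 || password !== confirmPassword ||
    typeof oldPassword !== 'string' || oldPassword.length === 0
  ) {
    return 400;
  }
  try {
    service.changePasswordWithVerification(userId, password, oldPassword);
    return 200;
  } catch (err) {
    if (err instanceof PasswordMismatch) return 401;
    throw err;
  }
}
```

Running it against a constructed store shows the three outcomes: a body with a mismatched confirmation, a missing, empty or numeric `oldPassword` all return 400 before any hash is touched; a well-formed body with the wrong old password, or for a user with no stored hash, returns 401; only the correct old password yields 200 and rotates the stored hash.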
