Fix flow issue in POST /users/:id/changePassword

2016-07-25 15:49:38 -04:00 · 2016-07-25 15:49:38 -04:00 · df938dcd0a
commit df938dcd0a
parent 02f79731a9
2 changed files with 21 additions and 14 deletions
--- a/src/main/java/net/frozenorb/apiv3/model/User.java
+++ b/src/main/java/net/frozenorb/apiv3/model/User.java
@ -447,7 +447,7 @@ public final class User {
 				.hashString(input + "$" + id.toString(), Charsets.UTF_8)
 				.toString();

-		return password != null && hashed.equals(password);
+		return password != null && input != null && hashed.equals(password);
 	}

 	public void requiresTotpAuthorization(String ip, SingleResultCallback<RequiresTotpResult> callback) {
--- a/src/main/java/net/frozenorb/apiv3/route/users/POSTUsersIdChangePassword.java
+++ b/src/main/java/net/frozenorb/apiv3/route/users/POSTUsersIdChangePassword.java
@ -28,14 +28,17 @@ public final class POSTUsersIdChangePassword implements Handler<RoutingContext>

 		JsonObject requestBody = ctx.getBodyAsJson();

-		if (user.getPassword() == null) {
-			ErrorUtils.respondInvalidInput(ctx, "User provided does not have password set.");
-			return;
-		}
+		if (requestBody.containsKey("currentPassword")) {
+			if (user.getPassword() == null) {
+				ErrorUtils.respondInvalidInput(ctx, "User provided does not have password set.");
+				return;
+			}

-		boolean authorized = false;
+			if (!user.checkPassword(requestBody.getString("currentPassword"))) {
+				ErrorUtils.respondInvalidInput(ctx, "Could not authorize password change.");
+				return;
+			}

-		if (user.checkPassword(requestBody.getString("currentPassword"))) {
 			RequiresTotpResult requiresTotp = SyncUtils.runBlocking(v -> user.requiresTotpAuthorization(null, v));

 			if (requiresTotp == RequiresTotpResult.REQUIRED_NO_EXEMPTIONS) {
@ -47,18 +50,22 @@ public final class POSTUsersIdChangePassword implements Handler<RoutingContext>
 					return;
 				}
 			}
+		} else if (requestBody.containsKey("passwordResetToken")) {
+			if (user.getPasswordResetToken() == null) {
+				ErrorUtils.respondInvalidInput(ctx, "User provided does not have password reset token set.");
+				return;
+			}
+
+			if (!user.getPasswordResetToken().equals(requestBody.getString("passwordResetToken"))) {
+				ErrorUtils.respondInvalidInput(ctx, "Could not authorize password change.");
+				return;
+			}

-			authorized = true;
-		} else if (user.getPasswordResetToken() != null && user.getPasswordResetToken().equals(requestBody.getString("passwordResetToken"))) {
 			if ((System.currentTimeMillis() - user.getPasswordResetTokenSetAt().toEpochMilli()) > TimeUnit.DAYS.toMillis(2)) {
 				ErrorUtils.respondOther(ctx, 409, "Password reset token is expired.", "passwordTokenExpired", ImmutableMap.of());
 				return;
 			}
-
-			authorized = true;
-		}
-
-		if (!authorized) {
+		} else {
 			ErrorUtils.respondInvalidInput(ctx, "Could not authorize password change.");
 			return;
 		}