From df938dcd0a011a10df0305bad0aca14a1c4dcd10 Mon Sep 17 00:00:00 2001
From: Colin McDonald <cmcdonald.main@gmail.com>
Date: Mon, 25 Jul 2016 15:49:38 -0400
Subject: [PATCH] Fix flow issue in POST /users/:id/changePassword

---
 .../java/net/frozenorb/apiv3/model/User.java  |  2 +-
 .../users/POSTUsersIdChangePassword.java      | 33 +++++++++++--------
 2 files changed, 21 insertions(+), 14 deletions(-)

diff --git a/src/main/java/net/frozenorb/apiv3/model/User.java b/src/main/java/net/frozenorb/apiv3/model/User.java
index 28b016d..8688367 100644
--- a/src/main/java/net/frozenorb/apiv3/model/User.java
+++ b/src/main/java/net/frozenorb/apiv3/model/User.java
@@ -447,7 +447,7 @@ public final class User {
 				.hashString(input + "$" + id.toString(), Charsets.UTF_8)
 				.toString();
 
-		return password != null && hashed.equals(password);
+		return password != null && input != null && hashed.equals(password);
 	}
 
 	public void requiresTotpAuthorization(String ip, SingleResultCallback<RequiresTotpResult> callback) {
diff --git a/src/main/java/net/frozenorb/apiv3/route/users/POSTUsersIdChangePassword.java b/src/main/java/net/frozenorb/apiv3/route/users/POSTUsersIdChangePassword.java
index 0dc22b1..2c7aaf2 100644
--- a/src/main/java/net/frozenorb/apiv3/route/users/POSTUsersIdChangePassword.java
+++ b/src/main/java/net/frozenorb/apiv3/route/users/POSTUsersIdChangePassword.java
@@ -28,14 +28,17 @@ public final class POSTUsersIdChangePassword implements Handler<RoutingContext>
 
 		JsonObject requestBody = ctx.getBodyAsJson();
 
-		if (user.getPassword() == null) {
-			ErrorUtils.respondInvalidInput(ctx, "User provided does not have password set.");
-			return;
-		}
+		if (requestBody.containsKey("currentPassword")) {
+			if (user.getPassword() == null) {
+				ErrorUtils.respondInvalidInput(ctx, "User provided does not have password set.");
+				return;
+			}
 
-		boolean authorized = false;
+			if (!user.checkPassword(requestBody.getString("currentPassword"))) {
+				ErrorUtils.respondInvalidInput(ctx, "Could not authorize password change.");
+				return;
+			}
 
-		if (user.checkPassword(requestBody.getString("currentPassword"))) {
 			RequiresTotpResult requiresTotp = SyncUtils.runBlocking(v -> user.requiresTotpAuthorization(null, v));
 
 			if (requiresTotp == RequiresTotpResult.REQUIRED_NO_EXEMPTIONS) {
@@ -47,18 +50,22 @@ public final class POSTUsersIdChangePassword implements Handler<RoutingContext>
 					return;
 				}
 			}
+		} else if (requestBody.containsKey("passwordResetToken")) {
+			if (user.getPasswordResetToken() == null) {
+				ErrorUtils.respondInvalidInput(ctx, "User provided does not have password reset token set.");
+				return;
+			}
+
+			if (!user.getPasswordResetToken().equals(requestBody.getString("passwordResetToken"))) {
+				ErrorUtils.respondInvalidInput(ctx, "Could not authorize password change.");
+				return;
+			}
 
-			authorized = true;
-		} else if (user.getPasswordResetToken() != null && user.getPasswordResetToken().equals(requestBody.getString("passwordResetToken"))) {
 			if ((System.currentTimeMillis() - user.getPasswordResetTokenSetAt().toEpochMilli()) > TimeUnit.DAYS.toMillis(2)) {
 				ErrorUtils.respondOther(ctx, 409, "Password reset token is expired.", "passwordTokenExpired", ImmutableMap.of());
 				return;
 			}
-
-			authorized = true;
-		}
-
-		if (!authorized) {
+		} else {
 			ErrorUtils.respondInvalidInput(ctx, "Could not authorize password change.");
 			return;
 		}