authorJannik Schönartz2019-02-26 03:46:36 +0100
committerJannik Schönartz2019-02-26 03:46:36 +0100
commitcf1b40542c41b3c78e83650e4e73e596c85ff160 (patch)
treed10d2f5061815e95fc56e43f1675eb127416e255
parent[webapp/groups] fix wrong tabbar color (diff)
downloadbas-cf1b40542c41b3c78e83650e4e73e596c85ff160.tar.gz
bas-cf1b40542c41b3c78e83650e4e73e596c85ff160.tar.xz
bas-cf1b40542c41b3c78e83650e4e73e596c85ff160.zip
[account] Fix for the changePassword method
User update changes didn't hash the new password correctly. changePassword reworked from promises to async / await (much cleaner). Checking whether the user table is empty is now a GET request and not mixed into the POST request.
-rw-r--r--server/api/authentication.js13
-rw-r--r--server/api/users.js18
-rw-r--r--server/lib/authentication.js68
-rw-r--r--webapp/src/components/AccountModule.vue2
-rw-r--r--webapp/src/components/StartPageSetup.vue4
-rw-r--r--webapp/src/components/UserModuleEdit.vue8
6 files changed, 73 insertions, 40 deletions
diff --git a/server/api/authentication.js b/server/api/authentication.js
index 18158ce..60b04f9 100644
--- a/server/api/authentication.js
+++ b/server/api/authentication.js
@@ -5,6 +5,14 @@ var express = require('express')
var noAuthRouter = express.Router()
var authentication = require(path.join(__appdir, 'lib', 'authentication'))
+// Setup method for checking if setup is possible.
+noAuthRouter.get('/setup', (req, res) => {
+ db.user.findAll().then(users => {
+ if (users.length > 0) res.status(403).send({ status: 'USERTABLE_NOT_EMPTY', error_message: 'The user table is not empty, unauthorized creation is forbidden.' })
+ else res.send({ status: 'SUCCESS' })
+ })
+})
+
noAuthRouter.post('/token', (req, res) => {
authentication.loginToken(req, res)
})
@@ -20,9 +28,8 @@ noAuthRouter.post('/logout', (req, res) => {
// Setup method for creating the initial root account.
noAuthRouter.post('/setup', (req, res) => {
db.user.findAll().then(users => {
- if (users.length > 0) res.status(500).send({ status: 'USERTABLE_NOT_EMPTY', error_message: 'The user table is not empty, unauthorized creation is forbidden.' })
- else if (req.body.username) return authentication.signup(req, res)
- else res.send({ status: 'SUCCESS' })
+ if (users.length > 0) res.status(403).send({ status: 'USERTABLE_NOT_EMPTY', error_message: 'The user table is not empty, unauthorized creation is forbidden.' })
+ else authentication.signup(req, res)
})
})
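Review bot: The empty-table check and the account creation in POST /setup are two separate queries with nothing serializing them, so two requests arriving together can both observe `users.length === 0` and both reach `authentication.signup`; this is the same check-then-act the old code had, but since the route's whole purpose is to allow exactly one unauthenticated account creation it deserves either a transaction/lock around both steps or a unique-constraint failure treated as "already set up". Neither this `.then` nor the one in the new GET /setup handler above has a `.catch`, so a rejected `findAll` leaves the request unanswered and surfaces as an unhandled rejection; `.catch(err => { console.error(err); res.status(500).end() })` on both closes that gap. `findAll()` also loads every user row just to test emptiness; if this is Sequelize, `db.user.count()` does the same with one scalar.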
diff --git a/server/api/users.js b/server/api/users.js
index 663f88e..c5eb822 100644
--- a/server/api/users.js
+++ b/server/api/users.js
@@ -71,7 +71,17 @@ router.postAsync(['/', '/:id'], async (req, res) => {
else {
let user
user = await db.user.findOne({ where: { id: req.params.id } })
- if (user) await user.update(req.body)
+ if (user) {
+ await user.update({
+ username: req.body.username,
+ name: req.body.name,
+ email: req.body.email
+ })
+
+ if (req.body.password) {
+ return authentication.changePassword(req, res)
+ }
+ }
res.status(200).end()
}
}
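Review bot: The username/name/email update at the top of the new branch is committed before `authentication.changePassword` runs, so a new password that fails `validatePassword` (or a hashing error) leaves a half-applied update: the profile fields are changed, the password is not, and the client is answered with the PASSWORD_REQUIREMENTS body. Either validate the password before the `user.update` call or run both writes inside one transaction. This path also sends no `passwordCurrent`, so changePassword skips the current-password check; whatever authorization guards `postAsync(['/', '/:id'])` (the handler starts outside the hunk) is now the only control over who may set another user's password, which is worth stating in a comment on the route, e.g. `// Password may be set here without the current one: callers must already be authorized to administer this user.` In the `/:id/password` hunk below, a new password equal to the current one is a client error, so `res.status(400)` fits better than 500.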
@@ -79,7 +89,11 @@ router.postAsync(['/', '/:id'], async (req, res) => {
// Post request for changing the password.
router.post('/:id/password', (req, res) => {
- authentication.changePassword(req, res)
+ // Check if passwords are set.
+ if (req.body.passwordCurrent && req.body.password) {
+ if (req.body.passwordCurrent === req.body.password) return res.status(500).send({ auth: false, status: 'PASSWORD_ERROR', error_message: 'The provided password must be different than the old password.' })
+ return authentication.changePassword(req, res)
+ } else res.status(400).send({ auth: false, status: 'PASSWORD_MISSING', error_message: 'This service requires the current and the new password.' })
})
// Post request for chaning the user info. (name, email)
diff --git a/server/lib/authentication.js b/server/lib/authentication.js
index b9c87d1..9a91850 100644
--- a/server/lib/authentication.js
+++ b/server/lib/authentication.js
@@ -54,11 +54,15 @@ async function signup (req, res) {
var userPassword = Buffer.from(params.password)
// Register user
- const hash = await pwd.hash(userPassword)
- // if (err) return res.status(500).send({ auth: false, status: 'PASSWORD_HASH_ERROR', error_message: 'Hashing the password failed.' })
+ try {
+ var hash = await pwd.hash(userPassword)
+ } catch (error) {
+ return res.status(500).send({ auth: false, status: 'PASSWORD_HASH_ERROR', error_message: 'Hashing the password failed.' })
+ }
// Saving the non improved hash and creating the user in the db.
const newUser = await db.user.create({ username: params.username, password: hash, email: params.email, name: params.name })
+
// TODO: Username could also be used because those are unique as well.
var userId = newUser.id
@@ -77,34 +81,38 @@ function logout (req, res) {
// Maybe use express-jwt and use the rewoke function.
}
-function changePassword (req, res) {
- // Check if the new password is different.
- if (req.body.passwordCurrent === req.body.passwordNew) return res.status(500).send({ auth: false, status: 'PASSWORD_ERROR', error_message: 'The provided password must be different than the old password.' })
-
+async function changePassword (req, res) {
// 1. Get the user and verify it's existence.
- db.user.findOne({ where: { id: req.params.id } }).then(user => {
- if (user) {
- const pwCurrent = Buffer.from(req.body.passwordCurrent)
- const pwNew = Buffer.from(req.body.passwordNew)
- // 2. Verify the current hast with the provided current password.
- verifyHash(res, pwCurrent, Buffer.from(user.password), user.id, () => {
- // 3. Check if the new provided password fullfills the requirements
- if (validatePassword(req.body.passwordNew)) {
- // 4. Calculate the new password hash.
- pwd.hash(pwNew, (err, hash) => {
- if (err) return res.status(500).send({ auth: false, status: 'PASSWORD_HASH_ERROR', error_message: 'Hashing the password failed.' })
- // 5. Write the hash in the db
- user.update({ password: hash }).then(() => {
- // 6. Verify & improving the hash.
- verifyHash(res, pwNew, hash, user.id, () => {
- res.status(200).send({ auth: true, status: 'VALID' })
- })
- })
- })
- } else res.send({ status: 'PASSWORD_REQUIREMENTS', error_message: 'The provided password doesn\'t fullfill the requirements' })
- })
- } else res.send({ status: 'INVALID_USER', error_message: 'There is no user with the provided id.' })
- })
+ let user = await db.user.findOne({ where: { id: req.params.id } })
+ if (!user) return res.send({ status: 'INVALID_USER', error_message: 'There is no user with the provided id.' })
+
+ const pwNew = Buffer.from(req.body.password)
+
+ // 2. Only if the current password is set we have to check if it's valid.
+ // This is because root can set passwords witout having the old ones.
+ // But the authentication if you can call this function without the currentPasswords needs to be in the API.
+ if (req.body.passwordCurrent) {
+ // Verify the current hast with the provided current password.
+ const pwCurrent = Buffer.from(req.body.passwordCurrent)
+ await verifyHash(res, pwCurrent, Buffer.from(user.password), user.id)
+ }
+
+ // 3. Check if the new provided password fullfills the requirements
+ if (!validatePassword(req.body.password)) return res.send({ status: 'PASSWORD_REQUIREMENTS', error_message: 'The provided password doesn\'t fullfill the requirements' })
+
+ // 4. Calculate the new password hash.
+ try {
+ var hash = await pwd.hash(pwNew)
+ } catch (error) {
+ return res.status(500).send({ auth: false, status: 'PASSWORD_HASH_ERROR', error_message: 'Hashing the password failed.' })
+ }
+
+ // 5. Write the hash in the dbW
+ await user.update({ password: hash })
+
+ // 6. Verify & improving the hash.
+ await verifyHash(res, pwNew, hash, user.id)
+ res.status(200).send({ auth: true, status: 'VALID' })
}
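Review bot: The `await verifyHash(...)` at step 2 does not stop the function when the current password is wrong: as the last hunk of this file shows, verifyHash reports failure by sending a 401 and `return`ing the response rather than throwing, and with the new `callback = () => {}` default the old success-only continuation is gone, so execution falls through to step 3, hashes the new password, writes it to the database, and then calls `res.status(200).send` on a response whose headers were already sent. Unless the part of verifyHash outside the hunk throws on a mismatch, a failed current-password check still results in a changed password. Have verifyHash resolve to a boolean (true on a match, false after it has sent its own error response) and guard the call: `if (!(await verifyHash(res, pwCurrent, Buffer.from(user.password), user.id))) return`, with the same guard on the step 6 call so the final `res.status(200)` cannot follow an error reply. Separately, the `res.send` for PASSWORD_REQUIREMENTS at step 3 answers with 200; a 400 matches the PASSWORD_MISSING handling in the API layer.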
// Middleware function.
@@ -185,7 +193,7 @@ function verifyUser (res, username, password, callback) {
}
// The verify hash function from the secure-passwords with error handling.
-function verifyHash (res, password, hash, userId, callback) {
+function verifyHash (res, password, hash, userId, callback = () => {}) {
// Check if the hash in the database fullfills the requirements needed for pwd.verify.
// Hash will be a Buffer of length SecurePassword.HASH_BYTES.
if (hash.length !== securePassword.HASH_BYTES) return res.status(401).send({ auth: false, status: 'DATABASE_HASH_INVALID', error_message: 'The hash in the database is corrupted.' })
diff --git a/webapp/src/components/AccountModule.vue b/webapp/src/components/AccountModule.vue
index 013f916..f24da2c 100644
--- a/webapp/src/components/AccountModule.vue
+++ b/webapp/src/components/AccountModule.vue
@@ -315,7 +315,7 @@ export default {
},
submitPassword () {
if (this.$refs.passwordForm.validate()) {
- this.$http.post('/api/users/' + this.user.id + '/password', { passwordCurrent: this.passwordCurrent, passwordNew: this.passwordNew }).then(response => {
+ this.$http.post('/api/users/' + this.user.id + '/password', { passwordCurrent: this.passwordCurrent, password: this.passwordNew }).then(response => {
this.cancelEditPassword()
this.$snackbar({ color: 'success', text: this.$t('passwordChanged') })
}).catch(error => {
diff --git a/webapp/src/components/StartPageSetup.vue b/webapp/src/components/StartPageSetup.vue
index 8d41f81..36ad648 100644
--- a/webapp/src/components/StartPageSetup.vue
+++ b/webapp/src/components/StartPageSetup.vue
@@ -72,12 +72,14 @@ export default {
},
beforeRouteEnter (to, from, next) {
// If there are already users in the db, redirect to the login page.
- Vue.prototype.$http.post('/api/authentication/setup').then(result => {
+ Vue.prototype.$http.get('/api/authentication/setup').then(result => {
if (result.data.status !== 'SUCCESS') {
next({ name: 'login' })
} else {
next()
}
+ }).catch(() => {
+ next({ name: 'login' })
})
}
}
diff --git a/webapp/src/components/UserModuleEdit.vue b/webapp/src/components/UserModuleEdit.vue
index 924a109..e989c11 100644
--- a/webapp/src/components/UserModuleEdit.vue
+++ b/webapp/src/components/UserModuleEdit.vue
@@ -3,12 +3,14 @@
"en": {
"titleExisting": "Edit user",
"titleNew": "Create user",
- "userCreated": "User was successfully created."
+ "userCreated": "User was successfully created.",
+ "userUpdated": "User was successfully updated."
},
"de": {
"titleExisting": "Benutzer bearbeiten",
"titleNew": "Benutzer erstellen",
- "userCreated": "Benutzer wurde erfolgreich erstellt."
+ "userCreated": "Benutzer wurde erfolgreich erstellt.",
+ "userUpdated": "Benutzer wurde erfolgreich aktualisiert."
}
}
</i18n>
@@ -67,7 +69,7 @@ export default {
}).then(response => {
this.$store.dispatch('users/loadData')
this.setDialog({ show: false })
- this.$snackbar({ color: 'success', text: this.$t('userCreated') })
+ this.$snackbar({ color: 'success', text: this.dialog.info.id ? this.$t('userUpdated') : this.$t('userCreated') })
}).catch(error => {
if (error.response.data.status === 'USER_ALREADY_EXISTS') {
this.$refs.editComponent.setUsernameTakenError()