Add update user password endpoint

BrunoQuaresma · BrunoQuaresma · commit 2fe171618e56 · 2022-05-05T13:10:42.000Z
diff --git a/coderd/coderd.go b/coderd/coderd.go
@@ -240,6 +240,7 @@ func New(options *Options) (http.Handler, func()) {
 					r.Get("/", api.userByName)
 					r.Put("/profile", api.putUserProfile)
 					r.Put("/suspend", api.putUserSuspend)
+					r.Put("/password", api.putUserPassword)
 					r.Get("/organizations", api.organizationsByUser)
 					r.Post("/organizations", api.postOrganizationsByUser)
 					// These roles apply to the site wide permissions.
diff --git a/coderd/users.go b/coderd/users.go
@@ -360,6 +360,64 @@ func (api *api) putUserSuspend(rw http.ResponseWriter, r *http.Request) {
 	httpapi.Write(rw, http.StatusOK, convertUser(suspendedUser, organizations))
 }
 
+func (api *api) putUserPassword(rw http.ResponseWriter, r *http.Request) {
+	user := httpmw.UserParam(r)
+
+	var params codersdk.UpdateUserHashedPasswordRequest
+	if !httpapi.Read(rw, r, &params) {
+		return
+	}
+
+	// Check if the password is correct
+	equal, err := userpassword.Compare(string(user.HashedPassword), params.Password)
+	if err != nil {
+		httpapi.Write(rw, http.StatusInternalServerError, httpapi.Response{
+			Message: fmt.Sprintf("compare: %s", err.Error()),
+		})
+	}
+	if !equal {
+		// This message is the same as above to remove ease in detecting whether
+		// users are registered or not. Attackers still could with a timing attack.
+		httpapi.Write(rw, http.StatusUnauthorized, httpapi.Response{
+			Message: "invalid email or password",
+		})
+		return
+	}
+
+	// Check if the new password and the confirmation match
+	if params.NewPassword != params.ConfirmNewPassword {
+		errors := []httpapi.Error{
+			{
+				Field:  "confirm_new_password",
+				Detail: "The value does not match the new password",
+			},
+		}
+		httpapi.Write(rw, http.StatusBadRequest, httpapi.Response{
+			Message: fmt.Sprintf("The new password and the new password confirmation don't match"),
+			Errors:  errors,
+		})
+		return
+	}
+
+	// Hash password and update it in the database
+	hashedPassword, hashError := userpassword.Hash(params.NewPassword)
+	if hashError != nil {
+		xerrors.Errorf("hash password: %w", hashError)
+		return
+	}
+	databaseError := api.Database.UpdateUserHashedPassword(r.Context(), database.UpdateUserHashedPasswordParams{
+		HashedPassword: []byte(hashedPassword),
+	})
+	if databaseError != nil {
+		httpapi.Write(rw, http.StatusInternalServerError, httpapi.Response{
+			Message: fmt.Sprintf("put user password: %s", err.Error()),
+		})
+		return
+	}
+
+	httpapi.Write(rw, http.StatusNoContent, nil)
+}
+
 func (api *api) userRoles(rw http.ResponseWriter, r *http.Request) {
 	user := httpmw.UserParam(r)
 
diff --git a/codersdk/users.go b/codersdk/users.go
@@ -72,6 +72,12 @@ type UpdateUserProfileRequest struct {
 	Username string `json:"username" validate:"required,username"`
 }
 
+type UpdateUserHashedPasswordRequest struct {
+	Password           string `json:"password" validate:"required"`
+	NewPassword        string `json:"new_password" validate:"required"`
+	ConfirmNewPassword string `json:"confirm_new_password" validate:"required"`
+}
+
 type UpdateRoles struct {
 	Roles []string `json:"roles" validate:"required"`
 }

Original file line number	Diff line number	Diff line change
`@@ -72,6 +72,12 @@ type UpdateUserProfileRequest struct {`
`72`	`72`	Username string `json:"username" validate:"required,username"`
`73`	`73`	`}`
`74`	`74`
	`75`	`+type UpdateUserHashedPasswordRequest struct {`
	`76`	+ Password string `json:"password" validate:"required"`
	`77`	+ NewPassword string `json:"new_password" validate:"required"`
	`78`	+ ConfirmNewPassword string `json:"confirm_new_password" validate:"required"`
	`79`	`+}`
	`80`	`+`
`75`	`81`	`type UpdateRoles struct {`
`76`	`82`	Roles []string `json:"roles" validate:"required"`
`77`	`83`	`}`