fix(api): change user password update flow (#2247)

* fix(api): change password update flow

* feat(update-password): add current password confirmation

api/http/handler/users/handler.go

@@ -26,7 +26,7 @@ type Handler struct {
 }
 
 // NewHandler creates a handler to manage user operations.
-func NewHandler(bouncer *security.RequestBouncer) *Handler {
+func NewHandler(bouncer *security.RequestBouncer, rateLimiter *security.RateLimiter) *Handler {
 	h := &Handler{
 		Router: mux.NewRouter(),
 	}
@@ -43,7 +43,7 @@ func NewHandler(bouncer *security.RequestBouncer) *Handler {
 	h.Handle("/users/{id}/memberships",
 		bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.userMemberships))).Methods(http.MethodGet)
 	h.Handle("/users/{id}/passwd",
-		bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.userPassword))).Methods(http.MethodPost)
+		rateLimiter.LimitAccess(bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.userUpdatePassword)))).Methods(http.MethodPut)
 	h.Handle("/users/admin/check",
 		bouncer.PublicAccess(httperror.LoggerHandler(h.adminCheck))).Methods(http.MethodGet)
 	h.Handle("/users/admin/init",

api/http/handler/users/user_password.go

@@ -1,57 +0,0 @@
-package users
-
-import (
-	"net/http"
-
-	"github.com/asaskevich/govalidator"
-	"github.com/portainer/portainer"
-	httperror "github.com/portainer/portainer/http/error"
-	"github.com/portainer/portainer/http/request"
-	"github.com/portainer/portainer/http/response"
-)
-
-type userPasswordPayload struct {
-	Password string
-}
-
-func (payload *userPasswordPayload) Validate(r *http.Request) error {
-	if govalidator.IsNull(payload.Password) {
-		return portainer.Error("Invalid password")
-	}
-	return nil
-}
-
-type userPasswordResponse struct {
-	Valid bool `json:"valid"`
-}
-
-// POST request on /api/users/:id/passwd
-func (handler *Handler) userPassword(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	userID, err := request.RetrieveNumericRouteVariableValue(r, "id")
-	if err != nil {
-		return &httperror.HandlerError{http.StatusBadRequest, "Invalid user identifier route variable", err}
-	}
-
-	var payload userPasswordPayload
-	err = request.DecodeAndValidateJSONPayload(r, &payload)
-	if err != nil {
-		return &httperror.HandlerError{http.StatusBadRequest, "Invalid request payload", err}
-	}
-
-	var password = payload.Password
-
-	u, err := handler.UserService.User(portainer.UserID(userID))
-	if err == portainer.ErrObjectNotFound {
-		return &httperror.HandlerError{http.StatusNotFound, "Unable to find a user with the specified identifier inside the database", err}
-	} else if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find a user with the specified identifier inside the database", err}
-	}
-
-	valid := true
-	err = handler.CryptoService.CompareHashAndData(u.Password, password)
-	if err != nil {
-		valid = false
-	}
-
-	return response.JSON(w, &userPasswordResponse{Valid: valid})
-}

api/http/handler/users/user_update_password.go

@@ -0,0 +1,74 @@
+package users
+
+import (
+	"net/http"
+
+	"github.com/asaskevich/govalidator"
+	"github.com/portainer/portainer"
+	httperror "github.com/portainer/portainer/http/error"
+	"github.com/portainer/portainer/http/request"
+	"github.com/portainer/portainer/http/response"
+	"github.com/portainer/portainer/http/security"
+)
+
+type userUpdatePasswordPayload struct {
+	Password    string
+	NewPassword string
+}
+
+func (payload *userUpdatePasswordPayload) Validate(r *http.Request) error {
+	if govalidator.IsNull(payload.Password) {
+		return portainer.Error("Invalid current password")
+	}
+	if govalidator.IsNull(payload.NewPassword) {
+		return portainer.Error("Invalid new password")
+	}
+	return nil
+}
+
+// PUT request on /api/users/:id/passwd
+func (handler *Handler) userUpdatePassword(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	userID, err := request.RetrieveNumericRouteVariableValue(r, "id")
+	if err != nil {
+		return &httperror.HandlerError{http.StatusBadRequest, "Invalid user identifier route variable", err}
+	}
+
+	tokenData, err := security.RetrieveTokenData(r)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve user authentication token", err}
+	}
+
+	if tokenData.Role != portainer.AdministratorRole && tokenData.ID != portainer.UserID(userID) {
+		return &httperror.HandlerError{http.StatusForbidden, "Permission denied to update user", portainer.ErrUnauthorized}
+	}
+
+	var payload userUpdatePasswordPayload
+	err = request.DecodeAndValidateJSONPayload(r, &payload)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusBadRequest, "Invalid request payload", err}
+	}
+
+	user, err := handler.UserService.User(portainer.UserID(userID))
+	if err == portainer.ErrObjectNotFound {
+		return &httperror.HandlerError{http.StatusNotFound, "Unable to find a user with the specified identifier inside the database", err}
+	} else if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find a user with the specified identifier inside the database", err}
+	}
+
+	err = handler.CryptoService.CompareHashAndData(user.Password, payload.Password)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusForbidden, "Specified password do not match actual password", portainer.ErrUnauthorized}
+	}
+
+	user.Password, err = handler.CryptoService.Hash(payload.NewPassword)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to hash user password", portainer.ErrCryptoHashFailure}
+	}
+
+	err = handler.UserService.UpdateUser(user.ID, user)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist user changes inside the database", err}
+	}
+
+	return response.Empty(w)
+}