Merge pull request #1093 from DeepBlueCLtd/1092_single_logic_for_upda…

…te_change_password 1092 - single logic for update and change password first commit
DeepBlueCLtd · May 1, 2024 · 01739bb · 01739bb
2 parents a904590 + a9ff625
commit 01739bb
Show file tree

Hide file tree

Showing 4 changed files with 38 additions and 13 deletions.
diff --git a/_devExtensions/api.js b/_devExtensions/api.js
@@ -15,6 +15,21 @@ const getIp = {
   }
 }
 
+const validateCurrentPassword = (db, userId, currentPassword) => {
+  const query = `SELECT hashed_password FROM _users WHERE id = ?`
+  const user = db.prepare(query).get(userId)
+  if (!user) {
+    throw new Error('User not found')
+  }
+  const isPasswordValid = bcrypt.compareSync(
+    currentPassword,
+    user.hashed_password
+  )
+  if (!isPasswordValid) {
+    throw new Error('Invalid current password')
+  }
+}
+
 const removeOldPasswords = (db, userId) => {
   const deleteQuery = `
     DELETE FROM ${tableName}
@@ -66,17 +81,23 @@ const insertPasswordRecord = {
       const { fields: queryFields } = req.body
       queryFields.createdAt = new Date().toISOString()
 
-      const { userId, password } = queryFields
+      const { userId, currentPassword, password } = queryFields
 
-      await passwordValidationSchema.validate(password)
+      // if currentPassword present, validate it
+      if (currentPassword !== undefined) {
+        validateCurrentPassword(mainDb, userId, currentPassword)
+      }
 
+      await passwordValidationSchema.validate(password)
       checkAgainstLastFivePassowrds(securityDb, userId, password)
       removeOldPasswords(securityDb, userId)
 
       queryFields.password = bcrypt.hashSync(password)
 
       const fields = Object.fromEntries(
-        Object.entries(queryFields).filter(([_, value]) => value !== null)
+        Object.entries(queryFields).filter(
+          ([name, value]) => (value !== null) & (name !== 'currentPassword')
+        )
       )
 
       const fieldsString = Object.keys(fields).join(', ')

diff --git a/src/ChangePassword.tsx b/src/ChangePassword.tsx
@@ -81,7 +81,7 @@ const ChangePassword = ({
             currentPassword,
             userId: user.id as number
           })
-          if (res.status === 200) {
+          if (res.status === 201) {
             setOpenChangePasswordModal(false)
             const res = await deleteUpdateBefore({
               userId: user.id as number
@@ -97,7 +97,7 @@ const ChangePassword = ({
               resource: constants.R_USERS,
               activityType: AuditType.CHANGE_PASSWORD,
               dataId: user.id as number,
-              activityDetail: 'User Password Changed',
+              activityDetail: 'User Password Changed (forced change)',
               securityRelated: true,
               subjectResource: null,
               subjectId: null
@@ -110,7 +110,7 @@ const ChangePassword = ({
             currentPassword,
             userId: user.id as number
           })
-          if (res.status === 200) {
+          if (res.status === 201) {
             setOpenChangePasswordModal(false)
             await audit({
               resource: constants.R_USERS,

diff --git a/src/resources/users/UserShow.tsx b/src/resources/users/UserShow.tsx
@@ -143,8 +143,8 @@ const EditPassword = ({ handleClose, audit }: Props): React.ReactElement => {
           await audit({
             resource: constants.R_USERS,
             activityType: AuditType.EDIT_PASSWORD,
-            dataId: user?.id as number | null,
-            activityDetail: 'Edit User Password',
+            dataId: parseInt(id),
+            activityDetail: 'Edit (other) User Password',
             securityRelated: true,
             subjectResource: null,
             subjectId: null
@@ -520,14 +520,17 @@ export default function UserShow(): React.ReactElement {
     setEditPasswordOpen(false)
   }
 
+  const rolesThatCanEditPassword = ['rco-user', 'rco-power-user']
+
   return (
     <Show
       resource={constants.R_USERS}
       actions={
         <TopToolbar sx={{ display: 'flex', alignItems: 'center' }}>
           <div style={{ flex: 1 }}>
             {hasWriteAccess && <EditButton />}
-            {userDetails?.userRole === 'rco-power-user' ? (
+            {userDetails &&
+            rolesThatCanEditPassword.includes(userDetails.userRole) ? (
               <Button
                 onClick={handleEditPasswordOpen}
                 sx={{ fontSize: '12px' }}>

diff --git a/src/utils/helper.ts b/src/utils/helper.ts
@@ -78,14 +78,15 @@ interface ChangePassword {
 }
 
 export const changeAndUpdatePassword = async ({
+  userId,
   password,
   currentPassword
 }: ChangePassword): Promise<AxiosResponse> => {
-  const res = await axios.put(
+  const res = await axios.post(
     process.env.NODE_ENV === 'development'
-      ? 'http://localhost:8000/api/auth/change-password'
-      : '/api/auth/change-password',
-    { fields: { currentPassword, newPassword: password } }
+      ? 'http://localhost:8000/api/insert-password'
+      : '/api/insert-password',
+    { fields: { userId, currentPassword, password } }
   )
   return res
 }