From ac77ceb75fdc5f9f88289d1e5a1efeb8a26028be Mon Sep 17 00:00:00 2001
From: Blade Barringer
Date: Mon, 23 May 2016 23:30:37 -0500
Subject: [PATCH] fix: Correct change password on client

* Add additional checks on server to prevent 500
* Add tests for param checks
---
 .../auth/PUT-user_update_password.test.js | 39 +++++++++++++++++++
 website/server/controllers/api-v3/auth.js | 21 +++++++---
 website/views/options/settings.jade | 4 +-
 3 files changed, 56 insertions(+), 8 deletions(-)

diff --git a/test/api/v3/integration/user/auth/PUT-user_update_password.test.js b/test/api/v3/integration/user/auth/PUT-user_update_password.test.js
index bcc1ac25d3..6821e18d3e 100644
--- a/test/api/v3/integration/user/auth/PUT-user_update_password.test.js
+++ b/test/api/v3/integration/user/auth/PUT-user_update_password.test.js
@@ -50,4 +50,43 @@ describe('PUT /user/auth/update-password', async () => {
 message: t('wrongPassword'),
 });
 });
+
+ it('returns an error when password is missing', async () => {
+ let body = {
+ newPassword,
+ confirmPassword: newPassword,
+ };
+
+ await expect(user.put(ENDPOINT, body)).to.eventually.be.rejected.and.eql({
+ code: 400,
+ error: 'BadRequest',
+ message: t('invalidReqParams'),
+ });
+ });
+
+ it('returns an error when newPassword is missing', async () => {
+ let body = {
+ password,
+ confirmPassword: newPassword,
+ };
+
+ await expect(user.put(ENDPOINT, body)).to.eventually.be.rejected.and.eql({
+ code: 400,
+ error: 'BadRequest',
+ message: t('invalidReqParams'),
+ });
+ });
+
+ it('returns an error when confirmPassword is missing', async () => {
+ let body = {
+ password,
+ newPassword,
+ };
+
+ await expect(user.put(ENDPOINT, body)).to.eventually.be.rejected.and.eql({
+ code: 400,
+ error: 'BadRequest',
+ message: t('invalidReqParams'),
+ });
+ });
 });
diff --git a/website/server/controllers/api-v3/auth.js b/website/server/controllers/api-v3/auth.js
index f8eabf4c82..8e641f74e5 100644
--- a/website/server/controllers/api-v3/auth.js
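Review bot: The three new cases only exercise an absent field, while the server-side `notEmpty` validators this commit adds also reject an empty string; one extra case per field with an empty value, e.g. `password: ''`, would pin that so a later switch to a presence-only check is caught. Each `let body = { … }` is never reassigned, so `const body` would match the project's modern-JS style better. The enclosing describe block starts before the hunk, so the `password` and `newPassword` fixtures the new tests rely on are not visible here.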
+++ b/website/server/controllers/api-v3/auth.js
@@ -352,18 +352,27 @@ api.updatePassword = {
 if (!user.auth.local.hashed_password) throw new BadRequest(res.t('userHasNoLocalRegistration'));
- let oldPassword = passwordUtils.encrypt(req.body.password, user.auth.local.salt);
- if (oldPassword !== user.auth.local.hashed_password) throw new NotAuthorized(res.t('wrongPassword'));
-
 req.checkBody({
 password: {
- notEmpty: {errorMessage: res.t('missingNewPassword')},
- },
- newPassword: {
 notEmpty: {errorMessage: res.t('missingPassword')},
 },
+ newPassword: {
+ notEmpty: {errorMessage: res.t('missingNewPassword')},
+ },
+ confirmPassword: {
+ notEmpty: {errorMessage: res.t('missingNewPassword')},
+ },
 });
+ let validationErrors = req.validationErrors();
+
+ if (validationErrors) {
+ throw validationErrors;
+ }
+
+ let oldPassword = passwordUtils.encrypt(req.body.password, user.auth.local.salt);
+ if (oldPassword !== user.auth.local.hashed_password) throw new NotAuthorized(res.t('wrongPassword'));
+
 if (req.body.newPassword !== req.body.confirmPassword) throw new NotAuthorized(res.t('passwordConfirmationMatch'));
 user.auth.local.hashed_password = passwordUtils.encrypt(req.body.newPassword, user.auth.local.salt); // eslint-disable-line camelcase
diff --git a/website/views/options/settings.jade b/website/views/options/settings.jade
index 34c4dff0ca..754dd8dcda 100644
--- a/website/views/options/settings.jade
+++ b/website/views/options/settings.jade
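Review bot: The added validators only require `newPassword` to be non-empty, so any single-character value is accepted as the new password; if registration enforces a minimum length or other password rule elsewhere (not visible here), the same rule should be applied to `newPassword` in this `req.checkBody` so the change-password path is not weaker than sign-up. The `confirmPassword` validator reuses `res.t('missingNewPassword')`, which will read oddly to a user who supplied a new password but omitted the confirmation; a dedicated locale string for the confirmation field would be clearer. The moved `if (oldPassword !== user.auth.local.hashed_password)` line compares the stored and freshly computed hashes with `!==`, where a constant-time comparison is the usual hardening, though with a salted hash the practical exposure is small. `notEmpty` does not establish that the fields are strings, so a non-string body value would still reach `passwordUtils.encrypt`; whether that throws depends on the helper, which is outside this hunk. updatePassword's body continues outside the hunk.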
@@ -183,11 +183,11 @@ script(type='text/ng-template', id='partials/options.settings.settings.html')
 h5=env.t('changePass')
 form(ng-submit='changeUser("password", passwordUpdates)', ng-show='user.auth.local', name='changePassword', novalidate)
 .form-group
- input.form-control(type='password', placeholder=env.t('oldPass'), ng-model='passwordUpdates.oldPassword', required)
+ input.form-control(type='password', placeholder=env.t('oldPass'), ng-model='passwordUpdates.password', required)
 .form-group
 input.form-control(type='password', placeholder=env.t('newPass'), ng-model='passwordUpdates.newPassword', required)
 .form-group
- input.form-control(type='password', placeholder=env.t('confirmPass'), ng-model='passwordUpdates.confirmNewPassword', required)
+ input.form-control(type='password', placeholder=env.t('confirmPass'), ng-model='passwordUpdates.confirmPassword', required)
 input.btn.btn-default(type='submit', ng-disabled='changePassword.$invalid', value=env.t('submit'))