fix: Correct change password on client

* Add additional checks on server to prevent 500
* Add tests for param checks

test/api/v3/integration/user/auth/PUT-user_update_password.test.js

@@ -50,4 +50,43 @@ describe('PUT /user/auth/update-password', async () => {
       message: t('wrongPassword'),
     });
   });
+
+  it('returns an error when password is missing', async () => {
+    let body = {
+      newPassword,
+      confirmPassword: newPassword,
+    };
+
+    await expect(user.put(ENDPOINT, body)).to.eventually.be.rejected.and.eql({
+      code: 400,
+      error: 'BadRequest',
+      message: t('invalidReqParams'),
+    });
+  });
+
+  it('returns an error when newPassword is missing', async () => {
+    let body = {
+      password,
+      confirmPassword: newPassword,
+    };
+
+    await expect(user.put(ENDPOINT, body)).to.eventually.be.rejected.and.eql({
+      code: 400,
+      error: 'BadRequest',
+      message: t('invalidReqParams'),
+    });
+  });
+
+  it('returns an error when confirmPassword is missing', async () => {
+    let body = {
+      password,
+      newPassword,
+    };
+
+    await expect(user.put(ENDPOINT, body)).to.eventually.be.rejected.and.eql({
+      code: 400,
+      error: 'BadRequest',
+      message: t('invalidReqParams'),
+    });
+  });
 });

website/server/controllers/api-v3/auth.js

@@ -352,18 +352,27 @@ api.updatePassword = {
 
     if (!user.auth.local.hashed_password) throw new BadRequest(res.t('userHasNoLocalRegistration'));
 
-    let oldPassword = passwordUtils.encrypt(req.body.password, user.auth.local.salt);
-    if (oldPassword !== user.auth.local.hashed_password) throw new NotAuthorized(res.t('wrongPassword'));
-
     req.checkBody({
       password: {
-        notEmpty: {errorMessage: res.t('missingNewPassword')},
-      },
-      newPassword: {
         notEmpty: {errorMessage: res.t('missingPassword')},
       },
+      newPassword: {
+        notEmpty: {errorMessage: res.t('missingNewPassword')},
+      },
+      confirmPassword: {
+        notEmpty: {errorMessage: res.t('missingNewPassword')},
+      },
     });
 
+    let validationErrors = req.validationErrors();
+
+    if (validationErrors) {
+      throw validationErrors;
+    }
+
+    let oldPassword = passwordUtils.encrypt(req.body.password, user.auth.local.salt);
+    if (oldPassword !== user.auth.local.hashed_password) throw new NotAuthorized(res.t('wrongPassword'));
+
     if (req.body.newPassword !== req.body.confirmPassword) throw new NotAuthorized(res.t('passwordConfirmationMatch'));
 
     user.auth.local.hashed_password = passwordUtils.encrypt(req.body.newPassword, user.auth.local.salt); // eslint-disable-line camelcase

website/views/options/settings.jade

@@ -183,11 +183,11 @@ script(type='text/ng-template', id='partials/options.settings.settings.html')
               h5=env.t('changePass')
               form(ng-submit='changeUser("password", passwordUpdates)', ng-show='user.auth.local', name='changePassword', novalidate)
                 .form-group
-                  input.form-control(type='password', placeholder=env.t('oldPass'), ng-model='passwordUpdates.oldPassword', required)
+                  input.form-control(type='password', placeholder=env.t('oldPass'), ng-model='passwordUpdates.password', required)
                 .form-group
                   input.form-control(type='password', placeholder=env.t('newPass'), ng-model='passwordUpdates.newPassword', required)
                 .form-group
-                  input.form-control(type='password', placeholder=env.t('confirmPass'), ng-model='passwordUpdates.confirmNewPassword', required)
+                  input.form-control(type='password', placeholder=env.t('confirmPass'), ng-model='passwordUpdates.confirmPassword', required)
                 input.btn.btn-default(type='submit', ng-disabled='changePassword.$invalid', value=env.t('submit'))