
package Auth
import (
"encoding/json"
"io/ioutil"
"net/http"
"git.tovijaeschke.xyz/tovi/Capsule/Backend/Database"
"git.tovijaeschke.xyz/tovi/Capsule/Backend/Models"
)
// rawChangePassword is the JSON payload accepted by ChangePassword.
//
// Every value arrives from the client and is untrusted until ChangePassword
// has checked it. The private_key field carries the user's asymmetric
// private key as re-encrypted by the client under the new password; the
// server stores it as an opaque string and does not inspect it.
type rawChangePassword struct {
	// OldPassword is verified against the stored password hash before
	// anything is changed.
	OldPassword string `json:"old_password"`
	// NewPassword is the replacement password; it is hashed server-side.
	NewPassword string `json:"new_password"`
	// NewPasswordConfirm must equal NewPassword.
	NewPasswordConfirm string `json:"new_password_confirm"`
	// PrivateKey is copied verbatim into the user's AsymmetricPrivateKey.
	PrivateKey string `json:"private_key"`
}
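// ChangePassword handles the change-password action for the currently
// authenticated user.
//
// Request body (JSON): old_password, new_password, new_password_confirm and
// private_key. The caller must prove knowledge of the current password; the
// new password is hashed server-side, and the client-supplied private_key
// (the user's asymmetric private key, re-encrypted by the client under the
// new password) is stored alongside the new hash.
//
// Responses: 204 on success; 400 for an unreadable, oversized or malformed
// body; 403 when old_password does not match the stored hash; 422 when the
// new password or private key fails server-side validation; 500 when hashing
// or the database update fails.
func ChangePassword(w http.ResponseWriter, r *http.Request) {
	const (
		// Upper bound on the request body. The payload is a few short strings
		// plus one encrypted private key, so this cap is generous while still
		// preventing a client from making the server buffer arbitrary data.
		maxBodyBytes = 64 << 10
		// Minimum new-password length (in bytes). Enforced here because the
		// frontend check can be bypassed by calling the API directly.
		// NOTE(review): keep in sync with the frontend's validation rule.
		minPasswordLength = 8
	)

	user, err := CheckCookieCurrentUser(w, r)
	if err != nil {
		// No response written here: the auth middleware already handled it.
		return
	}

	body, err := ioutil.ReadAll(http.MaxBytesReader(w, r.Body, maxBodyBytes))
	if err != nil {
		// An oversized body or a failed read is a client-side problem, not a
		// server fault, so answer 400 rather than 500.
		http.Error(w, "Error", http.StatusBadRequest)
		return
	}

	var req rawChangePassword
	if err := json.Unmarshal(body, &req); err != nil {
		http.Error(w, "Error", http.StatusBadRequest)
		return
	}

	// Re-authenticate before touching anything: a stolen session cookie on
	// its own must not be enough to change the password.
	if !CheckPasswordHash(req.OldPassword, user.Password) {
		http.Error(w, "Invalid Current Password", http.StatusForbidden)
		return
	}

	// Server-side validation of the new password. Frontend validation is a
	// convenience for the user, not a security control.
	if req.NewPassword != req.NewPasswordConfirm || len(req.NewPassword) < minPasswordLength {
		http.Error(w, "Invalid New Password", http.StatusUnprocessableEntity)
		return
	}

	// The private key itself does not change; the client re-encrypts it with
	// the new password and sends the result. Storing an empty value would
	// overwrite the user's only copy of the key, so reject it explicitly.
	if req.PrivateKey == "" {
		http.Error(w, "Invalid Private Key", http.StatusUnprocessableEntity)
		return
	}

	hash, err := HashPassword(req.NewPassword)
	if err != nil {
		http.Error(w, "Error", http.StatusInternalServerError)
		return
	}
	user.Password = hash
	user.AsymmetricPrivateKey = req.PrivateKey

	// NOTE(review): nothing here invalidates other active sessions for this
	// user. If the session layer does not bind sessions to the password hash,
	// an attacker who already holds a session keeps it after the change, and
	// the legitimate user's other devices stay logged in. Confirm with the
	// cookie/session implementation.
	if err := Database.UpdateUser(user.ID.String(), &user); err != nil {
		http.Error(w, "Error", http.StatusInternalServerError)
		return
	}

	w.WriteHeader(http.StatusNoContent)
}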