/*
* Copyright (c) 2014-2020 Bjoern Kimminich.
* SPDX-License-Identifier: MIT
*/
const utils = require('../lib/utils')
const insecurity = require('../lib/insecurity')
const models = require('../models/index')
const cache = require('../data/datacache')
// Challenge registry kept in the in-memory datacache; the handler below reads
// it to mark the Bender password-change challenge as solved.
const { challenges } = cache
/**
 * Handler factory for the "change password" endpoint (Express-style
 * `(req, res, next)` handler; `res.__` is the i18n helper).
 *
 * Reads `current`, `new` and `repeat` from the QUERY STRING (not the request
 * body), resolves the caller from the `Authorization: Bearer <token>` header
 * through the in-memory `insecurity.authenticatedUsers` store, and persists
 * `new` on the caller's User row. On success it responds with `{ user }`.
 * Validation failures and a wrong current password are sent as 401 text; an
 * unknown/missing token and unexpected errors are forwarded to `next`.
 *
 * NOTE(review): this file comes from OWASP Juice Shop (see the fork banner and
 * the `insecurity` / `challenges` modules), an intentionally vulnerable
 * application. The weaknesses flagged inline are part of its "Change Bender's
 * password" challenge (see the solveIf condition below) and are documented
 * rather than removed so the challenge keeps working. Do not copy this
 * handler into a real service.
 */
module.exports = function changePassword () {
  return ({ query, headers, connection }, res, next) => {
    // NOTE(review): secrets carried in the query string typically end up in
    // server/proxy access logs, browser history and Referer headers; a request
    // body is the usual place for them. The route's HTTP method is registered
    // elsewhere and is not visible here — if it is GET, a password change is
    // also triggerable cross-site via a plain link or <img> tag, since no
    // anti-CSRF token is checked anywhere in this handler.
    const currentPassword = query.current
    const newPassword = query.new
    const repeatPassword = query.repeat
    // The literal string 'undefined' is rejected too, presumably because a
    // client may serialize a missing value that way — confirm against the frontend.
    if (!newPassword || newPassword === 'undefined') {
      // 401 is used for a validation failure; 400 would be the conventional code.
      res.status(401).send(res.__('Password cannot be empty.'))
    } else if (newPassword !== repeatPassword) {
      // Strict equality: non-string query values (arrays/objects produced by
      // `new[]=...`) never compare equal, so only plain strings get past here.
      res.status(401).send(res.__('New and repeated password do not match.'))
    } else {
      // 'Bearer='.length is 7, the same as 'Bearer ', so this strips the
      // scheme prefix — but the prefix itself is never validated, so any
      // 7-character prefix is accepted. A missing header yields a null token.
      const token = headers.authorization ? headers.authorization.substr('Bearer='.length) : null
      const loggedInUser = insecurity.authenticatedUsers.get(token)
      if (loggedInUser) {
        // NOTE(review): the current-password check only runs when `current`
        // was supplied. Omitting it (or sending an empty value) skips the
        // check entirely, so any holder of a valid session token can change
        // the password without knowing the old one. This is exactly the
        // bypass the Bender challenge below rewards (`!currentPassword`).
        // A real service must require the current password unconditionally.
        // The hash comparison is also a plain `!==`, not a constant-time compare.
        if (currentPassword && insecurity.hash(currentPassword) !== loggedInUser.data.password) {
          res.status(401).send(res.__('Current password is not correct.'))
        } else {
          // findByPk resolves null if the row no longer exists; `user.update`
          // would then throw a TypeError, which the outer catch forwards to next.
          models.User.findByPk(loggedInUser.data.id).then(user => {
            // The plaintext is handed to the model. The solveIf check below
            // compares `user.password` with a hash, so hashing presumably
            // happens in a model hook on update — confirm in models/user.
            user.update({ password: newPassword }).then(user => {
              // Marks the challenge solved when user id 3 (Bender) had the
              // password set to 'slurmCl4ssic' WITHOUT supplying the current one.
              utils.solveIf(challenges.changePasswordBenderChallenge, () => { return user.id === 3 && !currentPassword && user.password === insecurity.hash('slurmCl4ssic') })
              // NOTE(review): the whole User record is echoed back, including
              // the stored `password` field; a filtered view should be returned.
              res.json({ user })
            }).catch(error => {
              next(error)
            })
          }).catch(error => {
            next(error)
          })
        }
      } else {
        // No or unknown token: surfaced as an error to the error middleware
        // (not a 401), with the peer address embedded in the message.
        next(new Error('Blocked illegal activity by ' + connection.remoteAddress))
      }
    }
  }
}