// ChangePassword changes the password from the logged in user.
//
// It reads the request body in JSON format. The JSON in the request body
// should contain two attributes:
//
// - old: the old password
// - new: the new password
//
// This handler will return 403 if the password didn't match the user, or 412
// if the new password is invalid.
func ChangePassword(w http.ResponseWriter, r *http.Request, u *auth.User) error {
var body map[string]string
err := json.NewDecoder(r.Body).Decode(&body)
if err != nil {
return &errors.Http{
Code: http.StatusBadRequest,
Message: "Invalid JSON.",
}
}
if body["old"] == "" || body["new"] == "" {
return &errors.Http{
Code: http.StatusBadRequest,
Message: "Both the old and the new passwords are required.",
}
}
if !u.Login(body["old"]) {
return &errors.Http{
Code: http.StatusForbidden,
Message: "The given password didn't match the user's current password.",
}
}
if !validation.ValidateLength(body["new"], passwordMinLen, passwordMaxLen) {
return &errors.Http{
Code: http.StatusPreconditionFailed,
Message: passwordError,
}
}
u.Password = body["new"]
u.HashPassword()
return u.Update()
}
func createUser(w http.ResponseWriter, r *http.Request) error {
var u auth.User
err := json.NewDecoder(r.Body).Decode(&u)
if err != nil {
return &errors.HTTP{Code: http.StatusBadRequest, Message: err.Error()}
}
if !validation.ValidateEmail(u.Email) {
return &errors.HTTP{Code: http.StatusBadRequest, Message: emailError}
}
if !validation.ValidateLength(u.Password, passwordMinLen, passwordMaxLen) {
return &errors.HTTP{Code: http.StatusBadRequest, Message: passwordError}
}
gURL := repository.ServerURL()
c := gandalf.Client{Endpoint: gURL}
if _, err := c.NewUser(u.Email, keyToMap(u.Keys)); err != nil {
return fmt.Errorf("Failed to create user in the git server: %s", err)
}
if err := u.Create(); err == nil {
rec.Log(u.Email, "create-user")
if limit, err := config.GetUint("quota:apps-per-user"); err == nil {
quota.Create(u.Email, uint(limit))
}
w.WriteHeader(http.StatusCreated)
return nil
}
if _, err = auth.GetUserByEmail(u.Email); err == nil {
err = &errors.HTTP{Code: http.StatusConflict, Message: "This email is already registered"}
}
return err
}
func Login(w http.ResponseWriter, r *http.Request) error {
var pass map[string]string
err := json.NewDecoder(r.Body).Decode(&pass)
if err != nil {
return &errors.Http{Code: http.StatusBadRequest, Message: "Invalid JSON"}
}
password, ok := pass["password"]
if !ok {
msg := "You must provide a password to login"
return &errors.Http{Code: http.StatusBadRequest, Message: msg}
}
if !validation.ValidateLength(password, passwordMinLen, passwordMaxLen) {
return &errors.Http{Code: http.StatusPreconditionFailed, Message: passwordError}
}
u := auth.User{Email: r.URL.Query().Get(":email")}
if !validation.ValidateEmail(u.Email) {
return &errors.Http{Code: http.StatusPreconditionFailed, Message: emailError}
}
err = u.Get()
if err != nil {
return &errors.Http{Code: http.StatusNotFound, Message: "User not found"}
}
if u.Login(password) {
t, _ := u.CreateToken()
fmt.Fprintf(w, `{"token":"%s"}`, t.Token)
return nil
}
msg := "Authentication failed, wrong password"
return &errors.Http{Code: http.StatusUnauthorized, Message: msg}
}
func CreateUser(w http.ResponseWriter, r *http.Request) error {
var u auth.User
err := json.NewDecoder(r.Body).Decode(&u)
if err != nil {
return &errors.Http{Code: http.StatusBadRequest, Message: err.Error()}
}
if !validation.ValidateEmail(u.Email) {
return &errors.Http{Code: http.StatusPreconditionFailed, Message: emailError}
}
if !validation.ValidateLength(u.Password, passwordMinLen, passwordMaxLen) {
return &errors.Http{Code: http.StatusPreconditionFailed, Message: passwordError}
}
gUrl := repository.GitServerUri()
c := gandalf.Client{Endpoint: gUrl}
if _, err := c.NewUser(u.Email, keyToMap(u.Keys)); err != nil {
return fmt.Errorf("Failed to create user in the git server: %s", err)
}
if err := u.Create(); err == nil {
w.WriteHeader(http.StatusCreated)
return nil
}
if u.Get() == nil {
err = &errors.Http{Code: http.StatusConflict, Message: "This email is already registered"}
}
return err
}
func (u *User) CheckPassword(password string) error {
if !validation.ValidateLength(password, passwordMinLen, passwordMaxLen) {
return &errors.ValidationError{Message: passwordError}
}
if bcrypt.CompareHashAndPassword([]byte(u.Password), []byte(password)) == nil {
return nil
}
return AuthenticationFailure{}
}
func (u *User) CheckPassword(password string) error {
if !validation.ValidateLength(password, passwordMinLen, passwordMaxLen) {
return &errors.ValidationError{Message: passwordError}
}
// BUG(fss): this is temporary code, for a migration phase in the
// hashing algorithm. In the future we should just use
// bcrypt.CompareHashAndPassword, and drop the old hash checking and
// update stuff.
if bcrypt.CompareHashAndPassword([]byte(u.Password), []byte(password)) == nil {
return nil
}
hashedPassword := hashPassword(password)
if u.Password == hashedPassword {
if bcryptPassword, err := bcrypt.GenerateFromPassword([]byte(password), cost); err == nil {
u.Password = string(bcryptPassword)
u.Update()
}
return nil
}
return AuthenticationFailure{}
}
// ChangePassword changes the password from the logged in user.
//
// It reads the request body in JSON format. The JSON in the request body
// should contain two attributes:
//
// - old: the old password
// - new: the new password
//
// This handler will return 403 if the password didn't match the user, or 400
// if the new password is invalid.
func changePassword(w http.ResponseWriter, r *http.Request, t *auth.Token) error {
var body map[string]string
err := json.NewDecoder(r.Body).Decode(&body)
if err != nil {
return &errors.HTTP{
Code: http.StatusBadRequest,
Message: "Invalid JSON.",
}
}
if body["old"] == "" || body["new"] == "" {
return &errors.HTTP{
Code: http.StatusBadRequest,
Message: "Both the old and the new passwords are required.",
}
}
u, err := t.User()
if err != nil {
return err
}
if err := u.CheckPassword(body["old"]); err != nil {
return &errors.HTTP{
Code: http.StatusForbidden,
Message: "The given password didn't match the user's current password.",
}
}
if !validation.ValidateLength(body["new"], passwordMinLen, passwordMaxLen) {
return &errors.HTTP{
Code: http.StatusBadRequest,
Message: passwordError,
}
}
rec.Log(u.Email, "change-password")
u.Password = body["new"]
u.HashPassword()
return u.Update()
}
