TiddlyWiki5/plugins/tiddlywiki/multiwikiserver/modules/routes/handlers/change-user-password.js

/*\
title: $:/plugins/tiddlywiki/multiwikiserver/routes/handlers/change-password.js
type: application/javascript
module-type: mws-route

POST /change-user-password

\*/
(function () {

/*jslint node: true, browser: true */
/*global $tw: false */
"use strict";
var authenticator = require("$:/plugins/tiddlywiki/multiwikiserver/auth/authentication.js").Authenticator;

exports.method = "POST";

exports.path = /^\/change-user-password\/?$/;

exports.bodyFormat = "www-form-urlencoded";

exports.csrfDisable = true;

exports.handler = function (request, response, state) {
  if(!state.authenticatedUser) {
    response.writeHead(401, "Unauthorized", { "Content-Type": "text/plain" });
    response.end("Unauthorized");
    return;
  }
  var auth = authenticator(state.server.sqlTiddlerDatabase);

  var userId = state.data.userId;
  var newPassword = state.data.newPassword;
  var confirmPassword = state.data.confirmPassword;
  var currentUserId = state.authenticatedUser.user_id;

  var hasPermission = ($tw.utils.parseInt(userId, 10) === currentUserId) || state.authenticatedUser.isAdmin;

  if(!hasPermission) {
    response.writeHead(403, "Forbidden", { "Content-Type": "text/plain" });
    response.end("Forbidden");
    return;
  }

  if(newPassword !== confirmPassword) {
    response.setHeader("Set-Cookie", "flashMessage=New passwords do not match; Path=/; HttpOnly; Max-Age=5");
    response.writeHead(302, { "Location": "/admin/users/" + userId });
    response.end();
    return;
  }

  var userData = state.server.sqlTiddlerDatabase.getUser(userId);

  if(!userData) {
    response.setHeader("Set-Cookie", "flashMessage=User not found; Path=/; HttpOnly; Max-Age=5");
    response.writeHead(302, { "Location": "/admin/users/" + userId });
    response.end();
    return;
  }

  var newHash = auth.hashPassword(newPassword);
  var result = state.server.sqlTiddlerDatabase.updateUserPassword(userId, newHash);

  response.setHeader("Set-Cookie", `flashMessage=${result.message}; Path=/; HttpOnly; Max-Age=5`);
  response.writeHead(302, { "Location": "/admin/users/" + userId });
  response.end();
};

}());
MWS authentication (#8596) * mws authentication * add more tests and permission checkers * add logic to ensure that only authenticated users' requests are handled * add custom login page * Implement user authentication as well as session handling * work on user operations authorization * add middleware to route handlers for bags & tiddlers routes * add feature that only returns the tiddlers and bags which the user has permission to access on index page * refactor auth routes & added user management page * fix Ci Test failure issue * fix users list page, add manage roles page * add commands and scripts to create new user & assign roles and permissions * resolved ci-test failure * add ACL permissions to bags & tiddlers on creation * fix comments and access control list bug * fix indentation issues * working on user profile edit * remove list users command & added support for database in server options * implement user profile update and password change feature * update plugin readme * implement command which triggers protected mode on the server * revert server-wide auth flag. Implement selective authorization * ACL management feature * Complete Access control list implementation * Added support to manage users' assigned role by admin * fix comments * fix comment 2024-10-30 18:59:44 +01:00			`/*\`
			`title: $:/plugins/tiddlywiki/multiwikiserver/routes/handlers/change-password.js`
			`type: application/javascript`
			`module-type: mws-route`

			`POST /change-user-password`

			`\*/`
			`(function () {`

			`/jslint node: true, browser: true /`
			`/global $tw: false /`
			`"use strict";`
			`var authenticator = require("$:/plugins/tiddlywiki/multiwikiserver/auth/authentication.js").Authenticator;`

			`exports.method = "POST";`

			`exports.path = /^\/change-user-password\/?$/;`

			`exports.bodyFormat = "www-form-urlencoded";`

			`exports.csrfDisable = true;`

			`exports.handler = function (request, response, state) {`
			`if(!state.authenticatedUser) {`
			`response.writeHead(401, "Unauthorized", { "Content-Type": "text/plain" });`
			`response.end("Unauthorized");`
			`return;`
			`}`
			`var auth = authenticator(state.server.sqlTiddlerDatabase);`

Add user profile management and account deletion functionality (#8712) * mws authentication * add more tests and permission checkers * add logic to ensure that only authenticated users' requests are handled * add custom login page * Implement user authentication as well as session handling * work on user operations authorization * add middleware to route handlers for bags & tiddlers routes * add feature that only returns the tiddlers and bags which the user has permission to access on index page * refactor auth routes & added user management page * fix Ci Test failure issue * fix users list page, add manage roles page * add commands and scripts to create new user & assign roles and permissions * resolved ci-test failure * add ACL permissions to bags & tiddlers on creation * fix comments and access control list bug * fix indentation issues * working on user profile edit * remove list users command & added support for database in server options * implement user profile update and password change feature * update plugin readme * implement command which triggers protected mode on the server * revert server-wide auth flag. Implement selective authorization * ACL management feature * Complete Access control list implementation * Added support to manage users' assigned role by admin * fix comments * fix comment * Add user profile management and account deletion functionality 2024-10-30 19:38:21 +01:00			`var userId = state.data.userId;`
MWS authentication (#8596) * mws authentication * add more tests and permission checkers * add logic to ensure that only authenticated users' requests are handled * add custom login page * Implement user authentication as well as session handling * work on user operations authorization * add middleware to route handlers for bags & tiddlers routes * add feature that only returns the tiddlers and bags which the user has permission to access on index page * refactor auth routes & added user management page * fix Ci Test failure issue * fix users list page, add manage roles page * add commands and scripts to create new user & assign roles and permissions * resolved ci-test failure * add ACL permissions to bags & tiddlers on creation * fix comments and access control list bug * fix indentation issues * working on user profile edit * remove list users command & added support for database in server options * implement user profile update and password change feature * update plugin readme * implement command which triggers protected mode on the server * revert server-wide auth flag. Implement selective authorization * ACL management feature * Complete Access control list implementation * Added support to manage users' assigned role by admin * fix comments * fix comment 2024-10-30 18:59:44 +01:00			`var newPassword = state.data.newPassword;`
			`var confirmPassword = state.data.confirmPassword;`
Add user profile management and account deletion functionality (#8712) * mws authentication * add more tests and permission checkers * add logic to ensure that only authenticated users' requests are handled * add custom login page * Implement user authentication as well as session handling * work on user operations authorization * add middleware to route handlers for bags & tiddlers routes * add feature that only returns the tiddlers and bags which the user has permission to access on index page * refactor auth routes & added user management page * fix Ci Test failure issue * fix users list page, add manage roles page * add commands and scripts to create new user & assign roles and permissions * resolved ci-test failure * add ACL permissions to bags & tiddlers on creation * fix comments and access control list bug * fix indentation issues * working on user profile edit * remove list users command & added support for database in server options * implement user profile update and password change feature * update plugin readme * implement command which triggers protected mode on the server * revert server-wide auth flag. Implement selective authorization * ACL management feature * Complete Access control list implementation * Added support to manage users' assigned role by admin * fix comments * fix comment * Add user profile management and account deletion functionality 2024-10-30 19:38:21 +01:00			`var currentUserId = state.authenticatedUser.user_id;`

			`var hasPermission = ($tw.utils.parseInt(userId, 10) === currentUserId) \|\| state.authenticatedUser.isAdmin;`

			`if(!hasPermission) {`
			`response.writeHead(403, "Forbidden", { "Content-Type": "text/plain" });`
			`response.end("Forbidden");`
			`return;`
			`}`
MWS authentication (#8596) * mws authentication * add more tests and permission checkers * add logic to ensure that only authenticated users' requests are handled * add custom login page * Implement user authentication as well as session handling * work on user operations authorization * add middleware to route handlers for bags & tiddlers routes * add feature that only returns the tiddlers and bags which the user has permission to access on index page * refactor auth routes & added user management page * fix Ci Test failure issue * fix users list page, add manage roles page * add commands and scripts to create new user & assign roles and permissions * resolved ci-test failure * add ACL permissions to bags & tiddlers on creation * fix comments and access control list bug * fix indentation issues * working on user profile edit * remove list users command & added support for database in server options * implement user profile update and password change feature * update plugin readme * implement command which triggers protected mode on the server * revert server-wide auth flag. Implement selective authorization * ACL management feature * Complete Access control list implementation * Added support to manage users' assigned role by admin * fix comments * fix comment 2024-10-30 18:59:44 +01:00
			`if(newPassword !== confirmPassword) {`
			`response.setHeader("Set-Cookie", "flashMessage=New passwords do not match; Path=/; HttpOnly; Max-Age=5");`
			`response.writeHead(302, { "Location": "/admin/users/" + userId });`
			`response.end();`
			`return;`
			`}`

			`var userData = state.server.sqlTiddlerDatabase.getUser(userId);`

			`if(!userData) {`
			`response.setHeader("Set-Cookie", "flashMessage=User not found; Path=/; HttpOnly; Max-Age=5");`
			`response.writeHead(302, { "Location": "/admin/users/" + userId });`
			`response.end();`
			`return;`
			`}`

			`var newHash = auth.hashPassword(newPassword);`
			`var result = state.server.sqlTiddlerDatabase.updateUserPassword(userId, newHash);`

			response.setHeader("Set-Cookie", `flashMessage=${result.message}; Path=/; HttpOnly; Max-Age=5`);
			`response.writeHead(302, { "Location": "/admin/users/" + userId });`
			`response.end();`
			`};`

			`}());`