mycorrhiza/web/password.go

package web

import (
	"fmt"
	"mime"
	"net/http"
	"reflect"

	"github.com/bouncepaw/mycorrhiza/internal/user"
	"github.com/bouncepaw/mycorrhiza/util"
	"github.com/bouncepaw/mycorrhiza/web/viewutil"
)

func handlerUserChangePassword(w http.ResponseWriter, rq *http.Request) {
	u := user.FromRequest(rq)
	// TODO: is there a better way?
	if reflect.DeepEqual(u, user.EmptyUser()) || u == nil {
		util.HTTP404Page(w, "404 page not found")
		return
	}

	f := util.FormDataFromRequest(rq, []string{"current_password", "password", "password_confirm"})
	currentPassword := f.Get("current_password")

	if user.CredentialsOK(u.Name, currentPassword) {
		password := f.Get("password")
		passwordConfirm := f.Get("password_confirm")
		// server side validation
		if password == "" {
			err := fmt.Errorf("passwords should not be empty")
			f = f.WithError(err)
		}
		if password == passwordConfirm {
			previousPassword := u.Password // for rollback
			if err := u.ChangePassword(password); err != nil {
				f = f.WithError(err)
			} else {
				if err := user.SaveUserDatabase(); err != nil {
					u.Password = previousPassword
					f = f.WithError(err)
				} else {
					http.Redirect(w, rq, "/", http.StatusSeeOther)
					return
				}
			}
		} else {
			err := fmt.Errorf("passwords do not match")
			f = f.WithError(err)
		}
	} else {
		// TODO: handle first attempt different
		err := fmt.Errorf("incorrect password")
		f = f.WithError(err)
	}

	if f.HasError() {
		w.WriteHeader(http.StatusBadRequest)
	}
	w.Header().Set("Content-Type", mime.TypeByExtension(".html"))

	_ = pageChangePassword.RenderTo(
		viewutil.MetaFrom(w, rq),
		map[string]any{
			"Form": f,
			"U":    u,
		},
	)
}
New templates #117 (#236) Didn't have the chance to migrate //all// templates just yet. We'll get there. * Implement yet another template system * Move orphans to the new system and fix a bug in it * Link orphans in the admin panel * Move the backlink handlers to the web package * Move auth routing to web * Move /user-list to the new system * Move change password and translate it * Move stuff * Move admin-related stuff to the web * Move a lot of files into internal dir Outside of it are web and stuff that needs further refactoring * Fix static not loading and de-qtpl tree * Move tree to internal * Keep the globe on the same line #230 * Revert "Keep the globe on the same line #230" This reverts commit ae78e5e459b1e980ba89bf29e61f75c0625ed2c7. * Migrate templates from hypview: delete, edit, start empty and existing WIP The delete media view was removed, I didn't even know it still existed as a GET. A rudiment. * Make views multi-file and break compilation * Megarefactoring of hypha views * Auth-related stuffs * Fix some of those weird imports * Migrate cat views * Fix cat js * Lower standards * Internalize trauma 2024-09-07 21:22:41 +03:00			`package web`
implement user facing password change page similar to the admin password change, but with a few changes: - require current password verification the following still included: - empty password check - confirm password check 2023-11-27 14:55:46 +01:00
			`import (`
			`"fmt"`
			`"mime"`
			`"net/http"`
			`"reflect"`
Migrate from log to slog #109 (#255) * Migrate httpd.go * Migrate history and main * Migrate hypview * Migrate interwiki * Migrate misc * Migrate utils * Migrate backlinks * Migrate categories * Reformat some imports * Migrate hyphae * Migrate migration * Reformat more imports * Migrate user * Migrate shroom * Migrate viewutil * Migrate web * Migrate others * Migrate main * Wording concerns 2024-09-07 23:55:39 +03:00
			`"github.com/bouncepaw/mycorrhiza/internal/user"`
			`"github.com/bouncepaw/mycorrhiza/util"`
			`"github.com/bouncepaw/mycorrhiza/web/viewutil"`
implement user facing password change page similar to the admin password change, but with a few changes: - require current password verification the following still included: - empty password check - confirm password check 2023-11-27 14:55:46 +01:00			`)`

			`func handlerUserChangePassword(w http.ResponseWriter, rq *http.Request) {`
			`u := user.FromRequest(rq)`
			`// TODO: is there a better way?`
			`if reflect.DeepEqual(u, user.EmptyUser()) \|\| u == nil {`
			`util.HTTP404Page(w, "404 page not found")`
			`return`
			`}`

			`f := util.FormDataFromRequest(rq, []string{"current_password", "password", "password_confirm"})`
			`currentPassword := f.Get("current_password")`

			`if user.CredentialsOK(u.Name, currentPassword) {`
			`password := f.Get("password")`
			`passwordConfirm := f.Get("password_confirm")`
			`// server side validation`
			`if password == "" {`
			`err := fmt.Errorf("passwords should not be empty")`
			`f = f.WithError(err)`
			`}`
			`if password == passwordConfirm {`
			`previousPassword := u.Password // for rollback`
			`if err := u.ChangePassword(password); err != nil {`
			`f = f.WithError(err)`
			`} else {`
			`if err := user.SaveUserDatabase(); err != nil {`
			`u.Password = previousPassword`
			`f = f.WithError(err)`
			`} else {`
			`http.Redirect(w, rq, "/", http.StatusSeeOther)`
			`return`
			`}`
			`}`
			`} else {`
			`err := fmt.Errorf("passwords do not match")`
			`f = f.WithError(err)`
			`}`
			`} else {`
New templates #117 (#236) Didn't have the chance to migrate //all// templates just yet. We'll get there. * Implement yet another template system * Move orphans to the new system and fix a bug in it * Link orphans in the admin panel * Move the backlink handlers to the web package * Move auth routing to web * Move /user-list to the new system * Move change password and translate it * Move stuff * Move admin-related stuff to the web * Move a lot of files into internal dir Outside of it are web and stuff that needs further refactoring * Fix static not loading and de-qtpl tree * Move tree to internal * Keep the globe on the same line #230 * Revert "Keep the globe on the same line #230" This reverts commit ae78e5e459b1e980ba89bf29e61f75c0625ed2c7. * Migrate templates from hypview: delete, edit, start empty and existing WIP The delete media view was removed, I didn't even know it still existed as a GET. A rudiment. * Make views multi-file and break compilation * Megarefactoring of hypha views * Auth-related stuffs * Fix some of those weird imports * Migrate cat views * Fix cat js * Lower standards * Internalize trauma 2024-09-07 21:22:41 +03:00			`// TODO: handle first attempt different`
implement user facing password change page similar to the admin password change, but with a few changes: - require current password verification the following still included: - empty password check - confirm password check 2023-11-27 14:55:46 +01:00			`err := fmt.Errorf("incorrect password")`
			`f = f.WithError(err)`
			`}`

			`if f.HasError() {`
			`w.WriteHeader(http.StatusBadRequest)`
			`}`
			`w.Header().Set("Content-Type", mime.TypeByExtension(".html"))`

New templates #117 (#236) Didn't have the chance to migrate //all// templates just yet. We'll get there. * Implement yet another template system * Move orphans to the new system and fix a bug in it * Link orphans in the admin panel * Move the backlink handlers to the web package * Move auth routing to web * Move /user-list to the new system * Move change password and translate it * Move stuff * Move admin-related stuff to the web * Move a lot of files into internal dir Outside of it are web and stuff that needs further refactoring * Fix static not loading and de-qtpl tree * Move tree to internal * Keep the globe on the same line #230 * Revert "Keep the globe on the same line #230" This reverts commit ae78e5e459b1e980ba89bf29e61f75c0625ed2c7. * Migrate templates from hypview: delete, edit, start empty and existing WIP The delete media view was removed, I didn't even know it still existed as a GET. A rudiment. * Make views multi-file and break compilation * Megarefactoring of hypha views * Auth-related stuffs * Fix some of those weird imports * Migrate cat views * Fix cat js * Lower standards * Internalize trauma 2024-09-07 21:22:41 +03:00			`_ = pageChangePassword.RenderTo(`
			`viewutil.MetaFrom(w, rq),`
			`map[string]any{`
			`"Form": f,`
			`"U": u,`
			`},`
			`)`
implement user facing password change page similar to the admin password change, but with a few changes: - require current password verification the following still included: - empty password check - confirm password check 2023-11-27 14:55:46 +01:00			`}`