TwitterAPI: Make change_password require body params instead of query

Backport of: https://git.pleroma.social/pleroma/pleroma/-/merge_requests/3503
This commit is contained in:
Haelwenn (lanodan) Monnier 2021-08-10 19:42:03 +02:00
parent 8baaa36a16
commit 3961422f85
No known key found for this signature in database
GPG key ID: D5B7A8E43C997DEE
4 changed files with 61 additions and 63 deletions

View file

@ -19,6 +19,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
### Fixed ### Fixed
- MastodonAPI: Stream out Create activities - MastodonAPI: Stream out Create activities
- MRF ObjectAgePolicy: Fix pattern matching on "published" - MRF ObjectAgePolicy: Fix pattern matching on "published"
- TwitterAPI: Make `change_password` require params on body instead of query
## 2.4.0 - 2021-08-08 ## 2.4.0 - 2021-08-08

View file

@ -8,6 +8,8 @@ defmodule Pleroma.Web.ApiSpec.TwitterUtilOperation do
alias Pleroma.Web.ApiSpec.Schemas.ApiError alias Pleroma.Web.ApiSpec.Schemas.ApiError
alias Pleroma.Web.ApiSpec.Schemas.BooleanLike alias Pleroma.Web.ApiSpec.Schemas.BooleanLike
import Pleroma.Web.ApiSpec.Helpers
def open_api_operation(action) do def open_api_operation(action) do
operation = String.to_existing_atom("#{action}_operation") operation = String.to_existing_atom("#{action}_operation")
apply(__MODULE__, operation, []) apply(__MODULE__, operation, [])
@ -63,17 +65,7 @@ def change_password_operation do
summary: "Change account password", summary: "Change account password",
security: [%{"oAuth" => ["write:accounts"]}], security: [%{"oAuth" => ["write:accounts"]}],
operationId: "UtilController.change_password", operationId: "UtilController.change_password",
parameters: [ requestBody: request_body("Parameters", change_password_request(), required: true),
Operation.parameter(:password, :query, :string, "Current password", required: true),
Operation.parameter(:new_password, :query, :string, "New password", required: true),
Operation.parameter(
:new_password_confirmation,
:query,
:string,
"New password, confirmation",
required: true
)
],
responses: %{ responses: %{
200 => 200 =>
Operation.response("Success", "application/json", %Schema{ Operation.response("Success", "application/json", %Schema{
@ -86,6 +78,23 @@ def change_password_operation do
} }
end end
defp change_password_request do
%Schema{
title: "ChangePasswordRequest",
description: "POST body for changing the account's passowrd",
type: :object,
required: [:password, :new_password, :new_password_confirmation],
properties: %{
password: %Schema{type: :string, description: "Current password"},
new_password: %Schema{type: :string, description: "New password"},
new_password_confirmation: %Schema{
type: :string,
description: "New password, confirmation"
}
}
}
end
def change_email_operation do def change_email_operation do
%Operation{ %Operation{
tags: ["Account credentials"], tags: ["Account credentials"],

View file

@ -81,17 +81,13 @@ def update_notificaton_settings(%{assigns: %{user: user}} = conn, params) do
end end
end end
def change_password(%{assigns: %{user: user}} = conn, %{ def change_password(%{assigns: %{user: user}, body_params: body_params} = conn, %{}) do
password: password, case CommonAPI.Utils.confirm_current_password(user, body_params.password) do
new_password: new_password,
new_password_confirmation: new_password_confirmation
}) do
case CommonAPI.Utils.confirm_current_password(user, password) do
{:ok, user} -> {:ok, user} ->
with {:ok, _user} <- with {:ok, _user} <-
User.reset_password(user, %{ User.reset_password(user, %{
password: new_password, password: body_params.new_password,
password_confirmation: new_password_confirmation password_confirmation: body_params.new_password_confirmation
}) do }) do
json(conn, %{status: "success"}) json(conn, %{status: "success"})
else else

View file

@ -356,15 +356,12 @@ test "without permissions", %{conn: conn} do
conn = conn =
conn conn
|> assign(:token, nil) |> assign(:token, nil)
|> post( |> put_req_header("content-type", "multipart/form-data")
"/api/pleroma/change_password?#{ |> post("/api/pleroma/change_password", %{
URI.encode_query(%{ "password" => "hi",
password: "hi", "new_password" => "newpass",
new_password: "newpass", "new_password_confirmation" => "newpass"
new_password_confirmation: "newpass"
}) })
}"
)
assert json_response_and_validate_schema(conn, 403) == %{ assert json_response_and_validate_schema(conn, 403) == %{
"error" => "Insufficient permissions: write:accounts." "error" => "Insufficient permissions: write:accounts."
@ -373,16 +370,13 @@ test "without permissions", %{conn: conn} do
test "with proper permissions and invalid password", %{conn: conn} do test "with proper permissions and invalid password", %{conn: conn} do
conn = conn =
post( conn
conn, |> put_req_header("content-type", "multipart/form-data")
"/api/pleroma/change_password?#{ |> post("/api/pleroma/change_password", %{
URI.encode_query(%{ "password" => "hi",
password: "hi", "new_password" => "newpass",
new_password: "newpass", "new_password_confirmation" => "newpass"
new_password_confirmation: "newpass"
}) })
}"
)
assert json_response_and_validate_schema(conn, 200) == %{"error" => "Invalid password."} assert json_response_and_validate_schema(conn, 200) == %{"error" => "Invalid password."}
end end
@ -392,16 +386,13 @@ test "with proper permissions, valid password and new password and confirmation
conn: conn conn: conn
} do } do
conn = conn =
post( conn
conn, |> put_req_header("content-type", "multipart/form-data")
"/api/pleroma/change_password?#{ |> post("/api/pleroma/change_password", %{
URI.encode_query(%{ "password" => "test",
password: "test", "new_password" => "newpass",
new_password: "newpass", "new_password_confirmation" => "notnewpass"
new_password_confirmation: "notnewpass"
}) })
}"
)
assert json_response_and_validate_schema(conn, 200) == %{ assert json_response_and_validate_schema(conn, 200) == %{
"error" => "New password does not match confirmation." "error" => "New password does not match confirmation."
@ -412,12 +403,13 @@ test "with proper permissions, valid password and invalid new password", %{
conn: conn conn: conn
} do } do
conn = conn =
post( conn
conn, |> put_req_header("content-type", "multipart/form-data")
"/api/pleroma/change_password?#{ |> post("/api/pleroma/change_password", %{
URI.encode_query(%{password: "test", new_password: "", new_password_confirmation: ""}) password: "test",
}" new_password: "",
) new_password_confirmation: ""
})
assert json_response_and_validate_schema(conn, 200) == %{ assert json_response_and_validate_schema(conn, 200) == %{
"error" => "New password can't be blank." "error" => "New password can't be blank."
@ -429,15 +421,15 @@ test "with proper permissions, valid password and matching new password and conf
user: user user: user
} do } do
conn = conn =
post( conn
conn, |> put_req_header("content-type", "multipart/form-data")
"/api/pleroma/change_password?#{ |> post(
URI.encode_query(%{ "/api/pleroma/change_password",
%{
password: "test", password: "test",
new_password: "newpass", new_password: "newpass",
new_password_confirmation: "newpass" new_password_confirmation: "newpass"
}) }
}"
) )
assert json_response_and_validate_schema(conn, 200) == %{"status" => "success"} assert json_response_and_validate_schema(conn, 200) == %{"status" => "success"}