Merge pull request #9 from Chefies/feat/old-password-verify

Feat/old password verification
Chefies · Jun 15, 2024 · 8805689 · 8805689
2 parents 876fd53 + 317c177
commit 8805689
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 4 deletions.
diff --git a/cefies/models/profile.py b/cefies/models/profile.py
@@ -9,7 +9,8 @@ class ProfileData(BaseModel):
 
 
 class ChangePasswordData(BaseModel):
-    password: Annotated[str, StringConstraints(min_length=8)]
+    new_password: Annotated[str, StringConstraints(min_length=8)]
+    old_password: Annotated[str, StringConstraints(min_length=8)]
 
 
 class EditProfileData(BaseModel):

diff --git a/cefies/routes/profile.py b/cefies/routes/profile.py
@@ -1,14 +1,13 @@
 import asyncio
 from typing import Annotated
 from fastapi import APIRouter, Depends, HTTPException, status
-from fastapi.responses import JSONResponse
 from pydantic import ValidationError
 
 from cefies.models.db.user import User
 from cefies.models.forms.profile import EditProfileForm
 from cefies.models.profile import ProfileData, ChangePasswordData, EditProfileData
 from cefies.models.response import MessageResponse
-from cefies.security import get_current_user, get_password_hash, get_hash_sha256
+from cefies.security import get_current_user, get_password_hash, get_hash_sha256, verify_password
 from cefies.internal import bucket
 
 router = APIRouter(prefix="/profile")
@@ -58,6 +57,12 @@ def change_password(
     user: Annotated[User, Depends(get_current_user)],
     data: ChangePasswordData,
 ) -> MessageResponse:
-    user.password = get_password_hash(data.password)
+    if not verify_password(data.old_password, user.password):
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="Invalid old password",
+        )
+
+    user.password = get_password_hash(data.new_password)
     user.save()
     return MessageResponse(error=False, message="Password changed")
diff --git a/cefies/security.py b/cefies/security.py
@@ -27,6 +27,10 @@ def authenticate_user(email: str, password: str):
     return cast(User, user)
 
 
+def verify_password(password: str, hashed_password: str):
+    return bcrypt.checkpw(password.encode(), hashed_password.encode())
+
+
 def create_access_token(user_id: str, expires_delta: timedelta = timedelta(minutes=ACCESS_TOKEN_EXPIRE_MINUTES)):
     expire = datetime.now(timezone.utc) + expires_delta
     encoded_jwt = jwt.encode(