Request user password on first login OTP form.

includes/core/load.js.php

@@ -1365,7 +1365,15 @@ function(teampassUser) {
     * NEW LDAP USER HAS TO BUILD THE ITEMS DATABASE
      */
     $(document).on('click', '#dialog-ldap-user-build-keys-database-do', function() {
-        if ($('#dialog-ldap-user-build-keys-database-code').val() === '') {
+
+        // Add OAuth password in hidden field.
+        if (store.get('teampassUser').auth_type === 'oauth2') {
+            $('#dialog-ldap-user-build-keys-database-userpassword')
+                .val(hashUserId(store.get('userOauth2Info').sub));
+        }
+
+        if ($('#dialog-ldap-user-build-keys-database-code').val() === ''
+            || $('#dialog-ldap-user-build-keys-database-userpassword').val() === '') {
 
             return false;
         }
@@ -1423,7 +1431,7 @@ function(data) {
                     data = {
                         'user_id': store.get('teampassUser').user_id,
                         'current_code': $('#dialog-ldap-user-build-keys-database-code').val(),
-                        'new_code': '',
+                        'new_code': $('#dialog-ldap-user-build-keys-database-userpassword').val(),
                         'action_type' : '',
                     }
                     if (debugJavascript === true) console.log(data);

index.php

@@ -943,6 +943,13 @@
                                         <span class="input-group-text"><?php echo $lang->get('temporary_encryption_code'); ?></span>
                                     </div>
                                     <input type="password" class="form-control" id="dialog-ldap-user-build-keys-database-code">
+                                    <br/>
+                                </div>
+                                <div class="input-group mb-3<?php if ($session_auth_type === 'oauth2') echo ' hidden'; ?>">
+                                    <div class="input-group-prepend">
+                                        <span class="input-group-text"><?php echo $lang->get('provide_your_current_password'); ?></span>
+                                    </div>
+                                    <input type="password" class="form-control" id="dialog-ldap-user-build-keys-database-userpassword">
                                 </div>
 
                                 <div class="form-control mt-3 font-weight-light grey" id="dialog-ldap-user-build-keys-database-progress">

sources/main.queries.php

@@ -665,10 +665,33 @@ function keyHandler(string $post_type, /*php8 array|null|string */$dataReceived,
          * User's public/private keys change
          */
         case 'change_private_key_encryption_password'://action_key
+
+            // Users passwords are html escaped
+            $newPassword = filter_var($dataReceived['new_code'], FILTER_SANITIZE_FULL_SPECIAL_CHARS);
+
+            // Get current user hash
+            $userHash = DB::queryFirstRow(
+                "SELECT pw FROM " . prefixtable('users') . " WHERE id = %d;",
+                $session->get('user-id')
+            )['pw'];
+
+            $passwordManager = new PasswordManager();
+
+            // Verify provided user password
+            if (!$passwordManager->verifyPassword($userHash, $newPassword)) {
+                return prepareExchangedData(
+                    array(
+                        'error' => true,
+                        'message' => $lang->get('error_bad_credentials'),
+                    ),
+                    'encode'
+                );
+            }
+
             return changePrivateKeyEncryptionPassword(
                 (int) filter_var($filtered_user_id, FILTER_SANITIZE_NUMBER_INT),
                 (string) $dataReceived['current_code'],
-                (string) filter_var($dataReceived['new_code'], FILTER_SANITIZE_FULL_SPECIAL_CHARS),
+                (string) $newPassword,
                 (string) filter_var($dataReceived['action_type'], FILTER_SANITIZE_FULL_SPECIAL_CHARS),
                 $SETTINGS
             );