tenseleyflow/shithub / 82087a7

+			r.Get("/settings/password", h.settingsPasswordForm)

+			r.Post("/settings/password", h.settingsPasswordSubmit)

+	//nolint:gosec // G101 false positive: HTML fixture, not a credential.

+	pwTpl := `{{ define "page" }}<h1>Password</h1>{{ with .Error }}<p class=error>{{.}}</p>{{ end }}{{ with .Success }}<p class=notice>{{.}}</p>{{ end }}<form action="/settings/password" method=POST><input name=csrf_token value="{{.CSRFToken}}">RECENT={{.RecentAuthOK}};</form>{{ end }}`

+		"settings/password.html":     {Data: []byte(pwTpl)},

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package auth

+

+import (

+	"net/http"

+

+	"github.com/tenseleyFlow/shithub/internal/auth/audit"

+	"github.com/tenseleyFlow/shithub/internal/auth/password"

+	"github.com/tenseleyFlow/shithub/internal/passwords"

+	usersdb "github.com/tenseleyFlow/shithub/internal/users/sqlc"

+	"github.com/tenseleyFlow/shithub/internal/web/middleware"

+)

+

+// settingsPasswordForm renders GET /settings/password.

+func (h *Handlers) settingsPasswordForm(w http.ResponseWriter, r *http.Request) {

+	h.renderPasswordForm(w, r, "", "")

+}

+

+// settingsPasswordSubmit handles POST /settings/password.

+//

+// Flow:

+//  1. Recent-2FA gate (handlers/auth/tokens.go::recentAuthOK semantics).

+//     Skipped for users without 2FA enrolled.

+//  2. Verify the current password.

+//  3. Validate the new password against the same rules as signup.

+//  4. Hash + UpdateUserPassword + bump session_epoch (the bump invalidates

+//     all OTHER sessions on the account; the current session sticks

+//     because we re-issue its cookie below).

+//  5. Audit-log + (later) email notification.

+func (h *Handlers) settingsPasswordSubmit(w http.ResponseWriter, r *http.Request) {

+	if err := r.ParseForm(); err != nil {

+		h.d.Render.HTTPError(w, r, http.StatusBadRequest, "form parse")

+		return

+	}

+	user := middleware.CurrentUserFromContext(r.Context())

+	current := r.PostFormValue("current_password")

+	next := r.PostFormValue("new_password")

+	confirm := r.PostFormValue("confirm_password")

+

+	if !h.recentAuthOK(r) {

+		h.renderPasswordForm(w, r,

+			"Confirm 2FA recently before changing your password: sign in again with your authenticator code.",

+			"")

+		return

+	}

+

+	row, err := h.q.GetUserByID(r.Context(), h.d.Pool, user.ID)

+	if err != nil {

+		h.d.Logger.ErrorContext(r.Context(), "password: load user", "error", err)

+		h.d.Render.HTTPError(w, r, http.StatusInternalServerError, "")

+		return

+	}

+	ok, err := password.Verify(current, row.PasswordHash)

+	if err != nil || !ok {

+		h.renderPasswordForm(w, r, "Current password is incorrect.", "")

+		return

+	}

+

+	if msg := validateNewPassword(next, confirm); msg != "" {

+		h.renderPasswordForm(w, r, msg, "")

+		return

+	}

+	if next == current {

+		h.renderPasswordForm(w, r, "Pick a password different from your current one.", "")

+		return

+	}

+

+	hash, err := hashPassword(next, h.d.Argon2)

+	if err != nil {

+		h.d.Logger.ErrorContext(r.Context(), "password: hash", "error", err)

+		h.d.Render.HTTPError(w, r, http.StatusInternalServerError, "")

+		return

+	}

+

+	tx, err := h.d.Pool.Begin(r.Context())

+	if err != nil {

+		h.d.Logger.ErrorContext(r.Context(), "password: begin", "error", err)

+		h.d.Render.HTTPError(w, r, http.StatusInternalServerError, "")

+		return

+	}

+	defer func() { _ = tx.Rollback(r.Context()) }()

+

+	if err := h.q.UpdateUserPassword(r.Context(), tx, usersdb.UpdateUserPasswordParams{

+		ID: user.ID, PasswordHash: hash, PasswordAlgo: "argon2id-v1",

+	}); err != nil {

+		h.d.Logger.ErrorContext(r.Context(), "password: update", "error", err)

+		h.d.Render.HTTPError(w, r, http.StatusInternalServerError, "")

+		return

+	}

+	if err := h.q.BumpUserSessionEpoch(r.Context(), tx, user.ID); err != nil {

+		h.d.Logger.ErrorContext(r.Context(), "password: bump epoch", "error", err)

+		h.d.Render.HTTPError(w, r, http.StatusInternalServerError, "")

+		return

+	}

+	if err := tx.Commit(r.Context()); err != nil {

+		h.d.Logger.ErrorContext(r.Context(), "password: commit", "error", err)

+		h.d.Render.HTTPError(w, r, http.StatusInternalServerError, "")

+		return

+	}

+

+	if err := h.d.Audit.Record(r.Context(), h.d.Pool, user.ID,

+		audit.ActionPasswordChanged, audit.TargetUser, user.ID, map[string]any{

+			"via": "settings",

+		}); err != nil {

+		h.d.Logger.WarnContext(r.Context(), "password: audit", "error", err)

+	}

+

+	h.renderPasswordForm(w, r, "", "Password updated. Other sessions have been signed out.")

+}

+

+func (h *Handlers) renderPasswordForm(w http.ResponseWriter, r *http.Request, errMsg, successMsg string) {

+	h.renderPage(w, r, "settings/password", map[string]any{

+		"Title":          "Password",

+		"CSRFToken":      middleware.CSRFTokenForRequest(r),

+		"SettingsActive": "password",

+		"RecentAuthOK":   h.recentAuthOK(r),

+		"Error":          errMsg,

+		"Success":        successMsg,

+	})

+}

+

+// validateNewPassword enforces signup parity for the chosen new password.

+func validateNewPassword(next, confirm string) string {

+	if len(next) < 10 {

+		return "Password must be at least 10 characters."

+	}

+	if next != confirm {

+		return "New password and confirmation don't match."

+	}

+	if passwords.IsCommon(next) {

+		return "That password is too common. Please choose another."

+	}

+	return ""

+}

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package auth_test

+

+import (

+	"io"

+	"net/http"

+	"net/url"

+	"strings"

+	"testing"

+)

+

+const (

+	//nolint:gosec // G101 false positive: test fixture, not a real credential.

+	pwOriginal = "correct horse battery staple"

+	//nolint:gosec // G101 false positive: test fixture, not a real credential.

+	pwNew = "tr0ub4dor & 3 horseshoes"

+)

+

+func loginPasswordUser(t *testing.T, name string) *client {

+	t.Helper()

+	httpsrv, captor := newTestServer(t, false)

+	cli := newClient(t, httpsrv)

+	mustSignup(t, cli, name, name+"@example.com", pwOriginal)

+	tok := extractTokenFromMessage(t, captor.all()[0], "/verify-email")

+	_ = cli.get(t, "/verify-email/"+tok).Body.Close()

+

+	csrf := cli.extractCSRF(t, "/login")

+	resp := cli.post(t, "/login", url.Values{

+		"csrf_token": {csrf},

+		"username":   {name},

+		"password":   {pwOriginal},

+	})

+	if resp.StatusCode != http.StatusSeeOther {

+		t.Fatalf("login: %d", resp.StatusCode)

+	}

+	_ = resp.Body.Close()

+	return cli

+}

+

+func TestPasswordChange_Roundtrip(t *testing.T) {

+	t.Parallel()

+	cli := loginPasswordUser(t, "pwa")

+	csrf := cli.extractCSRF(t, "/settings/password")

+	resp := cli.post(t, "/settings/password", url.Values{

+		"csrf_token":       {csrf},

+		"current_password": {pwOriginal},

+		"new_password":     {pwNew},

+		"confirm_password": {pwNew},

+	})

+	defer func() { _ = resp.Body.Close() }()

+	body, _ := io.ReadAll(resp.Body)

+	if !strings.Contains(string(body), "Password updated") {

+		t.Fatalf("expected success, got: %s", body)

+	}

+}

+

+func TestPasswordChange_RejectsWrongCurrent(t *testing.T) {

+	t.Parallel()

+	cli := loginPasswordUser(t, "pwb")

+	csrf := cli.extractCSRF(t, "/settings/password")

+	resp := cli.post(t, "/settings/password", url.Values{

+		"csrf_token":       {csrf},

+		"current_password": {"not-the-right-password"},

+		"new_password":     {pwNew},

+		"confirm_password": {pwNew},

+	})

+	defer func() { _ = resp.Body.Close() }()

+	body, _ := io.ReadAll(resp.Body)

+	if !strings.Contains(string(body), "Current password is incorrect") {

+		t.Fatalf("expected incorrect-current error, got: %s", body)

+	}

+}

+

+func TestPasswordChange_RejectsMismatch(t *testing.T) {

+	t.Parallel()

+	cli := loginPasswordUser(t, "pwc")

+	csrf := cli.extractCSRF(t, "/settings/password")

+	resp := cli.post(t, "/settings/password", url.Values{

+		"csrf_token":       {csrf},

+		"current_password": {pwOriginal},

+		"new_password":     {pwNew},

+		"confirm_password": {pwNew + "X"},

+	})

+	defer func() { _ = resp.Body.Close() }()

+	body, _ := io.ReadAll(resp.Body)

+	// HTML-escaping turns "don't" into "don't", so we check for the

+	// stable substring "and confirmation".

+	if !strings.Contains(string(body), "and confirmation") {

+		t.Fatalf("expected confirmation mismatch error, got: %s", body)

+	}

+}

+

+func TestPasswordChange_RejectsTooShort(t *testing.T) {

+	t.Parallel()

+	cli := loginPasswordUser(t, "pwd")

+	csrf := cli.extractCSRF(t, "/settings/password")

+	resp := cli.post(t, "/settings/password", url.Values{

+		"csrf_token":       {csrf},

+		"current_password": {pwOriginal},

+		"new_password":     {"short"},

+		"confirm_password": {"short"},

+	})

+	defer func() { _ = resp.Body.Close() }()

+	body, _ := io.ReadAll(resp.Body)

+	if !strings.Contains(string(body), "at least 10") {

+		t.Fatalf("expected too-short error, got: %s", body)

+	}

+}

+

+func TestPasswordChange_RejectsCommon(t *testing.T) {

+	t.Parallel()

+	cli := loginPasswordUser(t, "pwe")

+	csrf := cli.extractCSRF(t, "/settings/password")

+	resp := cli.post(t, "/settings/password", url.Values{

+		"csrf_token":       {csrf},

+		"current_password": {pwOriginal},

+		"new_password":     {"qwertyuiop"}, // 10-char common-list entry

+		"confirm_password": {"qwertyuiop"},

+	})

+	defer func() { _ = resp.Body.Close() }()

+	body, _ := io.ReadAll(resp.Body)

+	if !strings.Contains(string(body), "too common") {

+		t.Fatalf("expected too-common error, got: %s", body)

+	}

+}

+

+func TestPasswordChange_OriginalNoLongerWorks(t *testing.T) {

+	t.Parallel()

+	cli := loginPasswordUser(t, "pwf")

+	csrf := cli.extractCSRF(t, "/settings/password")

+	resp := cli.post(t, "/settings/password", url.Values{

+		"csrf_token":       {csrf},

+		"current_password": {pwOriginal},

+		"new_password":     {pwNew},

+		"confirm_password": {pwNew},

+	})

+	_ = resp.Body.Close()

+

+	// New session, attempt login with the OLD password — must fail.

+	cli2 := newClient(t, cli.srv)

+	csrf = cli2.extractCSRF(t, "/login")

+	resp = cli2.post(t, "/login", url.Values{

+		"csrf_token": {csrf},

+		"username":   {"pwf"},

+		"password":   {pwOriginal},

+	})

+	defer func() { _ = resp.Body.Close() }()

+	if resp.StatusCode == http.StatusSeeOther {

+		t.Fatalf("expected old password to fail; login succeeded")

+	}

+}

+{{ define "page" -}}

+<div class="shithub-settings-page">

+  {{ template "settings-nav" . }}

+  <div class="shithub-settings-content">

+    <h1>Password</h1>

+

+    {{ with .Error }}<p class="shithub-flash shithub-flash-error" role="alert">{{ . }}</p>{{ end }}

+    {{ with .Success }}<p class="shithub-flash shithub-flash-notice" role="status">{{ . }}</p>{{ end }}

+

+    <section class="shithub-settings-section">

+      <h2>Change password</h2>

+      <p>Make it long, unique, and stored in a password manager. Picking a new password signs out all your other sessions.</p>

+

+      {{ if not .RecentAuthOK }}

+        <p class="shithub-flash shithub-flash-error" role="alert">

+          Confirm 2FA before changing your password. <a href="/login">Sign in again</a> with your authenticator code.

+        </p>

+      {{ end }}

+

+      <form method="POST" action="/settings/password" novalidate>

+        <input type="hidden" name="csrf_token" value="{{ .CSRFToken }}">

+        <label>

+          <span>Current password</span>

+          <input type="password" name="current_password" required autocomplete="current-password">

+        </label>

+        <label>

+          <span>New password</span>

+          <input type="password" name="new_password" required minlength="10" autocomplete="new-password">

+          <small>At least 10 characters. Long passphrases beat short cryptic ones.</small>

+        </label>

+        <label>

+          <span>Confirm new password</span>

+          <input type="password" name="confirm_password" required minlength="10" autocomplete="new-password">

+        </label>

+        <button type="submit" class="shithub-button shithub-button-primary">Update password</button>

+      </form>

+    </section>

+  </div>

+</div>

+{{- end }}