change password possible

2023-07-23 12:21:12 +02:00 · 2023-07-23 12:21:12 +02:00 · 4c198e4113
commit 4c198e4113
parent 82a232a20f
5 changed files with 102 additions and 89 deletions
--- a/README.md
+++ b/README.md
@ -4,47 +4,51 @@ My own homepage, bocken.org (new.bocken.org for now), built with svelte-kit.
 ## TODO
 ### General
- [] Admin user management
+- [ ] Admin user management
- [] upload/change pfp
+- [ ] upload/change pfp
 - [x] registration only with minimal permissions
- [] logout without /logout page
+- [ ] logout without /logout page
- [] no DB request for every Layout change if session already got the username once
+- [ ] no DB request for every Layout change if session already got the username once
- [] preferences page
+- [ ] preferences page
- [] change password
+- [x] change password
- [] fail2ban integration
+- [ ] fail2ban integration
 - [ ] dark mode 
 ### Rezepte
- [] nutrition facts
+- [ ] nutrition facts
- [] verify randomize arrays based on day
+- [ ] verify randomize arrays based on day
- [] notes for next time
+- [ ] notes for next time
 ### Abrechnungen
- [] DB setup
+- [ ] DB setup
- [] create new entries
+- [ ] create new entries
- [] delete entries
+- [ ] delete entries
- [] edit entries
+- [ ] edit entries
- [] upload img
+- [ ] upload img
 ### Flims
- [] Calendar layout
+- [ ] Calendar layout
- [] DB setup
+- [ ] DB setup
- [] create new entries
+- [ ] create new entries
- [] delete entries
+- [ ] delete entries
- [] edit entries
+- [ ] edit entries
 ### Glaube
- [] just keep it as MD rendering for now?
+- [ ] just keep it as MD rendering for now?
- [] DB setup
+- [ ] DB setup
- [] Google Speech to Text API integration?
+- [ ] Google Speech to Text API integration?
- [] Gebete
+- [ ] Gebete
 ### Outside of this sveltekit project but planned to run on the server as well
 #### E-Mail
- [] emailwiz setup
+- [ ] emailwiz setup
- [] fail2ban
+- [ ] fail2ban
 ### Dendrite
- [] setup dendrite
+- [ ] setup dendrite
- [] OAuth? -> Everything OAuth or OpenID?
+- [ ] OAuth? -> Everything OAuth or OpenID?
- [] Serve some web-frontend -> Just element?
+- [ ] Serve some web-frontend -> Just element?
 ### Gitea
 - [ ] consistent theming
--- a/src/lib/components/UserHeader.svelte
+++ b/src/lib/components/UserHeader.svelte
@ -130,7 +130,7 @@ h2{
 	<div id=options class="speech top" hidden>
 			<h2>{username}</h2>
 			<ul>
-				<!--<li><a href="/settings">Einstellungen</a></li>-->
+				<li><a href="/settings" >Einstellungen</a></li>
 				<li><a href="/logout" >Log Out</a></li>
 			</ul>
 		</div>
--- a/src/routes/(main)/settings/+page.server.ts
+++ b/src/routes/(main)/settings/+page.server.ts
@ -10,36 +10,26 @@ export const load: PageServerLoad = async ({ locals }) => {
 export const actions: Actions = {
 	change_password: async (event) => {
-		const data = await event.fetch.request.formData()
+    console.log("Changin password")
 	},
 	login: async (event) => {
 		const data = await event.request.formData()
- 		const res = await event.fetch('/api/user/login',
+ 		const res = await event.fetch('/api/user/change_pw',
 	    		{method: 'POST',
 			body: JSON.stringify({
-				username: data.get('username'),
+        username:     data.get('username'),
-				password: data.get('password'),
+				new_password: data.get('new_password'),
 				new_password_rep: data.get('new_password_rep'),
 				old_password: data.get('old_password'),
 			}),
      headers: {
        credentials: 'include',
      }
 			})
-			}
+    if(res.ok){
-			)
+      console.log("OK response")
-	    	const jwt = await res.json()
+    }
-		if(res.ok){
+    else{
-		event.cookies.set("UserSession", jwt, {
+      const item = await res.json()
-			path: "/",
+      throw error(401, item.message) 
-			httpOnly: true,
+    }
-			sameSite: "strict",
+  }
 			secure: process.env.NODE_ENV === "production",
 			maxAge: 60 * 60 * 24 * 7, // 1 week
 		})
 		throw redirect(303, "/")
 		}
 		else{
 			throw error(401, jwt.message)
 		}
 	},
 	logout: async () => {
 		throw redirect(303, "/logout")
 	},
 }
--- a/src/routes/(main)/settings/+page.svelte
+++ b/src/routes/(main)/settings/+page.svelte
@ -1,33 +1,56 @@
 <script>
  import {enhance} from '$app/forms';
 	export let data
  let password;
 	const admin = data.user?.access.includes('admin') ?? false
  import "$lib/css/form.css"
 </script>
 <style>
 input:invalid + div{
  display: none;
 }
 input:valid + div{
  position: absolute;
  color: green;
  bottom: 0.25rem;
  right: -0.25rem;
  font-size: 1.5rem;
  width: 1em;
  height: 1em;
 }
 form label,
 form label input
 {
  position: relative;
 	display: block;
 }
 input.hide{
  display:none;
 }
 </style>
 <section>
 	<h2>Change Profile pictures</h2>
 </section>
 <section>
-	<h2>Change password</h2>
+  <form action="?/change_password" method=POST use:enhance>
-	<form>
+	<h2>Passwort ändern</h2>
    <input type="text" bind:value={data.user.username} class=hide name="username" required> 
 		<label>
 		Altes Passwort:
-			<input type="password" >
+			<input type="password" name="old_password" required>
 		</label>
 		<label>
 		Neues Passwort:
-			<input type="password" >
+			<input type="password" name="new_password" required bind:value={password} minlength=10>
      <div>✔️</div>
 		</label>
 		<label>
 		Neues Passwort wiederholen:
-			<input type="password" >
+			<input type="password" name="new_password_rep" required pattern={password}>
      <div>✔️</div>
 		</label>
    <button type="submit">Ändern</button>
 	</form>
 </section>
--- a/src/routes/api/user/change_pw/+server.ts
+++ b/src/routes/api/user/change_pw/+server.ts
@ -1,6 +1,8 @@
 import type { RequestHandler } from '@sveltejs/kit';
 import { error } from '@sveltejs/kit';
-import { hash }  from 'argon2';
+import { verify }  from 'argon2';
 import { hashPassword } from '$lib/js/hashPassword'
 import {randomBytes} from 'crypto'
 import { PEPPER } from '$env/static/private';
@ -10,31 +12,25 @@ import { dbConnect, dbDisconnect } from '../../../../utils/db';
 // header: use for bearer token for now
 // recipe json in body
 export const POST: RequestHandler = async ({request}) => {
-	const {username, old_password, new_password} = await request.json()
+	const {username, old_password, new_password, new_password_rep} = await request.json()
  if(new_password != new_password_rep){
    throw error(400, 'new passwords do not match!')
  }
 	await dbConnect();
-	const salt = await User.findOne({username: username}, 'salt');
+	const user = await User.findOne({username: username});
-	const pass_hash =  await hashPassword(old_password + PEPPER, salt)
+  console.log("Found user:", user)
-	try{
+  const isMatch = await verify(user.pass_hash, old_password + PEPPER, {salt: user.salt})
-		await User.updateOne({
+  console.log("isMatch:", isMatch)
-				username: username,
+  if(isMatch){
-				pass_hash: pass_hash,
+		const salt = randomBytes(32).toString('hex'); // Generate a random salt
-		})
+    const pass_hash = await hashPassword(new_password + PEPPER, salt)
-	}catch(e){
+    await User.findOneAndUpdate({username: username}, {pass_hash: pass_hash, salt: salt})
-		await dbDisconnect();
+    await dbDisconnect()
-		throw error(400, e);
+	  return new Response(JSON.stringify({message: "Password updated successfully"}),
-	}
+                        {status: 200})
-	await dbDisconnect();
+  }
-	return new Response(JSON.stringify({message: "User added successfully"}),
+  else{
-			    	{status: 200}
+	  await dbDisconnect();
-		);
+    throw error(401, "Wrong old password")
 	}
 };
 async function hashPassword(password, salt) {
  try {
    const hashedPassword = await hash(password, salt); // Hash the password with the salt and pepper
    return hashedPassword;
  } catch (error) {
    console.error('Error hashing password:', error);
  }
 }