feat: validate old password before updating password (#152)

labring · Jul 1, 2022 · 2f2e84e · 2f2e84e
1 parent 60cdda9
commit 2f2e84e
Showing 1 changed file with 40 additions and 33 deletions.
diff --git a/packages/system-server/src/handler/account/resetPassword.ts b/packages/system-server/src/handler/account/resetPassword.ts
@@ -2,63 +2,70 @@
  * @Author: Maslow<wangfugen@126.com>
  * @Date: 2021-07-30 10:30:29
  * @LastEditTime: 2021-12-07 13:54:45
- * @Description: 
+ * @Description:
  */
 
-import { Request, Response } from 'express'
-import { DatabaseAgent } from '../../db'
-import { CN_ACCOUNTS } from '../../constants'
-import { ObjectId } from 'mongodb'
-import { hashPassword } from '../../support/util-passwd'
-
+import { Request, Response } from "express";
+import { DatabaseAgent } from "../../db";
+import { CN_ACCOUNTS } from "../../constants";
+import { ObjectId } from "mongodb";
+import { hashPassword } from "../../support/util-passwd";
 
 /**
  * The handler of editing account
  */
 export async function handleResetPassword(req: Request, res: Response) {
-  const uid = req['auth']?.uid
-  const db = DatabaseAgent.db
+  const uid = req["auth"]?.uid;
+  const db = DatabaseAgent.db;
 
   // check if params valid
-  const { accountId, password } = req.body
-  if (!uid)
-    return res.status(401).send()
-
-
+  const { accountId, password, oldPassword } = req.body;
+  if (!uid) return res.status(401).send();
 
   // check if uid valid
-  const account = await db.collection(CN_ACCOUNTS)
-    .findOne({ _id: new ObjectId(accountId) })
+  const account = await db
+    .collection(CN_ACCOUNTS)
+    .findOne({ _id: new ObjectId(accountId) });
 
   if (!account) {
-    return res.status(422).send('account not found')
+    return res.status(422).send("account not found");
   }
 
-  if (!password)
-    return res.send({ error: 'password cannot be empty' })
+  if (oldPassword) {
+    return res.send({ error: "oldPassword cannot be empty" });
+  }
 
-  // update account
-  const data = {
-    updated_at: new Date()
+  if (!password) {
+    return res.send({ error: "password cannot be empty" });
   }
 
-  data['password'] = hashPassword(password)
+  if (account.password !== hashPassword(oldPassword)) {
+    return res.send({ error: "oldPassword is wrong" });
+  }
+
+  // update account
+  const data = {
+    updated_at: new Date(),
+  };
 
+  data["password"] = hashPassword(password);
 
   // update name if provided
 
-  const r = await db.collection(CN_ACCOUNTS)
-    .updateOne({
-      _id: new ObjectId(accountId)
-    }, {
-      $set: data
-    })
+  const r = await db.collection(CN_ACCOUNTS).updateOne(
+    {
+      _id: new ObjectId(accountId),
+    },
+    {
+      $set: data,
+    }
+  );
 
   return res.send({
     code: 0,
     data: {
       ...r,
-      accountId
-    }
-  })
-}
+      accountId,
+    },
+  });
+}