fix: option to skip current password check when changing password

Author: annahassel

schemas/updatePassword.json

@@ -38,6 +38,10 @@
         "remoteip": {
             "type": "string",
             "format": "ipv4"
+        },
+        "noCurrentPasswordCheck": {
+            "type": "boolean",
+            "default": false
         }
     }
 }

src/actions/updatePassword.js

@@ -37,7 +37,8 @@ async function usernamePasswordReset(service, username, currentPassword) {
   ]);
 
   // if no password is not allowed - it will throw on hasPassword above
-  if (internalData.password) {
+  // @TODO tests
+  if (internalData.password && currentPassword !== false) {
     await scrypt.verify(internalData.password, currentPassword);
   }
 
@@ -71,14 +72,15 @@ async function setPassword(service, userId, password) {
  * @apiParam (Payload) {String} [resetToken] - must be present if `username` or `currentPassword` is not
  * @apiParam (Payload) {String} newPassword - password will be changed to this
  * @apiParam (Payload) {Boolean} [invalidateTokens=false] - if set to `true` will invalidate issued tokens
+ * @apiParam (Payload) {Boolean} [noCurrentPasswordCheck=false] - disable checking of current password
  * @apiParam (Payload) {String} [remoteip] - will be used for rate limiting if supplied
  */
 async function updatePassword(request) {
   const { config, redis, tokenManager } = this;
   if (!config.noPasswordCheck && !request.params.currentPassword) {
     throw new HttpStatusError(400, 'must have required property currentPassword');
   }
-  const { newPassword: password, remoteip = false } = request.params;
+  const { newPassword: password, noCurrentPasswordCheck, remoteip = false } = request.params;
   const invalidateTokens = !!request.params.invalidateTokens;
   const loginRateLimiter = new UserLoginRateLimiter(redis, config.rateLimiters.userLogin);
 
@@ -98,7 +100,7 @@ async function updatePassword(request) {
       throw Forbidden;
     }
   } else {
-    userId = await usernamePasswordReset(this, request.params.username, request.params.currentPassword);
+    userId = await usernamePasswordReset(this, request.params.username, noCurrentPasswordCheck ? false : request.params.currentPassword);
   }
 
   // update password

src/custom/phone-rate-limiter.js

@@ -10,16 +10,29 @@ const ErrorCaptchaConfigInvalid = new HttpStatusError(500, 'Invalid reCAPTCHA co
 const ErrorCaptchaInvalid = new HttpStatusError(400, 'Captcha invalid');
 const ErrorCaptchaRequired = new HttpStatusError(412, 'Captcha required');
 const ErrorIpRequired = new HttpStatusError(400, 'IP address required');
-const ErrorLockLimit = new HttpStatusError(403, 'Lock limit');
-const ErrorTotalLimit = new HttpStatusError(403, 'Total limit');
+
+const ErrorLockLimit = (reset) => {
+  const error = new HttpStatusError(403, 'Lock limit');
+
+  error.code = 'E_LOCK_LIMIT';
+  error.detail = { reset };
+
+  return error;
+};
+const ErrorTotalLimit = (reset) => {
+  const error = new HttpStatusError(403, 'Total limit');
+
+  error.code = 'E_TOTAL_LIMIT';
+  error.detail = { reset };
+
+  return error;
+};
 
 const ErrorCaptchaError = (error) => new HttpStatusError(500, `Captcha error: ${error.message}`);
 
 ErrorCaptchaInvalid.code = 'E_CAPTCHA_INVALID';
 ErrorCaptchaRequired.code = 'E_CAPTCHA_REQUIRED';
 ErrorIpRequired.code = 'E_IP_REQUIRED';
-ErrorLockLimit.code = 'E_LOCK_LIMIT';
-ErrorTotalLimit.code = 'E_TOTAL_LIMIT';
 
 const actionUsernameParamNameMap = {
   'disposable-password': ['id', 'challengeType', 'remoteip'],
@@ -92,7 +105,7 @@ const checkTotalLimit = async (service) => {
     await createTotalLimiter(service).check(totalRateLimiterKey);
   } catch (error) {
     if (error instanceof KeyIpRateLimiter.RateLimitError) {
-      throw ErrorTotalLimit;
+      throw ErrorTotalLimit(error.reset);
     }
 
     throw error;
@@ -104,7 +117,7 @@ const checkLockLimit = async (service, username, remoteIp) => {
     await createLockLimiter(service).check(username, remoteIp);
   } catch (error) {
     if (error instanceof KeyIpRateLimiter.RateLimitError) {
-      throw ErrorLockLimit;
+      throw ErrorLockLimit(error.reset);
     }
 
     throw error;

test/suites/actions/update-password.js

@@ -74,6 +74,24 @@ describe('#updatePassword', function updatePasswordSuite() {
         });
     });
 
+    it('should not be able to update password without current password', async function test() {
+      const params = { username, newPassword: 'zzz' };
+
+      await assert.rejects(
+        () => this.users.dispatch('updatePassword', { params }),
+        /password arg must be present/
+      );
+    });
+
+    it('should be able to update password without current password with noCurrentPasswordCheck', async function test() {
+      const params = { username, newPassword: 'zzz', noCurrentPasswordCheck: true };
+
+      return this.users.dispatch('updatePassword', { params })
+        .then((updatePassword) => {
+          assert.deepEqual(updatePassword, { success: true });
+        });
+    });
+
     describe('token', function tokenSuite() {
       beforeEach(async function pretest() {
         const data = await challenge.call(this.users, 'email', {