@@ -266,18 +266,15 @@ namespace AyaNova.Api.Controllers
{
//Note: need to be authenticated to use this, only called from own user's UI
//it still asks for old creds in case someone attempts to do this on another user's logged in session
//Also it checks here that this is in fact the same user account calling this method as the user attempting to be modified
if (!serverState.IsOpen)
return StatusCode(503, new ApiErrorResponse(serverState.ApiErrorCode, null, serverState.Reason));
if (!ModelState.IsValid)
{
return BadRequest(new ApiErrorResponse(ModelState));
}
int nFailedAuthDelay = 3000;//should be just long enough to make brute force a hassle but short enough to not annoy people who just mistyped their creds to login
if (string.IsNullOrWhiteSpace(changecreds.OldPassword) || string.IsNullOrWhiteSpace(changecreds.LoginName))
{
//Make a failed pw wait
@@ -286,16 +283,10 @@ namespace AyaNova.Api.Controllers
}
if (string.IsNullOrWhiteSpace(changecreds.NewPassword))
{
return BadRequest(new ApiErrorResponse(ApiErrorCode.VALIDATION_REQUIRED, "NewPassword"));
}
if (changecreds.NewPassword != changecreds.ConfirmPassword)
{
return BadRequest(new ApiErrorResponse(ApiErrorCode.VALIDATION_INVALID_VALUE, "ConfirmPassword", "NewPassword does not match ConfirmPassword"));
}
//Multiple users are allowed the same password and login
//Salt will differentiate them so get all users that match login, then try to match pw
@@ -310,10 +301,18 @@ namespace AyaNova.Api.Controllers
//If the user is inactive they may not login
if (!u.Active)
{
//respond like bad creds so as not to leak information
//respond like bad creds so as not to leak information
await Task.Delay(nFailedAuthDelay);
return StatusCode(401, new ApiErrorResponse(ApiErrorCode.AUTHENTICATION_FAILED));
}
//double check it's the currently logged in User's own User object only
//otherwise it's feasible someone could change someone else's password through their own change password form with a mis-type or intentional hack
if (u.Id != UserIdFromContext.Id(HttpContext.Items))
{
await Task.Delay(nFailedAuthDelay);
return StatusCode(401, new ApiErrorResponse(ApiErrorCode.AUTHENTICATION_FAILED));
}
//fetch and update user
//Instantiate the business object handler
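Review bot: The comment `//respond like bad creds so as not to leak information` is printed twice in a row inside the `if (!u.Active)` branch of the third hunk; the rendering has lost the +/- markers, so if both copies are on the new side one of them should be dropped. The inactive-user branch and the `u.Id != UserIdFromContext.Id(HttpContext.Items)` branch both wait `nFailedAuthDelay` and return the same 401 `AUTHENTICATION_FAILED` body, which is the property that keeps the failure paths indistinguishable to the caller, so it is worth stating once above the branches, e.g. `// Every auth failure below shares the same delay and response so the paths cannot be told apart`, instead of per branch. `nFailedAuthDelay` is a local literal (`int nFailedAuthDelay = 3000;`) in the first hunk; a named class-level constant such as `private const int FailedAuthDelayMs = 3000;` would document its role, and since the delay only slows the one request that failed it should not be the sole brute-force control — presumably a separate rate limit exists, which cannot be confirmed from these hunks. The enclosing method starts and ends outside the hunks shown.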