From 653ad6d3aa13037d731d7a3b7cd5d49965007501 Mon Sep 17 00:00:00 2001
From: Jonathan Cobb
Date: Tue, 4 Feb 2020 00:04:30 -0500
Subject: [PATCH] change password now works
---
.../resources/account/AccountsResource.java | 17 +++++++----------
.../bubble/resources/account/MeResource.java | 12 ++++++------
.../email/request/download/account/message.hbs | 4 ++--
.../email/request/password/account/message.hbs | 4 ++--
.../email/request/password/network/message.hbs | 4 ++--
.../post_auth/ResourceMessages.properties | 4 +++-
.../sms/request/download/account/message.hbs | 2 +-
.../sms/request/password/account/message.hbs | 2 +-
.../sms/request/password/network/message.hbs | 2 +-
bubble-web | 2 +-
10 files changed, 26 insertions(+), 27 deletions(-)
diff --git a/bubble-server/src/main/java/bubble/resources/account/AccountsResource.java b/bubble-server/src/main/java/bubble/resources/account/AccountsResource.java
index df817955..421e9f25 100644
--- a/bubble-server/src/main/java/bubble/resources/account/AccountsResource.java
+++ b/bubble-server/src/main/java/bubble/resources/account/AccountsResource.java
@@ -28,7 +28,6 @@ import bubble.service.boot.SelfNodeService;
 import bubble.service.cloud.StandardNetworkService;
 import lombok.extern.slf4j.Slf4j;
 import org.cobbzilla.wizard.auth.ChangePasswordRequest;
-import org.cobbzilla.wizard.model.HashedPassword;
 import org.cobbzilla.wizard.validation.ConstraintViolationBean;
 import org.cobbzilla.wizard.validation.ValidationResult;
 import org.glassfish.grizzly.http.server.Request;
@@ -90,9 +89,9 @@ public class AccountsResource { // regular users must use AuthResource.register if (!c.caller.admin()) return forbidden(); - final ValidationResult errors = new ValidationResult(); if (c.account != null) return invalid("err.user.exists", "User with name "+request.getName()+" already exists", request.getName()); + final ValidationResult errors = new ValidationResult(); final ConstraintViolationBean passwordViolation = validatePassword(request.getPassword()); if (passwordViolation != null) errors.addViolation(passwordViolation); if (!request.hasContact()) { @@ -332,15 +331,9 @@ public class AccountsResource { if (c.caller.getUuid().equals(c.account.getUuid()) || c.account.admin()) { if (policy != null) authenticatorService.ensureAuthenticated(ctx, policy, ActionTarget.account); - if (!c.account.getHashedPassword().isCorrectPassword(request.getOldPassword())) { - return invalid("err.currentPassword.invalid", "current password was invalid", ""); - } } - final ConstraintViolationBean passwordViolation = validatePassword(request.getNewPassword()); - if (passwordViolation != null) return invalid(passwordViolation); - - if (policy != null && !c.caller.admin()) { + if (policy != null) { final AccountMessage forgotPasswordMessage = forgotPasswordMessage(req, c.account, configuration); final List requiredApprovals = policy.getRequiredApprovals(forgotPasswordMessage); final List requiredExternalApprovals = policy.getRequiredExternalApprovals(forgotPasswordMessage); 
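Review bot: A request with a wrong `oldPassword` now reaches `forgotPasswordMessage(...)` and the required-approval handling before it is rejected, because the current-password check is removed from the top of the `@@ -332,15 +331,9 @@` hunk and re-added only after the approval block in the next AccountsResource hunk; MeResource gets the same move. The code between the two hunks is not visible, but if that block sends approval requests to the account's contacts, a caller who holds a session and does not know the password can trigger those messages. If approval-before-password is the intended flow, say so in a comment above `if (policy != null) {` and make sure the approval request path is rate-limited per account. The enclosing method starts and ends outside the hunk.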
@@ -359,7 +352,11 @@ public class AccountsResource { } } - c.account.setHashedPassword(new HashedPassword(request.getNewPassword())); + if (!c.account.getHashedPassword().isCorrectPassword(request.getOldPassword())) { + return invalid("err.currentPassword.invalid", "current password was invalid", ""); + } + final ConstraintViolationBean passwordViolation = validatePassword(request.getNewPassword()); + if (passwordViolation != null) return invalid(passwordViolation); // Update account final Account updated = accountDAO.update(c.account); diff --git a/bubble-server/src/main/java/bubble/resources/account/MeResource.java b/bubble-server/src/main/java/bubble/resources/account/MeResource.java index 271a30a7..309e6660 100644 --- a/bubble-server/src/main/java/bubble/resources/account/MeResource.java +++ b/bubble-server/src/main/java/bubble/resources/account/MeResource.java @@ -129,12 +129,6 @@ public class MeResource { } if (policy != null) authenticatorService.ensureAuthenticated(ctx, ActionTarget.account); - if (!caller.getHashedPassword().isCorrectPassword(request.getOldPassword())) { - return invalid("err.currentPassword.invalid", "current password was invalid", ""); - } - final ConstraintViolationBean passwordViolation = validatePassword(request.getNewPassword()); - if (passwordViolation != null) return invalid(passwordViolation); - if (policy != null) { final AccountMessage forgotPasswordMessage = forgotPasswordMessage(req, caller, configuration); final List requiredApprovals = policy.getRequiredApprovals(forgotPasswordMessage); 
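Review bot: After the `@@ -359,7 +352,11 @@` hunk nothing visible assigns the new password: `c.account.setHashedPassword(new HashedPassword(request.getNewPassword()));` is removed (and the `HashedPassword` import with it in the first hunk), so `accountDAO.update(c.account)` appears to persist the account with its old hash. MeResource keeps `caller.setHashedPassword(...)` after the same checks; unless the password is applied elsewhere, restore the assignment and the import directly after `if (passwordViolation != null) return invalid(passwordViolation);`. The old-password check also now sits outside the `c.caller.getUuid().equals(c.account.getUuid()) || c.account.admin()` branch, so an admin changing a non-admin account's password must supply that account's current password; add a comment if that is intended. The method continues outside the hunk.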
@@ -154,6 +148,12 @@ public class MeResource { } } + if (!caller.getHashedPassword().isCorrectPassword(request.getOldPassword())) { + return invalid("err.currentPassword.invalid", "current password was invalid", ""); + } + final ConstraintViolationBean passwordViolation = validatePassword(request.getNewPassword()); + if (passwordViolation != null) return invalid(passwordViolation); + caller.setHashedPassword(new HashedPassword(request.getNewPassword())); // Update account, and write back to session diff --git a/bubble-server/src/main/resources/message_templates/en_US/email/request/download/account/message.hbs b/bubble-server/src/main/resources/message_templates/en_US/email/request/download/account/message.hbs index 4b88989d..03ac3410 100644 --- a/bubble-server/src/main/resources/message_templates/en_US/email/request/download/account/message.hbs +++ b/bubble-server/src/main/resources/message_templates/en_US/email/request/download/account/message.hbs @@ -9,14 +9,14 @@ The request was made on {{format_epoch message.ctime 'MMM dd, YYYY' network.time If you did not make this request or would like to cancel this request, please click this link: - {{publicUri}}/auth/deny?t={{confirmationToken}} + {{publicUri}}/action?deny={{confirmationToken}} ---------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------- If you DID make this request and want to download your account data, click the link below. - {{publicUri}}/auth/approve?t={{confirmationToken}} + {{publicUri}}/action?approve={{confirmationToken}} ---------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------- 
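Review bot: The approve and deny links in this template now differ only by query-parameter name (`/action?approve={{confirmationToken}}` vs `/action?deny={{confirmationToken}}`) and still carry the confirmation token in the URL, where it can end up in browser history, proxy logs and mail-scanner prefetches. The `/action` handler is not part of this diff; it should require an explicit user confirmation rather than act on a bare GET, and treat the token as single-use and short-lived. The same applies to the other email and SMS templates changed in this commit.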
diff --git a/bubble-server/src/main/resources/message_templates/en_US/email/request/password/account/message.hbs b/bubble-server/src/main/resources/message_templates/en_US/email/request/password/account/message.hbs index da774f51..48641f30 100644 --- a/bubble-server/src/main/resources/message_templates/en_US/email/request/password/account/message.hbs +++ b/bubble-server/src/main/resources/message_templates/en_US/email/request/password/account/message.hbs @@ -9,14 +9,14 @@ The request was made on {{format_epoch message.ctime 'MMM dd, YYYY' network.time If you did not make this request or would like to cancel this request, please click this link: - {{publicUri}}/auth/deny?t={{confirmationToken}} + {{publicUri}}/action?deny={{confirmationToken}} ---------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------- If you DID make this request and are ready to set a new password for your account, click the link below. - {{publicUri}}/auth/approve?t={{confirmationToken}} + {{publicUri}}/action?approve={{confirmationToken}} ---------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------- diff --git a/bubble-server/src/main/resources/message_templates/en_US/email/request/password/network/message.hbs b/bubble-server/src/main/resources/message_templates/en_US/email/request/password/network/message.hbs index e9b163de..5f3fb03e 100644 --- a/bubble-server/src/main/resources/message_templates/en_US/email/request/password/network/message.hbs +++ b/bubble-server/src/main/resources/message_templates/en_US/email/request/password/network/message.hbs 
@@ -9,14 +9,14 @@ The request was made on {{format_epoch message.ctime 'MMM dd, YYYY' network.time If you did not make this request or would like to cancel this request, please click this link: - {{publicUri}}/auth/deny?t={{confirmationToken}} + {{publicUri}}/action?deny={{confirmationToken}} ---------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------- If you DID make this request and would like to view keys for your network, click the link below. - {{publicUri}}/auth/approve?t={{confirmationToken}} + {{publicUri}}/action?approve={{confirmationToken}} ---------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------- diff --git a/bubble-server/src/main/resources/message_templates/en_US/server/post_auth/ResourceMessages.properties b/bubble-server/src/main/resources/message_templates/en_US/server/post_auth/ResourceMessages.properties index fc7eb79e..80b187d1 100644 --- a/bubble-server/src/main/resources/message_templates/en_US/server/post_auth/ResourceMessages.properties +++ b/bubble-server/src/main/resources/message_templates/en_US/server/post_auth/ResourceMessages.properties 
@@ -156,12 +156,14 @@ button_label_create_account=Create Account button_label_delete_account=Delete button_label_force_delete_account=Force Delete -# Change Password page +# Change Password / Set Password pages form_title_change_password=Change Password +form_title_set_password=Set Password field_label_current_password=Current Password field_label_new_password=New Password field_label_new_password_confirm=Confirm New Password button_label_change_password=Set New Password +button_label_set_password=Set New Password button_label_request_password_reset=Request Password Reset message_change_password_external_auth=Changing account password requires approval from these contacts on file: message_change_password_authenticator_auth=Changing account password requires Authenticator password diff --git a/bubble-server/src/main/resources/message_templates/en_US/sms/request/download/account/message.hbs b/bubble-server/src/main/resources/message_templates/en_US/sms/request/download/account/message.hbs index 081ec338..57c49cbd 100644 --- a/bubble-server/src/main/resources/message_templates/en_US/sms/request/download/account/message.hbs +++ b/bubble-server/src/main/resources/message_templates/en_US/sms/request/download/account/message.hbs @@ -1 +1 @@ -{{network.networkDomain}}: Download account {{account.name}} requested: {{publicUri}}/auth/approve?t={{confirmationToken}} \ No newline at end of file +{{network.networkDomain}}: Download account {{account.name}} requested: {{publicUri}}/action?approve={{confirmationToken}} \ No newline at end of file diff --git a/bubble-server/src/main/resources/message_templates/en_US/sms/request/password/account/message.hbs b/bubble-server/src/main/resources/message_templates/en_US/sms/request/password/account/message.hbs index b8e6c01f..1186df83 100644 --- a/bubble-server/src/main/resources/message_templates/en_US/sms/request/password/account/message.hbs 
+++ b/bubble-server/src/main/resources/message_templates/en_US/sms/request/password/account/message.hbs @@ -1 +1 @@ -{{network.networkDomain}}: Reset password: {{publicUri}}/auth/approve?t={{confirmationToken}} \ No newline at end of file +{{network.networkDomain}}: Reset password: {{publicUri}}/action?approve={{confirmationToken}} \ No newline at end of file diff --git a/bubble-server/src/main/resources/message_templates/en_US/sms/request/password/network/message.hbs b/bubble-server/src/main/resources/message_templates/en_US/sms/request/password/network/message.hbs index 2d556438..921a4375 100644 --- a/bubble-server/src/main/resources/message_templates/en_US/sms/request/password/network/message.hbs +++ b/bubble-server/src/main/resources/message_templates/en_US/sms/request/password/network/message.hbs @@ -1 +1 @@ -{{network.networkDomain}}: approve viewing network keys: {{publicUri}}/auth/approve?t={{confirmationToken}} \ No newline at end of file +{{network.networkDomain}}: approve viewing network keys: {{publicUri}}/action?approve={{confirmationToken}} \ No newline at end of file diff --git a/bubble-web b/bubble-web index 194dbc00..fb396f35 160000 --- a/bubble-web +++ b/bubble-web @@ -1 +1 @@ -Subproject commit 194dbc005456a36dc8bbebff2fa7726fa03281a5 +Subproject commit fb396f3541900e24b3e98e5eb32c7af9345b45d6