From 3961422f853934a598a36d3ec10659158affb6ed Mon Sep 17 00:00:00 2001 From: "Haelwenn (lanodan) Monnier" Date: Tue, 10 Aug 2021 19:42:03 +0200 Subject: [PATCH] TwitterAPI: Make change_password require body params instead of query Backport of: https://git.pleroma.social/pleroma/pleroma/-/merge_requests/3503 --- CHANGELOG.md | 1 + .../operations/twitter_util_operation.ex | 31 ++++--- .../controllers/util_controller.ex | 12 +-- .../web/twitter_api/util_controller_test.exs | 80 +++++++++---------- 4 files changed, 61 insertions(+), 63 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0756d5223..14e04c053 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -19,6 +19,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). ### Fixed - MastodonAPI: Stream out Create activities - MRF ObjectAgePolicy: Fix pattern matching on "published" +- TwitterAPI: Make `change_password` require params on body instead of query ## 2.4.0 - 2021-08-08 diff --git a/lib/pleroma/web/api_spec/operations/twitter_util_operation.ex b/lib/pleroma/web/api_spec/operations/twitter_util_operation.ex index 0cafbc719..bc54f1915 100644 --- a/lib/pleroma/web/api_spec/operations/twitter_util_operation.ex +++ b/lib/pleroma/web/api_spec/operations/twitter_util_operation.ex @@ -8,6 +8,8 @@ defmodule Pleroma.Web.ApiSpec.TwitterUtilOperation do alias Pleroma.Web.ApiSpec.Schemas.ApiError alias Pleroma.Web.ApiSpec.Schemas.BooleanLike + import Pleroma.Web.ApiSpec.Helpers + def open_api_operation(action) do operation = String.to_existing_atom("#{action}_operation") apply(__MODULE__, operation, []) @@ -63,17 +65,7 @@ def change_password_operation do summary: "Change account password", security: [%{"oAuth" => ["write:accounts"]}], operationId: "UtilController.change_password", - parameters: [ - Operation.parameter(:password, :query, :string, "Current password", required: true), - Operation.parameter(:new_password, :query, :string, "New password", required: true), - Operation.parameter( - :new_password_confirmation, - :query, - :string, - "New password, confirmation", - required: true - ) - ], + requestBody: request_body("Parameters", change_password_request(), required: true), responses: %{ 200 => Operation.response("Success", "application/json", %Schema{ @@ -86,6 +78,23 @@ def change_password_operation do } end + defp change_password_request do + %Schema{ + title: "ChangePasswordRequest", + description: "POST body for changing the account's passowrd", + type: :object, + required: [:password, :new_password, :new_password_confirmation], + properties: %{ + password: %Schema{type: :string, description: "Current password"}, + new_password: %Schema{type: :string, description: "New password"}, + new_password_confirmation: %Schema{ + type: :string, + description: "New password, confirmation" + } + } + } + end + def change_email_operation do %Operation{ tags: ["Account credentials"], diff --git a/lib/pleroma/web/twitter_api/controllers/util_controller.ex b/lib/pleroma/web/twitter_api/controllers/util_controller.ex index a2e69666e..58a733258 100644 --- a/lib/pleroma/web/twitter_api/controllers/util_controller.ex +++ b/lib/pleroma/web/twitter_api/controllers/util_controller.ex @@ -81,17 +81,13 @@ def update_notificaton_settings(%{assigns: %{user: user}} = conn, params) do end end - def change_password(%{assigns: %{user: user}} = conn, %{ - password: password, - new_password: new_password, - new_password_confirmation: new_password_confirmation - }) do - case CommonAPI.Utils.confirm_current_password(user, password) do + def change_password(%{assigns: %{user: user}, body_params: body_params} = conn, %{}) do + case CommonAPI.Utils.confirm_current_password(user, body_params.password) do {:ok, user} -> with {:ok, _user} <- User.reset_password(user, %{ - password: new_password, - password_confirmation: new_password_confirmation + password: body_params.new_password, + password_confirmation: body_params.new_password_confirmation }) do json(conn, %{status: "success"}) else diff --git a/test/pleroma/web/twitter_api/util_controller_test.exs b/test/pleroma/web/twitter_api/util_controller_test.exs index cc17940b5..fe3d99272 100644 --- a/test/pleroma/web/twitter_api/util_controller_test.exs +++ b/test/pleroma/web/twitter_api/util_controller_test.exs @@ -356,15 +356,12 @@ test "without permissions", %{conn: conn} do conn = conn |> assign(:token, nil) - |> post( - "/api/pleroma/change_password?#{ - URI.encode_query(%{ - password: "hi", - new_password: "newpass", - new_password_confirmation: "newpass" - }) - }" - ) + |> put_req_header("content-type", "multipart/form-data") + |> post("/api/pleroma/change_password", %{ + "password" => "hi", + "new_password" => "newpass", + "new_password_confirmation" => "newpass" + }) assert json_response_and_validate_schema(conn, 403) == %{ "error" => "Insufficient permissions: write:accounts." @@ -373,16 +370,13 @@ test "without permissions", %{conn: conn} do test "with proper permissions and invalid password", %{conn: conn} do conn = - post( - conn, - "/api/pleroma/change_password?#{ - URI.encode_query(%{ - password: "hi", - new_password: "newpass", - new_password_confirmation: "newpass" - }) - }" - ) + conn + |> put_req_header("content-type", "multipart/form-data") + |> post("/api/pleroma/change_password", %{ + "password" => "hi", + "new_password" => "newpass", + "new_password_confirmation" => "newpass" + }) assert json_response_and_validate_schema(conn, 200) == %{"error" => "Invalid password."} end @@ -392,16 +386,13 @@ test "with proper permissions, valid password and new password and confirmation conn: conn } do conn = - post( - conn, - "/api/pleroma/change_password?#{ - URI.encode_query(%{ - password: "test", - new_password: "newpass", - new_password_confirmation: "notnewpass" - }) - }" - ) + conn + |> put_req_header("content-type", "multipart/form-data") + |> post("/api/pleroma/change_password", %{ + "password" => "test", + "new_password" => "newpass", + "new_password_confirmation" => "notnewpass" + }) assert json_response_and_validate_schema(conn, 200) == %{ "error" => "New password does not match confirmation." @@ -412,12 +403,13 @@ test "with proper permissions, valid password and invalid new password", %{ conn: conn } do conn = - post( - conn, - "/api/pleroma/change_password?#{ - URI.encode_query(%{password: "test", new_password: "", new_password_confirmation: ""}) - }" - ) + conn + |> put_req_header("content-type", "multipart/form-data") + |> post("/api/pleroma/change_password", %{ + password: "test", + new_password: "", + new_password_confirmation: "" + }) assert json_response_and_validate_schema(conn, 200) == %{ "error" => "New password can't be blank." @@ -429,15 +421,15 @@ test "with proper permissions, valid password and matching new password and conf user: user } do conn = - post( - conn, - "/api/pleroma/change_password?#{ - URI.encode_query(%{ - password: "test", - new_password: "newpass", - new_password_confirmation: "newpass" - }) - }" + conn + |> put_req_header("content-type", "multipart/form-data") + |> post( + "/api/pleroma/change_password", + %{ + password: "test", + new_password: "newpass", + new_password_confirmation: "newpass" + } ) assert json_response_and_validate_schema(conn, 200) == %{"status" => "success"}