commit: 09dcb2b5227d797363d350f4e9ee2f54e1e31af2
parent c45b3bde949bbbd6b8d6de30022c1d1e5b99dc44
Author: Haelwenn (lanodan) Monnier <contact@hacktivis.me>
Date: Tue, 10 Aug 2021 19:42:03 +0200
TwitterAPI: Make change_password require body params instead of query
Closes: https://git.pleroma.social/pleroma/pleroma/-/issues/2740
Diffstat:
3 files changed, 60 insertions(+), 63 deletions(-)
diff --git a/lib/pleroma/web/api_spec/operations/twitter_util_operation.ex b/lib/pleroma/web/api_spec/operations/twitter_util_operation.ex
@@ -8,6 +8,8 @@ defmodule Pleroma.Web.ApiSpec.TwitterUtilOperation do
alias Pleroma.Web.ApiSpec.Schemas.ApiError
alias Pleroma.Web.ApiSpec.Schemas.BooleanLike
+ import Pleroma.Web.ApiSpec.Helpers
+
def open_api_operation(action) do
operation = String.to_existing_atom("#{action}_operation")
apply(__MODULE__, operation, [])
@@ -63,17 +65,7 @@ defmodule Pleroma.Web.ApiSpec.TwitterUtilOperation do
summary: "Change account password",
security: [%{"oAuth" => ["write:accounts"]}],
operationId: "UtilController.change_password",
- parameters: [
- Operation.parameter(:password, :query, :string, "Current password", required: true),
- Operation.parameter(:new_password, :query, :string, "New password", required: true),
- Operation.parameter(
- :new_password_confirmation,
- :query,
- :string,
- "New password, confirmation",
- required: true
- )
- ],
+ requestBody: request_body("Parameters", change_password_request(), required: true),
responses: %{
200 =>
Operation.response("Success", "application/json", %Schema{
@@ -86,6 +78,23 @@ defmodule Pleroma.Web.ApiSpec.TwitterUtilOperation do
}
end
+ defp change_password_request do
+ %Schema{
+ title: "ChangePasswordRequest",
+ description: "POST body for changing the account's passowrd",
+ type: :object,
+ required: [:password, :new_password, :new_password_confirmation],
+ properties: %{
+ password: %Schema{type: :string, description: "Current password"},
+ new_password: %Schema{type: :string, description: "New password"},
+ new_password_confirmation: %Schema{
+ type: :string,
+ description: "New password, confirmation"
+ }
+ }
+ }
+ end
+
def change_email_operation do
%Operation{
tags: ["Account credentials"],
diff --git a/lib/pleroma/web/twitter_api/controllers/util_controller.ex b/lib/pleroma/web/twitter_api/controllers/util_controller.ex
@@ -81,17 +81,13 @@ defmodule Pleroma.Web.TwitterAPI.UtilController do
end
end
- def change_password(%{assigns: %{user: user}} = conn, %{
- password: password,
- new_password: new_password,
- new_password_confirmation: new_password_confirmation
- }) do
- case CommonAPI.Utils.confirm_current_password(user, password) do
+ def change_password(%{assigns: %{user: user}, body_params: body_params} = conn, %{}) do
+ case CommonAPI.Utils.confirm_current_password(user, body_params.password) do
{:ok, user} ->
with {:ok, _user} <-
User.reset_password(user, %{
- password: new_password,
- password_confirmation: new_password_confirmation
+ password: body_params.new_password,
+ password_confirmation: body_params.new_password_confirmation
}) do
json(conn, %{status: "success"})
else
diff --git a/test/pleroma/web/twitter_api/util_controller_test.exs b/test/pleroma/web/twitter_api/util_controller_test.exs
@@ -356,15 +356,12 @@ defmodule Pleroma.Web.TwitterAPI.UtilControllerTest do
conn =
conn
|> assign(:token, nil)
- |> post(
- "/api/pleroma/change_password?#{
- URI.encode_query(%{
- password: "hi",
- new_password: "newpass",
- new_password_confirmation: "newpass"
- })
- }"
- )
+ |> put_req_header("content-type", "multipart/form-data")
+ |> post("/api/pleroma/change_password", %{
+ "password" => "hi",
+ "new_password" => "newpass",
+ "new_password_confirmation" => "newpass"
+ })
assert json_response_and_validate_schema(conn, 403) == %{
"error" => "Insufficient permissions: write:accounts."
@@ -373,16 +370,13 @@ defmodule Pleroma.Web.TwitterAPI.UtilControllerTest do
test "with proper permissions and invalid password", %{conn: conn} do
conn =
- post(
- conn,
- "/api/pleroma/change_password?#{
- URI.encode_query(%{
- password: "hi",
- new_password: "newpass",
- new_password_confirmation: "newpass"
- })
- }"
- )
+ conn
+ |> put_req_header("content-type", "multipart/form-data")
+ |> post("/api/pleroma/change_password", %{
+ "password" => "hi",
+ "new_password" => "newpass",
+ "new_password_confirmation" => "newpass"
+ })
assert json_response_and_validate_schema(conn, 200) == %{"error" => "Invalid password."}
end
@@ -392,16 +386,13 @@ defmodule Pleroma.Web.TwitterAPI.UtilControllerTest do
conn: conn
} do
conn =
- post(
- conn,
- "/api/pleroma/change_password?#{
- URI.encode_query(%{
- password: "test",
- new_password: "newpass",
- new_password_confirmation: "notnewpass"
- })
- }"
- )
+ conn
+ |> put_req_header("content-type", "multipart/form-data")
+ |> post("/api/pleroma/change_password", %{
+ "password" => "test",
+ "new_password" => "newpass",
+ "new_password_confirmation" => "notnewpass"
+ })
assert json_response_and_validate_schema(conn, 200) == %{
"error" => "New password does not match confirmation."
@@ -412,12 +403,13 @@ defmodule Pleroma.Web.TwitterAPI.UtilControllerTest do
conn: conn
} do
conn =
- post(
- conn,
- "/api/pleroma/change_password?#{
- URI.encode_query(%{password: "test", new_password: "", new_password_confirmation: ""})
- }"
- )
+ conn
+ |> put_req_header("content-type", "multipart/form-data")
+ |> post("/api/pleroma/change_password", %{
+ password: "test",
+ new_password: "",
+ new_password_confirmation: ""
+ })
assert json_response_and_validate_schema(conn, 200) == %{
"error" => "New password can't be blank."
@@ -429,15 +421,15 @@ defmodule Pleroma.Web.TwitterAPI.UtilControllerTest do
user: user
} do
conn =
- post(
- conn,
- "/api/pleroma/change_password?#{
- URI.encode_query(%{
- password: "test",
- new_password: "newpass",
- new_password_confirmation: "newpass"
- })
- }"
+ conn
+ |> put_req_header("content-type", "multipart/form-data")
+ |> post(
+ "/api/pleroma/change_password",
+ %{
+ password: "test",
+ new_password: "newpass",
+ new_password_confirmation: "newpass"
+ }
)
assert json_response_and_validate_schema(conn, 200) == %{"status" => "success"}
