Mirrors/wg-portal
1
0
Fork 0
mirror of https://github.com/h44z/wg-portal.git synced 2025-10-17 13:16:18 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

password change UI (#543) (#548)

Browse Source
This commit is contained in:
h44z
2025-10-15 21:11:40 +02:00
committed by GitHub
parent 139fb17f98
commit 3d923b328e
9 changed files with 459 additions and 178 deletions
Download Patch File Download Diff File Expand all files Collapse all files

36
internal/app/api/core/assets/doc/v0_swagger.json
View File

@@ -1550,6 +1550,38 @@
}
}
},
"/user/{id}/change-password": {
"post": {
"produces": [
"application/json"
],
"tags": [
"Users"
],
"summary": "Change the password for the given user.",
"operationId": "users_handleChangePasswordPost",
"responses": {
"200": {
"description": "OK",
"schema": {
"$ref": "#/definitions/model.User"
}
},
"400": {
"description": "Bad Request",
"schema": {
"$ref": "#/definitions/model.Error"
}
},
"500": {
"description": "Internal Server Error",
"schema": {
"$ref": "#/definitions/model.Error"
}
}
}
}
},
"/user/{id}/interfaces": {
"get": {
"produces": [
@@ -2159,6 +2191,10 @@
}
]
},
"UserDisplayName": {
"description": "the owner display name",
"type": "string"
},
"UserIdentifier": {
"description": "the owner",
"type": "string"

24
internal/app/api/core/assets/doc/v0_swagger.yaml
View File

@@ -322,6 +322,9 @@ definitions:
allOf:
- $ref: '#/definitions/model.ConfigOption-string'
description: the routing table
UserDisplayName:
description: the owner display name
type: string
UserIdentifier:
description: the owner
type: string
@@ -1442,6 +1445,27 @@ paths:
summary: Enable the REST API for the given user.
tags:
- Users
/user/{id}/change-password:
post:
operationId: users_handleChangePasswordPost
produces:
- application/json
responses:
"200":
description: OK
schema:
$ref: '#/definitions/model.User'
"400":
description: Bad Request
schema:
$ref: '#/definitions/model.Error'
"500":
description: Internal Server Error
schema:
$ref: '#/definitions/model.Error'
summary: Change the password for the given user.
tags:
- Users
/user/{id}/interfaces:
get:
operationId: users_handleInterfacesGet

276
internal/app/api/core/assets/doc/v1_swagger.json
View File

@@ -17,11 +17,6 @@
"paths": {
"/interface/all": {
"get": {
"security": [
{
"BasicAuth": []
}
],
"produces": [
"application/json"
],
@@ -52,16 +47,16 @@
"$ref": "#/definitions/models.Error"
}
}
}
}
},
"/interface/by-id/{id}": {
"get": {
},
"security": [
{
"BasicAuth": []
}
],
]
}
},
"/interface/by-id/{id}": {
"get": {
"produces": [
"application/json"
],
@@ -110,14 +105,14 @@
"$ref": "#/definitions/models.Error"
}
}
}
},
"put": {
},
"security": [
{
"BasicAuth": []
}
],
]
},
"put": {
"description": "This endpoint updates an existing interface with the provided data. All required fields must be filled (e.g. name, private key, public key, ...).",
"produces": [
"application/json"
@@ -182,14 +177,14 @@
"$ref": "#/definitions/models.Error"
}
}
}
},
"delete": {
},
"security": [
{
"BasicAuth": []
}
],
]
},
"delete": {
"produces": [
"application/json"
],
@@ -241,16 +236,16 @@
"$ref": "#/definitions/models.Error"
}
}
}
}
},
"/interface/new": {
"post": {
},
"security": [
{
"BasicAuth": []
}
],
]
}
},
"/interface/new": {
"post": {
"description": "This endpoint creates a new interface with the provided data. All required fields must be filled (e.g. name, private key, public key, ...).",
"produces": [
"application/json"
@@ -308,16 +303,16 @@
"$ref": "#/definitions/models.Error"
}
}
}
}
},
"/interface/prepare": {
"get": {
},
"security": [
{
"BasicAuth": []
}
],
]
}
},
"/interface/prepare": {
"get": {
"description": "This endpoint returns a new interface with default values (fresh key pair, valid name, new IP address pool, ...).",
"produces": [
"application/json"
@@ -352,16 +347,16 @@
"$ref": "#/definitions/models.Error"
}
}
}
}
},
"/metrics/by-interface/{id}": {
"get": {
},
"security": [
{
"BasicAuth": []
}
],
]
}
},
"/metrics/by-interface/{id}": {
"get": {
"produces": [
"application/json"
],
@@ -410,16 +405,16 @@
"$ref": "#/definitions/models.Error"
}
}
}
}
},
"/metrics/by-peer/{id}": {
"get": {
},
"security": [
{
"BasicAuth": []
}
],
]
}
},
"/metrics/by-peer/{id}": {
"get": {
"produces": [
"application/json"
],
@@ -468,16 +463,16 @@
"$ref": "#/definitions/models.Error"
}
}
}
}
},
"/metrics/by-user/{id}": {
"get": {
},
"security": [
{
"BasicAuth": []
}
],
]
}
},
"/metrics/by-user/{id}": {
"get": {
"produces": [
"application/json"
],
@@ -526,16 +521,16 @@
"$ref": "#/definitions/models.Error"
}
}
}
}
},
"/peer/by-id/{id}": {
"get": {
},
"security": [
{
"BasicAuth": []
}
],
]
}
},
"/peer/by-id/{id}": {
"get": {
"description": "Normal users can only access their own records. Admins can access all records.",
"produces": [
"application/json"
@@ -585,14 +580,14 @@
"$ref": "#/definitions/models.Error"
}
}
}
},
"put": {
},
"security": [
{
"BasicAuth": []
}
],
]
},
"put": {
"description": "Only admins can update existing records. The peer record must contain all required fields (e.g., public key, allowed IPs).",
"produces": [
"application/json"
@@ -657,14 +652,14 @@
"$ref": "#/definitions/models.Error"
}
}
}
},
"delete": {
},
"security": [
{
"BasicAuth": []
}
],
]
},
"delete": {
"produces": [
"application/json"
],
@@ -716,16 +711,16 @@
"$ref": "#/definitions/models.Error"
}
}
}
}
},
"/peer/by-interface/{id}": {
"get": {
},
"security": [
{
"BasicAuth": []
}
],
]
}
},
"/peer/by-interface/{id}": {
"get": {
"produces": [
"application/json"
],
@@ -765,16 +760,16 @@
"$ref": "#/definitions/models.Error"
}
}
}
}
},
"/peer/by-user/{id}": {
"get": {
},
"security": [
{
"BasicAuth": []
}
],
]
}
},
"/peer/by-user/{id}": {
"get": {
"description": "Normal users can only access their own records. Admins can access all records.",
"produces": [
"application/json"
@@ -815,16 +810,16 @@
"$ref": "#/definitions/models.Error"
}
}
}
}
},
"/peer/new": {
"post": {
},
"security": [
{
"BasicAuth": []
}
],
]
}
},
"/peer/new": {
"post": {
"description": "Only admins can create new records. The peer record must contain all required fields (e.g., public key, allowed IPs).",
"produces": [
"application/json"
@@ -882,16 +877,16 @@
"$ref": "#/definitions/models.Error"
}
}
}
}
},
"/peer/prepare/{id}": {
"get": {
},
"security": [
{
"BasicAuth": []
}
],
]
}
},
"/peer/prepare/{id}": {
"get": {
"description": "This endpoint is used to prepare a new peer record. The returned data contains a fresh key pair and valid ip address.",
"produces": [
"application/json"
@@ -947,16 +942,16 @@
"$ref": "#/definitions/models.Error"
}
}
}
}
},
"/provisioning/data/peer-config": {
"get": {
},
"security": [
{
"BasicAuth": []
}
],
]
}
},
"/provisioning/data/peer-config": {
"get": {
"description": "Normal users can only access their own record. Admins can access all records.",
"produces": [
"text/plain",
@@ -1013,16 +1008,16 @@
"$ref": "#/definitions/models.Error"
}
}
}
}
},
"/provisioning/data/peer-qr": {
"get": {
},
"security": [
{
"BasicAuth": []
}
],
]
}
},
"/provisioning/data/peer-qr": {
"get": {
"description": "Normal users can only access their own record. Admins can access all records.",
"produces": [
"image/png",
@@ -1079,16 +1074,16 @@
"$ref": "#/definitions/models.Error"
}
}
}
}
},
"/provisioning/data/user-info": {
"get": {
},
"security": [
{
"BasicAuth": []
}
],
]
}
},
"/provisioning/data/user-info": {
"get": {
"description": "Normal users can only access their own record. Admins can access all records.",
"produces": [
"application/json"
@@ -1149,16 +1144,16 @@
"$ref": "#/definitions/models.Error"
}
}
}
}
},
"/provisioning/new-peer": {
"post": {
},
"security": [
{
"BasicAuth": []
}
],
]
}
},
"/provisioning/new-peer": {
"post": {
"description": "Normal users can only create new peers if self provisioning is allowed. Admins can always add new peers.",
"produces": [
"application/json"
@@ -1216,16 +1211,16 @@
"$ref": "#/definitions/models.Error"
}
}
}
}
},
"/user/all": {
"get": {
},
"security": [
{
"BasicAuth": []
}
],
]
}
},
"/user/all": {
"get": {
"produces": [
"application/json"
],
@@ -1256,16 +1251,16 @@
"$ref": "#/definitions/models.Error"
}
}
}
}
},
"/user/by-id/{id}": {
"get": {
},
"security": [
{
"BasicAuth": []
}
],
]
}
},
"/user/by-id/{id}": {
"get": {
"description": "Normal users can only access their own record. Admins can access all records.",
"produces": [
"application/json"
@@ -1315,14 +1310,14 @@
"$ref": "#/definitions/models.Error"
}
}
}
},
"put": {
},
"security": [
{
"BasicAuth": []
}
],
]
},
"put": {
"description": "Only admins can update existing records.",
"produces": [
"application/json"
@@ -1387,14 +1382,14 @@
"$ref": "#/definitions/models.Error"
}
}
}
},
"delete": {
},
"security": [
{
"BasicAuth": []
}
],
]
},
"delete": {
"produces": [
"application/json"
],
@@ -1446,16 +1441,16 @@
"$ref": "#/definitions/models.Error"
}
}
}
}
},
"/user/new": {
"post": {
},
"security": [
{
"BasicAuth": []
}
],
]
}
},
"/user/new": {
"post": {
"description": "Only admins can create new records.",
"produces": [
"application/json"
@@ -1513,7 +1508,12 @@
"$ref": "#/definitions/models.Error"
}
}
}
},
"security": [
{
"BasicAuth": []
}
]
}
}
},

40
internal/app/api/v0/backend/user_service.go
View File

@@ -2,6 +2,8 @@ package backend
import (
"context"
"fmt"
"strings"
"github.com/h44z/wg-portal/internal/config"
"github.com/h44z/wg-portal/internal/domain"
@@ -70,6 +72,44 @@ func (u UserService) DeactivateApi(ctx context.Context, id domain.UserIdentifier
return u.users.DeactivateApi(ctx, id)
}
func (u UserService) ChangePassword(ctx context.Context, id domain.UserIdentifier, oldPassword, newPassword string) (*domain.User, error) {
oldPassword = strings.TrimSpace(oldPassword)
newPassword = strings.TrimSpace(newPassword)
if newPassword == "" {
return nil, fmt.Errorf("new password must not be empty")
}
// ensure that the new password is different from the old one
if oldPassword == newPassword {
return nil, fmt.Errorf("new password must be different from the old one")
}
user, err := u.users.GetUser(ctx, id)
if err != nil {
return nil, fmt.Errorf("failed to get user: %w", err)
}
// ensure that the user uses the database backend; otherwise we can't change the password
if user.Source != domain.UserSourceDatabase {
return nil, fmt.Errorf("user source %s does not support password changes", user.Source)
}
// validate old password
if user.CheckPassword(oldPassword) != nil {
return nil, fmt.Errorf("current password is invalid")
}
user.Password = domain.PrivateString(newPassword)
// ensure that the new password is strong enough
if err := user.HasWeakPassword(u.cfg.Auth.MinPasswordLength); err != nil {
return nil, err
}
return u.users.UpdateUser(ctx, user)
}
func (u UserService) GetUserPeers(ctx context.Context, id domain.UserIdentifier) ([]domain.Peer, error) {
return u.wg.GetUserPeers(ctx, id)
}

68
internal/app/api/v0/handlers/endpoint_users.go
View File

@@ -28,6 +28,8 @@ type UserService interface {
ActivateApi(ctx context.Context, id domain.UserIdentifier) (*domain.User, error)
// DeactivateApi disables the API for the user with the given id.
DeactivateApi(ctx context.Context, id domain.UserIdentifier) (*domain.User, error)
// ChangePassword changes the password for the user with the given id.
ChangePassword(ctx context.Context, id domain.UserIdentifier, oldPassword, newPassword string) (*domain.User, error)
// GetUserPeers returns all peers for the given user.
GetUserPeers(ctx context.Context, id domain.UserIdentifier) ([]domain.Peer, error)
// GetUserPeerStats returns all peer stats for the given user.
@@ -75,6 +77,7 @@ func (e UserEndpoint) RegisterRoutes(g *routegroup.Bundle) {
apiGroup.With(e.authenticator.UserIdMatch("id")).HandleFunc("GET /{id}/interfaces", e.handleInterfacesGet())
apiGroup.With(e.authenticator.UserIdMatch("id")).HandleFunc("POST /{id}/api/enable", e.handleApiEnablePost())
apiGroup.With(e.authenticator.UserIdMatch("id")).HandleFunc("POST /{id}/api/disable", e.handleApiDisablePost())
apiGroup.With(e.authenticator.UserIdMatch("id")).HandleFunc("POST /{id}/change-password", e.handleChangePasswordPost())
}
// handleAllGet returns a gorm Handler function.
@@ -391,3 +394,68 @@ func (e UserEndpoint) handleApiDisablePost() http.HandlerFunc {
respond.JSON(w, http.StatusOK, model.NewUser(user, false))
}
}
// handleChangePasswordPost returns a gorm Handler function.
//
// @ID users_handleChangePasswordPost
// @Tags Users
// @Summary Change the password for the given user.
// @Produce json
// @Success 200 {object} model.User
// @Failure 400 {object} model.Error
// @Failure 500 {object} model.Error
// @Router /user/{id}/change-password [post]
func (e UserEndpoint) handleChangePasswordPost() http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
userId := Base64UrlDecode(request.Path(r, "id"))
if userId == "" {
respond.JSON(w, http.StatusBadRequest,
model.Error{Code: http.StatusInternalServerError, Message: "missing id parameter"})
return
}
var passwordData struct {
OldPassword string `json:"OldPassword"`
Password string `json:"Password"`
PasswordRepeat string `json:"PasswordRepeat"`
}
if err := request.BodyJson(r, &passwordData); err != nil {
respond.JSON(w, http.StatusBadRequest, model.Error{Code: http.StatusBadRequest, Message: err.Error()})
return
}
if passwordData.OldPassword == "" {
respond.JSON(w, http.StatusBadRequest,
model.Error{Code: http.StatusBadRequest, Message: "old password missing"})
return
}
if passwordData.Password == "" {
respond.JSON(w, http.StatusBadRequest,
model.Error{Code: http.StatusBadRequest, Message: "new password missing"})
return
}
if passwordData.OldPassword == passwordData.Password {
respond.JSON(w, http.StatusBadRequest,
model.Error{Code: http.StatusBadRequest, Message: "password did not change"})
return
}
if passwordData.Password != passwordData.PasswordRepeat {
respond.JSON(w, http.StatusBadRequest,
model.Error{Code: http.StatusBadRequest, Message: "password mismatch"})
return
}
user, err := e.userService.ChangePassword(r.Context(), domain.UserIdentifier(userId),
passwordData.OldPassword, passwordData.Password)
if err != nil {
respond.JSON(w, http.StatusInternalServerError,
model.Error{Code: http.StatusInternalServerError, Message: err.Error()})
return
}
respond.JSON(w, http.StatusOK, model.NewUser(user, false))
}
}