password change UI (#543) (#548)

internal/app/api/v0/backend/user_service.go

@@ -2,6 +2,8 @@ package backend
 
 import (
 	"context"
+	"fmt"
+	"strings"
 
 	"github.com/h44z/wg-portal/internal/config"
 	"github.com/h44z/wg-portal/internal/domain"
@@ -70,6 +72,44 @@ func (u UserService) DeactivateApi(ctx context.Context, id domain.UserIdentifier
 	return u.users.DeactivateApi(ctx, id)
 }
 
+func (u UserService) ChangePassword(ctx context.Context, id domain.UserIdentifier, oldPassword, newPassword string) (*domain.User, error) {
+	oldPassword = strings.TrimSpace(oldPassword)
+	newPassword = strings.TrimSpace(newPassword)
+
+	if newPassword == "" {
+		return nil, fmt.Errorf("new password must not be empty")
+	}
+
+	// ensure that the new password is different from the old one
+	if oldPassword == newPassword {
+		return nil, fmt.Errorf("new password must be different from the old one")
+	}
+
+	user, err := u.users.GetUser(ctx, id)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get user: %w", err)
+	}
+
+	// ensure that the user uses the database backend; otherwise we can't change the password
+	if user.Source != domain.UserSourceDatabase {
+		return nil, fmt.Errorf("user source %s does not support password changes", user.Source)
+	}
+
+	// validate old password
+	if user.CheckPassword(oldPassword) != nil {
+		return nil, fmt.Errorf("current password is invalid")
+	}
+
+	user.Password = domain.PrivateString(newPassword)
+
+	// ensure that the new password is strong enough
+	if err := user.HasWeakPassword(u.cfg.Auth.MinPasswordLength); err != nil {
+		return nil, err
+	}
+
+	return u.users.UpdateUser(ctx, user)
+}
+
 func (u UserService) GetUserPeers(ctx context.Context, id domain.UserIdentifier) ([]domain.Peer, error) {
 	return u.wg.GetUserPeers(ctx, id)
 }