From ab7b2d907d2c92180184b10e790d84bb85e04bfe Mon Sep 17 00:00:00 2001
From: Oliver Boehlk
Date: Fri, 15 May 2020 23:15:49 +0200
Subject: [PATCH] add setpassword function backend is #68 ready
---
 backend/index.js | 54 +++++++++++++++++++++++++++++++++---------------
 1 file changed, 37 insertions(+), 17 deletions(-)
diff --git a/backend/index.js b/backend/index.js
index e373d35..faddb94 100644
--- a/backend/index.js
+++ b/backend/index.js
@@ -168,23 +168,23 @@ app.post("/API/user/login", passport.authenticate('local-login'), function (req,
 app.delete("/API/user/logout", function (req, res) {
 req.logout();
 return res.status(status.OK).send("logout success");
-});
+}); !!
-app.put("/API/user/create", function (req, res) {
- let { email, password } = req.body;
- if (email && password) {
- email = mysql.escape(email);
- password = mysql.escape(bcrypt.hashSync(password, saltRounds));
- if (DEBUG) return res.status(status.OK).send();
- connection.query(`INSERT INTO user (deactivated, email, password) values (1, ${email}, ${password})`, function (err, rows) {
- if (err)
- return res.status(status.INTERNAL_SERVER_ERROR).send("the user seems to exist already - if you think this is an error contact the sys admin");
- return res.status(status.OK).send("account successfully created");
- });
- } else {
- return res.status(status.BAD_REQUEST).send("invalid data supplied");
- }
-});
+ app.put("/API/user/create", function (req, res) {
+ let { email, password } = req.body;
+ if (email && password) {
+ email = mysql.escape(email);
+ password = mysql.escape(bcrypt.hashSync(password, saltRounds));
+ if (DEBUG) return res.status(status.OK).send();
+ connection.query(`INSERT INTO user (deactivated, email, password) values (1, ${email}, ${password})`, function (err, rows) {
+ if (err)
+ return res.status(status.INTERNAL_SERVER_ERROR).send("the user seems to exist already - if you think this is an error contact the sys admin");
+ return res.status(status.OK).send("account successfully created");
+ });
+ } else {
+ return res.status(status.BAD_REQUEST).send("invalid data supplied");
+ }
+ });
 app.all("*", function (req, res, next) {
 if (req.isAuthenticated()) {
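Review bot: The `!!` appended to the logout handler's closing `});` looks like an editing artifact rather than an intended change: nothing terminates it, so the parser continues the expression onto the next statement and the whole `app.put("/API/user/create", …)` call becomes the operand of a double negation. The route still registers, but the re-indented create handler that makes up the rest of this hunk is otherwise identical to the removed lines, so the entire hunk appears accidental and should not ship in a commit titled "add setpassword function". Drop the `!!` and the extra leading space so the diff contains only the setpassword work.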
@@ -293,7 +293,7 @@ app.get('/API/resourcelist', function (req, res) {
 return res.send(resourceList);
 });
-app.post("/API/user/setname", function (req, res) {
+app.post("/API/user/setname", async function (req, res) {
 let { email, password } = req.body;
 if (email && password) {
 if (DEBUG) return res.status(status.OK).send();
@@ -314,4 +314,24 @@ app.post("/API/user/setname", function (req, res) {
 }
 });
+app.post("/API/user/setpassword", async function (req, res) {
+ let { oldpassword, newpassword } = req.body;
+ if (oldpassword && newpassword) {
+ if (DEBUG) return res.status(status.OK).send();
+ try {
+ if (!await validatePassword(req.user.email, oldpassword))
+ return res.status(status.UNAUTHORIZED).send("wrong password supplied");
+ } catch (e) {
+ return res.status(status.INTERNAL_SERVER_ERROR).send(e);
+ }
+ connection.query(`UPDATE user SET password = ${mysql.escape(bcrypt.hashSync(newpassword, saltRounds))} WHERE email = ${mysql.escape(req.user.email)}`, function (err, rows) {
+ if (err)
+ return res.status(status.INTERNAL_SERVER_ERROR).send("the username seems invalid or already taken - if you think this is an error contact the sys admin");
+ return res.status(status.OK).send("username changed");
+ });
+ } else {
+ return res.status(status.BAD_REQUEST).send("invalid data supplied");
+ }
+});
+
 app.listen(3001);
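Review bot: In the new `/API/user/setpassword` handler the `catch` branch hands the caught error straight to the client with `res.status(status.INTERNAL_SERVER_ERROR).send(e)`, so whatever `validatePassword` rejects with (a driver error object, a message naming tables or columns) becomes the response body; log it server-side and return a fixed message instead. The query callback's messages were copied from the setname handler: `"the username seems invalid or already taken …"` and `"username changed"` describe the wrong operation for a password update. `bcrypt.hashSync` inside an `async` handler also blocks the event loop for the full cost of the hash; `await bcrypt.hash(newpassword, saltRounds)` avoids that, and because Express does not catch a rejected handler promise the `await` belongs inside the existing `try`. The handler dereferences `req.user.email` without a guard, which is fine only if the `app.all("*")` authentication gate registered earlier in the file covers this route — presumably it does, since the route is registered after it, but worth confirming.

```javascript
app.post("/API/user/setpassword", async function (req, res) {
  // … unchanged: body destructuring, field check, DEBUG short-circuit …
  let hash;
  try {
    if (!await validatePassword(req.user.email, oldpassword))
      return res.status(status.UNAUTHORIZED).send("wrong password supplied");
    hash = mysql.escape(await bcrypt.hash(newpassword, saltRounds));
  } catch (e) {
    console.error("setpassword failed:", e); // detail stays in the server log, not the response
    return res.status(status.INTERNAL_SERVER_ERROR).send("password change failed");
  }
  connection.query(`UPDATE user SET password = ${hash} WHERE email = ${mysql.escape(req.user.email)}`, function (err, rows) {
    if (err)
      return res.status(status.INTERNAL_SERVER_ERROR).send("password could not be changed - if you think this is an error contact the sys admin");
    return res.status(status.OK).send("password changed");
  });
  // … unchanged: else branch returning BAD_REQUEST …
```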