adjust password validation

2021-10-09 14:30:41 -05:00 · 2021-10-09 14:30:41 -05:00 · ed27a32cff
parent a080c3017a
commit ed27a32cff
2 changed files with 22 additions and 17 deletions
--- a/src/Handler/AccountSettings.hs
+++ b/src/Handler/AccountSettings.hs
@ -34,17 +34,23 @@ getChangePasswordR = do

 postChangePasswordR :: Handler Html
 postChangePasswordR = do
-  userId <- requireAuthId
-  mauthuname <- maybeAuthUsername
-  mresult <- runInputPostResult ((,) <$> ireq textField "oldpassword" <*> ireq textField "newpassword")
-  case (mauthuname, mresult) of
-    (Just uname, FormSuccess (old, new)) -> do
-      muser <- runDB (authenticatePassword uname old)
-      case muser of
-        Just _ -> do 
-          new' <- liftIO (hashPassword new)
-          void $ runDB (update userId [UserPasswordHash CP.=. new'])
-          setMessage "Password Changed Successfully"
-        _ -> setMessage "Incorrect Old Password"
+  (userId, user) <- requireAuthPair
+  runInputPostResult ((,) <$> ireq textField "oldpassword" <*> ireq textField "newpassword") >>= \case
+    FormSuccess (old, new) -> do
+      runDB (authenticatePassword (userName user) old) >>= \case
+        Nothing -> setMessage "Incorrect Old Password"
+        Just _ -> validateNewPassword new >>= \case
+          Just newValid -> do
+            newHash <- liftIO (hashPassword newValid)
+            void $ runDB (update userId [UserPasswordHash CP.=. newHash])
+            setMessage "Password Changed Successfully"
+          _ -> pure ()
    _ -> setMessage "Missing Required Fields"
  redirect ChangePasswordR
+
+validateNewPassword :: Text -> Handler (Maybe Text)
+validateNewPassword = \case
+    new | length new < 6 -> do
+          setMessage "Password must be at least 6 characters long"
+          pure Nothing
+    new -> pure $ Just new
--- a/src/Model.hs
+++ b/src/Model.hs
@ -148,13 +148,12 @@ sqliteGroupConcat expr sep = unsafeSqlFunction "GROUP_CONCAT" [expr, sep]

 authenticatePassword :: Text -> Text -> DB (Maybe (Entity User))
 authenticatePassword username password = do
-  muser <- getBy (UniqueUserName username)
-  case muser of
-    Nothing -> return Nothing
+  getBy (UniqueUserName username) >>= \case
+    Nothing -> pure Nothing
    Just dbuser ->
      if validatePasswordHash (userPasswordHash (entityVal dbuser)) password
-        then return (Just dbuser)
-        else return Nothing
+        then pure (Just dbuser)
+        else pure Nothing

 getUserByName :: UserNameP -> DB (Maybe (Entity User))
 getUserByName (UserNameP uname) =