#267. Change password on profile page.

Author: sys27

Pyro.Api/Pyro.ApiTests/Clients/IdentityClient.cs

@@ -38,6 +38,9 @@ public async Task UnlockUser(string login)
     public async Task ActivateUser(ActivateUserRequest request)
         => await Post($"/api/users/activate", request);
 
+    public async Task ChangePassword(ChangePasswordRequest request)
+        => await Post("/api/users/change-password", request);
+
     public async Task<IReadOnlyList<AccessTokenResponse>?> GetAccessTokens()
         => await Get<IReadOnlyList<AccessTokenResponse>>("/api/users/access-tokens");
 

Pyro.Api/Pyro.ApiTests/Tests/UserTests.cs

@@ -91,6 +91,36 @@ public async Task CreateGetUpdateUser()
         });
     }
 
+    [Test]
+    public async Task ChangePassword()
+    {
+        var login = faker.Internet.Email();
+        var createRequest = new CreateUserRequest(
+            login,
+            ["Admin"]);
+        await client.CreateUser(createRequest);
+
+        var message = Api.Smtp.WaitForMessage(x => x.To == login) ??
+                      throw new InvalidOperationException("The message was not found.");
+        var token = message.GetToken();
+        var password = faker.Random.Hash();
+        var activateUserRequest = new ActivateUserRequest(token, password);
+        await client.ActivateUser(activateUserRequest);
+
+        using var identityClient = new IdentityClient(Api.BaseAddress);
+        await identityClient.Login(login, password);
+
+        var newPassword = faker.Random.Hash();
+        var changePasswordRequest = new ChangePasswordRequest(password, newPassword);
+        await identityClient.ChangePassword(changePasswordRequest);
+        await identityClient.Logout();
+
+        await identityClient.Login(login, newPassword);
+        var user = identityClient.GetUser(login);
+
+        Assert.That(user, Is.Not.Null);
+    }
+
     [Test]
     public async Task CreateGetDeleteAccessToken()
     {

Pyro.Api/Pyro.Contracts/Requests/Identity/ChangePasswordRequest.cs

@@ -0,0 +1,6 @@
+// Copyright (c) Dmytro Kyshchenko. All rights reserved.
+// Licensed under the GPL-3.0 license. See LICENSE file in the project root for full license information.
+
+namespace Pyro.Contracts.Requests.Identity;
+
+public record ChangePasswordRequest(string OldPassword, string NewPassword);

Pyro.Api/Pyro.Domain.Identity.UnitTests/Models/UserTests.cs

@@ -270,4 +270,44 @@ public void ActivateUser()
             Assert.That(user.OneTimePasswords, Is.Empty);
         });
     }
+
+    [Test]
+    public void ChangeIncorrectPassword()
+    {
+        const string oldPassword = "password";
+
+        var passwordService = new PasswordService(TimeProvider.System);
+        var (passwordHash, salt) = passwordService.GeneratePasswordHash(oldPassword);
+        var user = new User
+        {
+            Login = "test@localhost.local",
+            Password = passwordHash,
+            Salt = salt,
+        };
+
+        Assert.Throws<DomainException>(() => user.ChangePassword(passwordService, "incorrect", "newPassword"));
+    }
+
+    [Test]
+    public void ChangePassword()
+    {
+        const string oldPassword = "password";
+
+        var passwordService = new PasswordService(TimeProvider.System);
+        var (passwordHash, salt) = passwordService.GeneratePasswordHash(oldPassword);
+        var user = new User
+        {
+            Login = "test@localhost.local",
+            Password = passwordHash,
+            Salt = salt,
+        };
+
+        user.ChangePassword(passwordService, oldPassword, "newPassword");
+
+        Assert.Multiple(() =>
+        {
+            Assert.That(user.Password, Is.Not.EqualTo(passwordHash));
+            Assert.That(user.Salt, Is.Not.EqualTo(salt));
+        });
+    }
 }

Pyro.Api/Pyro.Domain.Identity/Commands/ChangePassword.cs

@@ -0,0 +1,50 @@
+// Copyright (c) Dmytro Kyshchenko. All rights reserved.
+// Licensed under the GPL-3.0 license. See LICENSE file in the project root for full license information.
+
+using FluentValidation;
+using MediatR;
+using Pyro.Domain.Shared.CurrentUserProvider;
+using Pyro.Domain.Shared.Exceptions;
+
+namespace Pyro.Domain.Identity.Commands;
+
+public record ChangePassword(string OldPassword, string NewPassword) : IRequest;
+
+public class ChangePasswordValidator : AbstractValidator<ChangePassword>
+{
+    public ChangePasswordValidator()
+    {
+        RuleFor(x => x.OldPassword)
+            .NotEmpty();
+
+        RuleFor(x => x.NewPassword)
+            .NotEmpty()
+            .MinimumLength(8);
+    }
+}
+
+public class ChangePasswordHandler : IRequestHandler<ChangePassword>
+{
+    private readonly ICurrentUserProvider currentUserProvider;
+    private readonly IUserRepository userRepository;
+    private readonly IPasswordService passwordService;
+
+    public ChangePasswordHandler(
+        ICurrentUserProvider currentUserProvider,
+        IUserRepository userRepository,
+        IPasswordService passwordService)
+    {
+        this.currentUserProvider = currentUserProvider;
+        this.userRepository = userRepository;
+        this.passwordService = passwordService;
+    }
+
+    public async Task Handle(ChangePassword request, CancellationToken cancellationToken)
+    {
+        var currentUser = currentUserProvider.GetCurrentUser();
+        var user = await userRepository.GetUserById(currentUser.Id, cancellationToken) ??
+                   throw new NotFoundException($"The user (Id: {currentUser.Id}) not found");
+
+        user.ChangePassword(passwordService, request.OldPassword, request.NewPassword);
+    }
+}

Pyro.Api/Pyro.Domain.Identity/Models/User.cs

@@ -40,7 +40,7 @@ public IReadOnlyList<byte> Password
         get => password;
 
         [MemberNotNull(nameof(password))]
-        init
+        set
         {
             if (value is null)
                 throw new DomainValidationException("Password cannot be null.");
@@ -57,7 +57,7 @@ public IReadOnlyList<byte> Salt
         get => salt;
 
         [MemberNotNull(nameof(salt))]
-        init
+        set
         {
             if (value is null)
                 throw new DomainValidationException("Salt cannot be null.");
@@ -143,6 +143,16 @@ public void DeleteAccessToken(string name)
         accessTokens.Remove(accessToken);
     }
 
+    public void ChangePassword(IPasswordService passwordService, string oldPassword, string newPassword)
+    {
+        if (!passwordService.VerifyPassword(oldPassword, password, salt))
+            throw new DomainException("The old password is incorrect.");
+
+        var (newPasswordHash, newSalt) = passwordService.GeneratePasswordHash(newPassword);
+        Password = newPasswordHash;
+        Salt = newSalt;
+    }
+
     public void AddOneTimePassword(OneTimePassword oneTimePassword)
     {
         if (oneTimePasswords.Any(x => x.Token == oneTimePassword.Token))

Pyro.Api/Pyro/DtoMappings/IdentityMapper.cs

@@ -40,6 +40,8 @@ public static partial class IdentityMapper
 
     public static partial ActivateUser ToCommand(this ActivateUserRequest request);
 
+    public static partial ChangePassword ToCommand(this ChangePasswordRequest request);
+
     [MapProperty([nameof(JwtTokenPair.AccessToken), nameof(Token.Value)], nameof(TokenPairResponse.AccessToken))]
     [MapProperty([nameof(JwtTokenPair.RefreshToken), nameof(Token.Value)], nameof(TokenPairResponse.RefreshToken))]
     public static partial TokenPairResponse ToResponse(this JwtTokenPair jwtTokenPair);

Pyro.Api/Pyro/Endpoints/IdentityEndpoints.cs

@@ -182,6 +182,26 @@ private static IEndpointRouteBuilder MapUserEndpoints(this IEndpointRouteBuilder
             .WithName("Activate User")
             .WithOpenApi();
 
+        usersBuilder.MapPost("/change-password", async (
+                IMediator mediator,
+                UnitOfWork unitOfWork,
+                ChangePasswordRequest request,
+                CancellationToken cancellationToken) =>
+            {
+                var command = request.ToCommand();
+                await mediator.Send(command, cancellationToken);
+                await unitOfWork.SaveChangesAsync(cancellationToken);
+
+                return Results.Ok();
+            })
+            .Produces(200)
+            .ProducesValidationProblem()
+            .Produces(401)
+            .Produces(403)
+            .ProducesProblem(500)
+            .WithName("Change Password")
+            .WithOpenApi();
+
         var accessTokenBuilder = usersBuilder.MapGroup("/access-tokens")
             .WithTags("Access Tokens");
 

Pyro.Api/Pyro/Extensions/SpaExtensions.cs

@@ -7,23 +7,26 @@ namespace Pyro.Extensions;
 
 internal static class SpaExtensions
 {
-    public static IServiceCollection AddSpa(this IServiceCollection services)
+    public static IHostApplicationBuilder AddSpa(this IHostApplicationBuilder builder)
     {
-        var fileServerOptions = new FileServerOptions
+        if (!builder.Environment.IsDevelopment())
         {
-            EnableDefaultFiles = true,
-            EnableDirectoryBrowsing = false,
-            FileProvider = new PhysicalFileProvider(Path.Combine(Directory.GetCurrentDirectory(), "wwwroot")),
-            DefaultFilesOptions =
+            var fileServerOptions = new FileServerOptions
             {
-                DefaultFileNames = ["index.html"],
-            },
-        };
-        services.AddSingleton(fileServerOptions);
-        services.AddSingleton(fileServerOptions.DefaultFilesOptions);
-        services.AddSingleton(fileServerOptions.StaticFileOptions);
-
-        return services;
+                EnableDefaultFiles = true,
+                EnableDirectoryBrowsing = false,
+                FileProvider = new PhysicalFileProvider(Path.Combine(Directory.GetCurrentDirectory(), "wwwroot")),
+                DefaultFilesOptions =
+                {
+                    DefaultFileNames = ["index.html"],
+                },
+            };
+            builder.Services.AddSingleton(fileServerOptions);
+            builder.Services.AddSingleton(fileServerOptions.DefaultFilesOptions);
+            builder.Services.AddSingleton(fileServerOptions.StaticFileOptions);
+        }
+
+        return builder;
     }
 
     public static IApplicationBuilder UseSpa(this IApplicationBuilder app)

Pyro.Api/Pyro/Program.cs

@@ -55,7 +55,7 @@
     .AddOpenBehavior(typeof(ValidatorPipeline<,>)));
 
 builder.Services.AddAuth();
-builder.Services.AddSpa();
+builder.AddSpa();
 
 var app = builder.Build();