From 51bc89dfb7fb5aa7557cd5b41dca5a76f70df5cd Mon Sep 17 00:00:00 2001
From: leandrofars
Date: Wed, 30 Oct 2024 09:25:39 -0300
Subject: [PATCH] feat(controller): validate new user password + only allow to change own user password

---
 .../services/controller/internal/api/user.go | 17 +++++++----------
 1 file changed, 7 insertions(+), 10 deletions(-)

diff --git a/backend/services/controller/internal/api/user.go b/backend/services/controller/internal/api/user.go
index 3e31726..9103e93 100644
--- a/backend/services/controller/internal/api/user.go
+++ b/backend/services/controller/internal/api/user.go
@@ -135,16 +135,6 @@ func (a *Api) changePassword(w http.ResponseWriter, r *http.Request) {
 return
 }
 
- userToChangePasswd := mux.Vars(r)["user"]
- if userToChangePasswd != "" && userToChangePasswd != email {
- rUser, _ := a.db.FindUser(email)
- if rUser.Level != db.AdminUser {
- w.WriteHeader(http.StatusForbidden)
- return
- }
- email = userToChangePasswd
- }
-
 var user db.User
 err = json.NewDecoder(r.Body).Decode(&user)
 if err != nil {
@@ -154,6 +144,12 @@ func (a *Api) changePassword(w http.ResponseWriter, r *http.Request) {
 }
 user.Email = email
 
+ if len(user.Password) < 8 {
+ w.WriteHeader(http.StatusBadRequest)
+ w.Write([]byte("Password must be at least 8 characters long"))
+ return
+ }
+
 if err := user.HashPassword(user.Password); err != nil {
 w.WriteHeader(http.StatusInternalServerError)
 return
@@ -164,6 +160,7 @@ func (a *Api) changePassword(w http.ResponseWriter, r *http.Request) {
 return
 }
 
+ w.WriteHeader(http.StatusNoContent)
 }
 
 func (a *Api) registerAdminUser(w http.ResponseWriter, r *http.Request) {
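Review bot: With the admin branch removed, a `user` path variable is now silently ignored rather than refused, so if the route registration still declares a `{user}` segment, a request that names another account succeeds but changes the caller's own password, which is a confusing outcome for any client that still sends it. If the segment is kept, reject a mismatch explicitly where the old block stood: `if u := mux.Vars(r)["user"]; u != "" && u != email { w.WriteHeader(http.StatusForbidden); return }`; if it is dropped, remove it from the route registration too so the mux import does not linger unused in this file. changePassword begins before this hunk, and `email` is assigned there, so I cannot see how it is derived from the session.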
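Review bot: The new length check measures bytes, not characters, because `len` on a Go string returns its byte length, so a seven-character password containing one multi-byte rune passes while the message promises a character minimum; `if utf8.RuneCountInString(user.Password) < 8 {` (importing `unicode/utf8`) checks what the message states. On the next line the `w.Write` result is discarded, which vet-style checkers flag; `http.Error(w, "Password must be at least 8 characters long", http.StatusBadRequest)` replaces the two lines, sets the status and a plain-text content type, and keeps the error path conventional. If `HashPassword` is bcrypt-based, consider also capping the input, since bcrypt silently truncates at 72 bytes and an unbounded body otherwise reaches the hash unchecked; I cannot confirm the algorithm from this hunk. changePassword starts and ends outside this hunk.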