diff --git a/tailbone/api/auth.py b/tailbone/api/auth.py
index 4306da78..05123818 100644
--- a/tailbone/api/auth.py
+++ b/tailbone/api/auth.py
@@ -2,7 +2,7 @@
 ################################################################################
 #
 # Rattail -- Retail Software Framework
-# Copyright © 2010-2018 Lance Edgar
+# Copyright © 2010-2020 Lance Edgar
 #
 # This file is part of Rattail.
 #
@@ -26,7 +26,7 @@ Tailbone Web API - Auth Views
 from __future__ import unicode_literals, absolute_import
-from rattail.db.auth import authenticate_user
+from rattail.db.auth import authenticate_user, set_user_password
 from tailbone.api import APIView, api
 from tailbone.db import Session
@@ -139,6 +139,30 @@ class AuthenticationView(APIView):
             'user': self.get_user_info(self.request.user),
         }
+    @api
+    def change_password(self):
+        """
+        View which allows a user to change their password.
+        """
+        if self.request.method == 'OPTIONS':
+            return self.request.response
+        if not self.request.user:
+            raise self.forbidden()
+        data = self.request.json_body
+        # first make sure "current" password is accurate
+        if not authenticate_user(Session(), self.request.user, data['current_password']):
+            return {'error': "The current/old password you provided is incorrect"}
+        # okay then, set new password
+        set_user_password(self.request.user, data['new_password'])
+        return {
+            'ok': True,
+            'user': self.get_user_info(self.request.user),
+        }
     @classmethod
     def defaults(cls, config):
         cls._auth_defaults(config)
@@ -166,6 +190,10 @@ class AuthenticationView(APIView):
         config.add_route('api.stop_root', '/stop-root', request_method=('OPTIONS', 'POST'))
         config.add_view(cls, attr='stop_root', route_name='api.stop_root', renderer='json')
+        # change password
+        config.add_route('api.change_password', '/change-password', request_method=('OPTIONS', 'POST'))
+        config.add_view(cls, attr='change_password', route_name='api.change_password', renderer='json')
 def includeme(config):
     AuthenticationView.defaults(config)
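Review bot: In `change_password`, `data['current_password']` and `data['new_password']` raise KeyError when a field is absent from the JSON body, so a malformed request produces a server error instead of the `{'error': ...}` response the view otherwise returns; the same is true of an empty `new_password`, which is passed straight to `set_user_password` with no check. Pulling both fields out with `.get()` and rejecting missing or empty values before the `authenticate_user` call keeps the failure inside the view's own error contract. The current-password check is a good defense-in-depth step, but nothing visible here invalidates other sessions or tokens for the user after the change — if the API uses bearer tokens elsewhere in this file, that is worth confirming as a follow-up. Hunk 4 only registers the route and needs no change.
```python
        data = self.request.json_body or {}
        current = data.get('current_password')
        new = data.get('new_password')
        if not current or not new:
            return {'error': "Both current_password and new_password are required"}

        # first make sure "current" password is accurate
        if not authenticate_user(Session(), self.request.user, current):
            return {'error': "The current/old password you provided is incorrect"}

        # okay then, set new password
        set_user_password(self.request.user, new)
        # … unchanged: success response …
```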