Add API view for changing current user password

2020-02-12 17:32:18 -06:00 · 2020-02-12 17:32:18 -06:00 · 5e028ce547
parent da16f25cf2
commit 5e028ce547
1 changed files with 30 additions and 2 deletions
--- a/tailbone/api/auth.py
+++ b/tailbone/api/auth.py
@ -2,7 +2,7 @@
 ################################################################################
 #
 #  Rattail -- Retail Software Framework
-#  Copyright © 2010-2018 Lance Edgar
+#  Copyright © 2010-2020 Lance Edgar
 #
 #  This file is part of Rattail.
 #
@ -26,7 +26,7 @@ Tailbone Web API - Auth Views

 from __future__ import unicode_literals, absolute_import

-from rattail.db.auth import authenticate_user
+from rattail.db.auth import authenticate_user, set_user_password

 from tailbone.api import APIView, api
 from tailbone.db import Session
@ -139,6 +139,30 @@ class AuthenticationView(APIView):
            'user': self.get_user_info(self.request.user),
        }

+    @api
+    def change_password(self):
+        """
+        View which allows a user to change their password.
+        """
+        if self.request.method == 'OPTIONS':
+            return self.request.response
+
+        if not self.request.user:
+            raise self.forbidden()
+
+        data = self.request.json_body
+
+        # first make sure "current" password is accurate
+        if not authenticate_user(Session(), self.request.user, data['current_password']):
+            return {'error': "The current/old password you provided is incorrect"}
+
+        # okay then, set new password
+        set_user_password(self.request.user, data['new_password'])
+        return {
+            'ok': True,
+            'user': self.get_user_info(self.request.user),
+        }
+
    @classmethod
    def defaults(cls, config):
        cls._auth_defaults(config)
@ -166,6 +190,10 @@ class AuthenticationView(APIView):
        config.add_route('api.stop_root', '/stop-root', request_method=('OPTIONS', 'POST'))
        config.add_view(cls, attr='stop_root', route_name='api.stop_root', renderer='json')

+        # change password
+        config.add_route('api.change_password', '/change-password', request_method=('OPTIONS', 'POST'))
+        config.add_view(cls, attr='change_password', route_name='api.change_password', renderer='json')
+

 def includeme(config):
    AuthenticationView.defaults(config)