[mod] password change: Anpassungen

source/api/actions/member_password_change_execute.ts

@@ -13,7 +13,12 @@ namespace _espe.api
 				token : string;
 				password_new : string;
 			},
-			null
+			Array<
+				{
+					incident : string;
+					details : Record<string, any>;
+				}
+			>
 		>(
 			rest_subject,
 			lib_plankton.http.enum_method.patch,
@@ -41,20 +46,53 @@ namespace _espe.api
 					]
 				}),
 				"output_schema": () => ({
+					"nullable": false,
+					"type": "array",
+					"items": {
+						"nullable": false,
+						"type": "object",
+						"properties": {
+							"incident": {
+								"nullable": false,
+								"type": "string"
+							},
+							"details": {
+								"nullable": false,
+								"type": "object",
+								"properties": {},
+								"additionalProperties": {
 									"nullable": true
+								},
+								"required": []
+							},
+						},
+						"additionalProperties": false,
+						"required": [
+							"incident",
+							"details",
+						]
+					}
 				}),
 				"restriction": restriction_none,
-				"execution": async ({"path_parameters": path_parameters, "input": input}) => {
+				"execution": ({"path_parameters": path_parameters, "input": input}) => {
 					const member_id : _espe.type.member_id = parseInt(path_parameters["id"]);
-					await _espe.service.member.password_change_execute(
+					return (
+						_espe.service.member.password_change_execute(
 							member_id,
 							input.token,
 							input.password_new
+						)
+						.then(
+							flaws => Promise.resolve({
+								"status_code": (
+									(flaws.length <= 0)
+									? 200
+									: 409
+								),
+								"data": flaws
+							})
+						)
 					);
-					return Promise.resolve({
-						"status_code": 200,
-						"data": null
-					});
 				},
 			}
 		)

source/services/member.ts

@@ -573,7 +573,8 @@ namespace _espe.service.member
 						};
 						await _espe.repository.member.update(member_id, member_object_new);
 						// notify_change();
-						await _espe.helpers.email_send(
+						// do NOT wait in order to reduce information for potential attackers
+						/*await*/ _espe.helpers.email_send(
 							[
 								member_object_old.email_address_private,
 							],
@@ -581,7 +582,7 @@ namespace _espe.service.member
 							lib_plankton.string.coin(
 								_espe.conf.get().settings.password_change.initialization_email.body,
 								{
-									"name": member_object_old.name_real_value,
+									"name": name_display(member_object_old),
 									"url": lib_plankton.string.coin(
 										"{{base}}{{rest}}",
 										{
@@ -614,10 +615,15 @@ namespace _espe.service.member
 		member_id : _espe.type.member_id,
 		token : string,
 		password_new : string
-	) : Promise<void>
+	) : Promise<Array<{incident : string; details : Record<string, any>;}>>
 	{
 		const member_object_old : _espe.type.member_object = await _espe.repository.member.read(member_id);
-		if (! (token === member_object_old.password_change_token)) {
+		let flaws : Array<{incident : string; details : Record<string, any>;}> = [];
+		if (
+			(member_object_old.password_change_token === null)
+			||
+			(! (token === member_object_old.password_change_token))
+		) {
 			lib_plankton.log.notice(
 				"member_password_change_token_invalid",
 				{
@@ -625,7 +631,15 @@ namespace _espe.service.member
 					"token_sent": token,
 				}
 			);
-			throw (new Error("password change token is invalid"));
+			flaws.push({"incident": "token_invalid", "details": {}});
+		}
+		else {
+			flaws = flaws.concat(
+				validate_password(password_new)
+				.map(flaw => ({"incident": ("password_" + flaw.incident), "details": flaw.details}))
+			);
+			if (flaws.length > 0) {
+				// do nothing
 			}
 			else {
 				const member_object_new : _espe.type.member_object = {
@@ -653,11 +667,14 @@ namespace _espe.service.member
 					lib_plankton.string.coin(
 						_espe.conf.get().settings.password_change.execution_email.body,
 						{
+							"name": name_display(member_object_old),
 						}
 					)
 				);
 			}
 		}
+		return flaws;
+	}
 	
 	
 	/*