From 9da7bafdcee1bd022b7e47eecf704eb799b389e8 Mon Sep 17 00:00:00 2001
From: Yaswanth Reddy M <yaswanthx.reddy.munukuru@intel.com>
Date: Wed, 17 May 2023 10:47:56 +0000
Subject: [PATCH] Old password input in change password screen

When the user changed their password in profile settings, to prevent
XSS attacks, I added the current password input field to authenticate
the user.

Once the authentication had success with the current password, then
allowing the update was possible. After the password is changed
successfully, all the sessions of the user who changed the password
will be disconnected, including the current session. and the current
session will navigate to the login page.

Signed-off-by: Yaswanth Reddy M <yaswanthx.reddy.munukuru@intel.com>
---
 src/locales/en-US.json                        |  4 +-
 src/views/ProfileSettings/ProfileSettings.vue | 54 +++++++++++++++++--
 2 files changed, 53 insertions(+), 5 deletions(-)

diff --git a/src/locales/en-US.json b/src/locales/en-US.json
index 637f052..8d98abb 100644
--- a/src/locales/en-US.json
+++ b/src/locales/en-US.json
@@ -617,6 +617,7 @@
     "confirmPassword": "Confirm new password",
     "defaultUTC": "Default (UTC)",
     "newPassword": "New password",
+    "currentPassword": "Current password",
     "newPassLabelTextInfo": "Password must be between %{min} - %{max} characters",
     "passwordsDoNotMatch": "Passwords do not match",
     "profileInfoTitle": "Profile information",
@@ -625,7 +626,8 @@
     "timezoneDisplayDesc": "Select how time is displayed throughout the application",
     "username": "Username",
     "toast": {
-      "successSaveSettings": "Successfully saved account settings."
+      "successSaveSettings": "Successfully saved account settings.",
+      "wrongCredentials": "Wrong credentials"
     }
   },
   "pageNetwork": {
diff --git a/src/views/ProfileSettings/ProfileSettings.vue b/src/views/ProfileSettings/ProfileSettings.vue
index 35fc800..330fd4a 100644
--- a/src/views/ProfileSettings/ProfileSettings.vue
+++ b/src/views/ProfileSettings/ProfileSettings.vue
@@ -23,6 +23,21 @@
           <page-section
             :section-title="$t('pageProfileSettings.changePassword')"
           >
+            <b-form-group
+              id="input-group-0"
+              :label="$t('pageProfileSettings.currentPassword')"
+              label-for="input-0"
+            >
+              <input-password-toggle>
+                <b-form-input
+                  id="old-password"
+                  v-model="form.currentPassword"
+                  type="password"
+                  data-test-id="profileSettings-input-ocurrentPassword"
+                  class="form-control-with-button"
+                />
+              </input-password-toggle>
+            </b-form-group>
             <b-form-group
               id="input-group-1"
               :label="$t('pageProfileSettings.newPassword')"
@@ -151,6 +166,7 @@ export default {
       form: {
         newPassword: '',
         confirmPassword: '',
+        currentPassword: '',
         isUtcDisplay: this.$store.getters['global/isUtcDisplay'],
       },
     };
@@ -198,9 +214,12 @@ export default {
       this.$store
         .dispatch('userManagement/updateUser', userData)
         .then((message) => {
-          (this.form.newPassword = ''), (this.form.confirmPassword = '');
+          (this.form.newPassword = ''),
+            (this.form.confirmPassword = ''),
+            (this.form.currentPassword = '');
           this.$v.$reset();
           this.successToast(message);
+          this.$store.dispatch('authentication/logout');
         })
         .catch(({ message }) => this.errorToast(message));
     },
@@ -212,10 +231,37 @@ export default {
       );
     },
     submitForm() {
-      if (this.form.confirmPassword || this.form.newPassword) {
-        this.saveNewPasswordInputData();
+      if (
+        this.form.confirmPassword &&
+        this.form.newPassword &&
+        this.form.currentPassword
+      ) {
+        this.confirmAuthenticate();
       }
-      this.saveTimeZonePrefrenceData();
+      if (
+        this.$store.getters['global/isUtcDisplay'] != this.form.isUtcDisplay
+      ) {
+        this.saveTimeZonePrefrenceData();
+      }
+    },
+    confirmAuthenticate() {
+      this.$v.form.newPassword.$touch();
+      if (this.$v.$invalid) return;
+
+      const username = this.username;
+      const password = this.form.currentPassword;
+
+      this.$store
+        .dispatch('authentication/login', { username, password })
+        .then(() => {
+          this.saveNewPasswordInputData();
+        })
+        .catch(() => {
+          this.$v.$reset();
+          this.errorToast(
+            this.$t('pageProfileSettings.toast.wrongCredentials')
+          );
+        });
     },
   },
 };
-- 
2.25.1