diff --git a/src/main/ldap.go b/src/main/ldap.go index 1782c83..e1b6f56 100644 --- a/src/main/ldap.go +++ b/src/main/ldap.go @@ -133,6 +133,41 @@ func modifyLDAPAttribute(server *LDAPServer, userDN string, attribute string, da return nil } +func changeLDAPPassword(server *LDAPServer, userDN, oldPassword, newPassword string) error { + logging.Infof("Changing LDAP password for %s", userDN) + + if server == nil || server.Connection == nil { + return fmt.Errorf("LDAP connection not initialized") + } + + // Ensure connection is alive + if server.Connection.IsClosing() { + if err := reconnectToLDAPServer(server); err != nil { + return err + } + } + + // Bind as the user (required for FreeIPA self-password change) + err := server.Connection.Bind(userDN, oldPassword) + if err != nil { + logging.Errorf("Failed to bind as user: %s", err.Error()) + return err + } + + // Perform password modify extended operation + _, err = server.Connection.PasswordModify(&ldap.PasswordModifyRequest{ + UserIdentity: userDN, + OldPassword: oldPassword, + NewPassword: newPassword, + }) + if err != nil { + logging.Errorf("Password modify failed: %s", err.Error()) + return err + } + logging.Infof("Password successfully changed for %s", userDN) + return nil +} + func closeLDAPServer(server *LDAPServer) { if server != nil && server.Connection != nil { logging.Debug("Closing connection to LDAP server") diff --git a/src/main/main.go b/src/main/main.go index d3b5df3..cd30983 100644 --- a/src/main/main.go +++ b/src/main/main.go @@ -309,46 +309,62 @@ func cleanupSessions() { } } -// func changePasswordHandler(w http.ResponseWriter, r *http.Request) { -// exist, sessionData := validateSession(r) -// if !exist { -// http.Redirect(w, r, "/login", http.StatusSeeOther) -// return -// } -// err := r.ParseMultipartForm(10 << 20) // 10MB limit -// if err != nil { -// http.Error(w, "Bad request", http.StatusBadRequest) -// return -// } +func changePasswordHandler(w http.ResponseWriter, r *http.Request) { + w.Header().Set("Content-Type", "application/json") -// if r.FormValue("csrf_token") != sessionData.CSRFToken { -// http.Error(w, "CSRF Forbidden", http.StatusForbidden) -// return -// } + exist, sessionData := validateSession(r) + if !exist { + w.WriteHeader(http.StatusUnauthorized) + w.Write([]byte(`{"success": false, "error": "Not authenticated"}`)) + return + } -// file, header, err := r.FormFile("photo") -// if err != nil { -// http.Error(w, "File not found", http.StatusBadRequest) -// return -// } -// defer file.Close() -// if header.Size > (10 * 1024 * 1024) { -// http.Error(w, "File is to large (limit is 10 MB)", http.StatusBadRequest) -// return -// } + err := r.ParseMultipartForm(10 << 20) + if err != nil { + w.WriteHeader(http.StatusBadRequest) + w.Write([]byte(`{"success": false, "error": "Bad request"}`)) + return + } -// // 3. Read file into memory -// data, err := io.ReadAll(file) -// if err != nil { -// http.Error(w, "Failed to read file", http.StatusInternalServerError) -// return -// } -// userDN := fmt.Sprintf("uid=%s,cn=users,cn=accounts,%s", sessionData.data.Username, serverConfig.LDAPConfig.BaseDN) -// ldapServerMutex.Lock() -// defer ldapServerMutex.Unlock() -// modifyLDAPAttribute(ldapServer, userDN, "jpegphoto", []string{string(data)}) -// createUserPhoto(sessionData.data.Username, data) -// } + if r.FormValue("csrf_token") != sessionData.CSRFToken { + w.WriteHeader(http.StatusForbidden) + w.Write([]byte(`{"success": false, "error": "CSRF Forbidden"}`)) + return + } + + oldPassword := r.FormValue("old_password") + newPassword := r.FormValue("new_password") + newPasswordRepeat := r.FormValue("new_password_repeat") + + if newPassword != newPasswordRepeat { + w.WriteHeader(http.StatusBadRequest) + w.Write([]byte(`{"success": false, "error": "Passwords do not match"}`)) + return + } + + userDN := fmt.Sprintf( + "uid=%s,cn=users,cn=accounts,%s", + sessionData.data.Username, + serverConfig.LDAPConfig.BaseDN, + ) + + err = changeLDAPPassword(ldapServer, userDN, oldPassword, newPassword) + if err != nil { + w.WriteHeader(http.StatusInternalServerError) + + if strings.Contains(err.Error(), "Invalid Credentials") { + w.Write([]byte(`{"success": false, "error": "Current password incorrect"}`)) + } else if strings.Contains(err.Error(), "Too soon to change password") { + w.Write([]byte(`{"success": false, "error": "Too soon to change password"}`)) + } else { + w.Write([]byte(`{"success": false, "error": "Internal error"}`)) + } + return + } + + w.WriteHeader(http.StatusOK) + w.Write([]byte(`{"success": true}`)) +} func main() { logging.Info("Starting the server") @@ -380,6 +396,7 @@ func main() { HandleFunc("/avatar", avatarHandler) HandleFunc("/change-photo", uploadPhotoHandler) + HandleFunc("/change-password", changePasswordHandler) HandleFunc("/", func(w http.ResponseWriter, r *http.Request) { http.Redirect(w, r, "/profile", http.StatusFound) // 302 redirect diff --git a/src/pages/profile_page.html b/src/pages/profile_page.html index ca40b2b..e61bd42 100644 --- a/src/pages/profile_page.html +++ b/src/pages/profile_page.html @@ -205,12 +205,12 @@ method: "POST", body: formData, }) - .then((res) => res.json()) - .then((data) => { - // handle success - }) - .catch((err) => { - displayError("Something went wrong"); + .then(async (res) => { + const data = await res.json(); + if (!res.ok) { + throw new Error(data.error || "Request failed"); + } + return data; }) .then((data) => { document @@ -219,6 +219,9 @@ document .getElementById("popup_background") .classList.add("hidden"); + }) + .catch((err) => { + displayError(err.message); }); });