Add option to change passwords

2025-08-09 20:24:03 +00:00 · 2019-04-22 10:18:17 -05:00
parent 30e567e8b6
commit 64aecba7a0
16 changed files with 168 additions and 0 deletions
--- a/src/invidious.cr
+++ b/src/invidious.cr
@@ -1875,6 +1875,86 @@ post "/data_control" do |env|
  env.redirect referer
 end

+get "/change_password" do |env|
+  locale = LOCALES[env.get("preferences").as(Preferences).locale]?
+
+  user = env.get? "user"
+  sid = env.get? "sid"
+  referer = get_referer(env)
+
+  if user
+    user = user.as(User)
+    sid = sid.as(String)
+    csrf_token = generate_response(sid, {":change_password"}, HMAC_KEY, PG_DB)
+
+    templated "change_password"
+  else
+    env.redirect referer
+  end
+end
+
+post "/change_password" do |env|
+  locale = LOCALES[env.get("preferences").as(Preferences).locale]?
+
+  user = env.get? "user"
+  sid = env.get? "sid"
+  referer = get_referer(env)
+
+  if user
+    user = user.as(User)
+    sid = sid.as(String)
+    token = env.params.body["csrf_token"]?
+
+    # We don't store passwords for Google accounts
+    if !user.password
+      error_message = "Cannot change password for Google accounts"
+      next templated "error"
+    end
+
+    begin
+      validate_request(token, sid, env.request, HMAC_KEY, PG_DB, locale)
+    rescue ex
+      error_message = ex.message
+      env.response.status_code = 400
+      next templated "error"
+    end
+
+    password = env.params.body["password"]?
+    if !password
+      error_message = translate(locale, "Password is a required field")
+      next templated "error"
+    end
+
+    new_passwords = env.params.body.select { |k, v| k.match(/^new_password\[\d+\]$/) }.map { |k, v| v }
+
+    if new_passwords.size <= 1 || new_passwords.uniq.size != 1
+      error_message = translate(locale, "New passwords must match")
+      next templated "error"
+    end
+
+    new_password = new_passwords.uniq[0]
+    if new_password.empty?
+      error_message = translate(locale, "Password cannot be empty")
+      next templated "error"
+    end
+
+    if new_password.size > 55
+      error_message = translate(locale, "Password cannot be longer than 55 characters")
+      next templated "error"
+    end
+
+    if Crypto::Bcrypt::Password.new(user.password.not_nil!) != password
+      error_message = translate(locale, "Incorrect password")
+      next templated "error"
+    end
+
+    new_password = Crypto::Bcrypt::Password.create(new_password, cost: 10)
+    PG_DB.exec("UPDATE users SET password = $1 WHERE email = $2", new_password.to_s, user.email)
+  end
+
+  env.redirect referer
+end
+
 get "/delete_account" do |env|
  locale = LOCALES[env.get("preferences").as(Preferences).locale]?

--- a/src/invidious/views/change_password.ecr
+++ b/src/invidious/views/change_password.ecr
@@ -0,0 +1,32 @@
+<% content_for "header" do %>
+<title><%= translate(locale, "Change password") %> - Invidious</title>
+<% end %>
+
+<div class="pure-g">
+    <div class="pure-u-1 pure-u-lg-1-5"></div>
+    <div class="pure-u-1 pure-u-lg-3-5">
+        <div class="h-box">
+            <form class="pure-form pure-form-aligned" action="/change_password?referer=<%= URI.escape(referer) %>" method="post">
+                <legend><%= translate(locale, "Change password") %></legend>
+
+                <fieldset>
+                    <label for="password"><%= translate(locale, "Password") %> :</label>
+                    <input required class="pure-input-1" name="password" type="password" placeholder="<%= translate(locale, "Password") %>">
+
+                    <label for="new_password[0]"><%= translate(locale, "New password") %> :</label>
+                    <input required class="pure-input-1" name="new_password[0]" type="password" placeholder="<%= translate(locale, "New password") %>">
+
+                    <label for="new_password[1]"><%= translate(locale, "New password") %> :</label>
+                    <input required class="pure-input-1" name="new_password[1]" type="password" placeholder="<%= translate(locale, "New password") %>">
+
+                    <button type="submit" name="action" value="change_password" class="pure-button pure-button-primary">
+                        <%= translate(locale, "Change password") %>
+                    </button>
+
+                    <input type="hidden" name="csrf_token" value="<%= URI.escape(csrf_token) %>">
+                </fieldset>
+            </form>
+        </div>
+    </div>
+    <div class="pure-u-1 pure-u-lg-1-5"></div>
+</div>
--- a/src/invidious/views/preferences.ecr
+++ b/src/invidious/views/preferences.ecr
@@ -213,6 +213,10 @@ function update_value(element) {
                <a href="/clear_watch_history?referer=<%= URI.escape(referer) %>"><%= translate(locale, "Clear watch history") %></a>
            </div>

+            <div class="pure-control-group">
+                <a href="/change_password?referer=<%= URI.escape(referer) %>"><%= translate(locale, "Change password") %></a>
+            </div>
+
            <div class="pure-control-group">
                <a href="/data_control?referer=<%= URI.escape(referer) %>"><%= translate(locale, "Import/export data") %></a>
            </div>