chore: be more specific about pwd requirement

staaldraad · staaldraad · commit 78a56ba6d915 · 2026-02-04T17:56:32.000+01:00
diff --git a/internal/api/apierrors/errorcode.go b/internal/api/apierrors/errorcode.go
@@ -71,7 +71,8 @@ const (
 	ErrorCodeReauthenticationNeeded            ErrorCode = "reauthentication_needed"
 	ErrorCodeSamePassword                      ErrorCode = "same_password"
 	ErrorCodeReauthenticationNotValid          ErrorCode = "reauthentication_not_valid"
-	ErrorCodeCurrentPasswordMismatch           ErrorCode = "current_password_required"
+	ErrorCodeCurrentPasswordMismatch           ErrorCode = "current_password_invalid"
+	ErrorCodeCurrentPasswordRequired           ErrorCode = "current_password_required"
 	ErrorCodeOTPExpired                        ErrorCode = "otp_expired"
 	ErrorCodeOTPDisabled                       ErrorCode = "otp_disabled"
 	ErrorCodeIdentityNotFound                  ErrorCode = "identity_not_found"
diff --git a/internal/api/user.go b/internal/api/user.go
@@ -168,13 +168,12 @@ func (a *API) UserUpdate(w http.ResponseWriter, r *http.Request) error {
 			if user.HasPassword() {
 				// current password required when updating password
 				if config.Security.UpdatePasswordRequireCurrentPassword {
-					isCurrentPasswordCorrect := false
-					if params.CurrentPassword != nil && *params.CurrentPassword != "" {
-						auth, _, err := user.Authenticate(ctx, db, *params.CurrentPassword, config.Security.DBEncryption.DecryptionKeys, false, "")
-						if err != nil {
-							return err
-						}
-						isCurrentPasswordCorrect = auth
+					if params.CurrentPassword == nil || *params.CurrentPassword == "" {
+						return apierrors.NewBadRequestError(apierrors.ErrorCodeCurrentPasswordRequired, "Current password required when setting new password.")
+					}
+					isCurrentPasswordCorrect, _, err := user.Authenticate(ctx, db, *params.CurrentPassword, config.Security.DBEncryption.DecryptionKeys, false, "")
+					if err != nil {
+						return err
 					}
 					if !isCurrentPasswordCorrect {
 						return apierrors.NewBadRequestError(apierrors.ErrorCodeCurrentPasswordMismatch, "Current password required when setting new password.")
diff --git a/internal/api/user_test.go b/internal/api/user_test.go
@@ -356,6 +356,15 @@ func (ts *UserTestSuite) TestUserUpdatePassword() {
 			sessionId:               r.SessionId,
 			expected:                expected{code: http.StatusBadRequest, isAuthenticated: false},
 		},
+		{
+			desc:                    "Fails if current password not set when required",
+			newPassword:             "newpassword123",
+			nonce:                   "",
+			requireReauthentication: false,
+			requireCurrentPassword:  true,
+			sessionId:               r.SessionId,
+			expected:                expected{code: http.StatusBadRequest, isAuthenticated: false},
+		},
 	}
 
 	for _, c := range cases {
