fix: test states

staaldraad · staaldraad · commit 78ca01e4b7e1 · 2026-02-04T14:34:39.000+01:00
diff --git a/internal/api/user.go b/internal/api/user.go
@@ -168,17 +168,16 @@ func (a *API) UserUpdate(w http.ResponseWriter, r *http.Request) error {
 			if user.HasPassword() {
 				// current password required when updating password
 				if config.Security.UpdatePasswordRequireCurrentPassword {
-					currentPassword := *params.CurrentPassword
 					isCurrentPasswordCorrect := false
-					if currentPassword != "" {
-						auth, _, err := user.Authenticate(ctx, db, currentPassword, config.Security.DBEncryption.DecryptionKeys, false, "")
+					if params.CurrentPassword != nil && *params.CurrentPassword != "" {
+						auth, _, err := user.Authenticate(ctx, db, *params.CurrentPassword, config.Security.DBEncryption.DecryptionKeys, false, "")
 						if err != nil {
 							return err
 						}
 						isCurrentPasswordCorrect = auth
 					}
 					if !isCurrentPasswordCorrect {
-						return apierrors.NewUnprocessableEntityError(apierrors.ErrorCodeCurrentPasswordMismatch, "Current password required when setting new password.")
+						return apierrors.NewBadRequestError(apierrors.ErrorCodeCurrentPasswordMismatch, "Current password required when setting new password.")
 					}
 				}
 				auth, _, err := user.Authenticate(ctx, db, password, config.Security.DBEncryption.DecryptionKeys, false, "")
diff --git a/internal/api/user_test.go b/internal/api/user_test.go
@@ -338,8 +338,8 @@ func (ts *UserTestSuite) TestUserUpdatePassword() {
 		},
 		{
 			desc:                    "Current password checked when require current password set",
-			newPassword:             "newpassword123",
-			currentPassword:         "password",
+			newPassword:             "updateToNewpassword123",
+			currentPassword:         "newpassword123", // match to the test case above
 			nonce:                   "",
 			requireReauthentication: false,
 			requireCurrentPassword:  true,
@@ -362,8 +362,13 @@ func (ts *UserTestSuite) TestUserUpdatePassword() {
 		ts.Run(c.desc, func() {
 			ts.Config.Security.UpdatePasswordRequireReauthentication = c.requireReauthentication
 			ts.Config.Security.UpdatePasswordRequireCurrentPassword = c.requireCurrentPassword
+
+			userUpdateBody := map[string]string{"password": c.newPassword, "nonce": c.nonce}
+			if c.requireCurrentPassword {
+				userUpdateBody["current_password"] = c.currentPassword
+			}
 			var buffer bytes.Buffer
-			require.NoError(ts.T(), json.NewEncoder(&buffer).Encode(map[string]string{"password": c.newPassword, "nonce": c.nonce}))
+			require.NoError(ts.T(), json.NewEncoder(&buffer).Encode(userUpdateBody))
 
 			req := httptest.NewRequest(http.MethodPut, "http://localhost/user", &buffer)
 			req.Header.Set("Content-Type", "application/json")
@@ -389,6 +394,7 @@ func (ts *UserTestSuite) TestUserUpdatePassword() {
 }
 
 func (ts *UserTestSuite) TestUserUpdatePasswordNoReauthenticationRequired() {
+	ts.Config.Security.UpdatePasswordRequireCurrentPassword = false
 	u, err := models.FindUserByEmailAndAudience(ts.API.db, "test@example.com", ts.Config.JWT.Aud)
 	require.NoError(ts.T(), err)
 
@@ -452,7 +458,7 @@ func (ts *UserTestSuite) TestUserUpdatePasswordNoReauthenticationRequired() {
 
 func (ts *UserTestSuite) TestUserUpdatePasswordReauthentication() {
 	ts.Config.Security.UpdatePasswordRequireReauthentication = true
-
+	ts.Config.Security.UpdatePasswordRequireCurrentPassword = false
 	u, err := models.FindUserByEmailAndAudience(ts.API.db, "test@example.com", ts.Config.JWT.Aud)
 	require.NoError(ts.T(), err)
 
@@ -510,6 +516,7 @@ func (ts *UserTestSuite) TestUserUpdatePasswordReauthentication() {
 
 func (ts *UserTestSuite) TestUserUpdatePasswordLogoutOtherSessions() {
 	ts.Config.Security.UpdatePasswordRequireReauthentication = false
+	ts.Config.Security.UpdatePasswordRequireCurrentPassword = false
 	u, err := models.FindUserByEmailAndAudience(ts.API.db, "test@example.com", ts.Config.JWT.Aud)
 	require.NoError(ts.T(), err)
 
@@ -609,6 +616,7 @@ func (ts *UserTestSuite) TestUserUpdatePasswordSendsNotificationEmail() {
 	for _, c := range cases {
 		ts.Run(c.desc, func() {
 			ts.Config.Security.UpdatePasswordRequireReauthentication = false
+			ts.Config.Security.UpdatePasswordRequireCurrentPassword = false
 			ts.Config.Mailer.Autoconfirm = false
 			ts.Config.Mailer.Notifications.PasswordChangedEnabled = c.notificationEnabled
 

Original file line number	Diff line number	Diff line change
`@@ -168,17 +168,16 @@ func (a API) UserUpdate(w http.ResponseWriter, r http.Request) error {`
`168`	`168`	`if user.HasPassword() {`
`169`	`169`	`// current password required when updating password`
`170`	`170`	`if config.Security.UpdatePasswordRequireCurrentPassword {`
`171`		`- currentPassword := *params.CurrentPassword`
`172`	`171`	`isCurrentPasswordCorrect := false`
`173`		`- if currentPassword != "" {`
`174`		`- auth, _, err := user.Authenticate(ctx, db, currentPassword, config.Security.DBEncryption.DecryptionKeys, false, "")`
	`172`	`+ if params.CurrentPassword != nil && *params.CurrentPassword != "" {`
	`173`	`+ auth, _, err := user.Authenticate(ctx, db, *params.CurrentPassword, config.Security.DBEncryption.DecryptionKeys, false, "")`
`175`	`174`	`if err != nil {`
`176`	`175`	`return err`
`177`	`176`	`}`
`178`	`177`	`isCurrentPasswordCorrect = auth`
`179`	`178`	`}`
`180`	`179`	`if !isCurrentPasswordCorrect {`
`181`		`- return apierrors.NewUnprocessableEntityError(apierrors.ErrorCodeCurrentPasswordMismatch, "Current password required when setting new password.")`
	`180`	`+ return apierrors.NewBadRequestError(apierrors.ErrorCodeCurrentPasswordMismatch, "Current password required when setting new password.")`
`182`	`181`	`}`
`183`	`182`	`}`
`184`	`183`	`auth, _, err := user.Authenticate(ctx, db, password, config.Security.DBEncryption.DecryptionKeys, false, "")`