feat(security): #328 delete old sessions change password [tbs]

service/auth.go

@@ -18,11 +18,11 @@ import (
 )
 
 var (
-	ErrInvaidCredentials = errors.New("invalid email or password")
-	ErrInvalidPassword   = errors.New("password needs to be 8 characters long, contain at least one number, one special, one uppercase and one lowercase character")
-	ErrInvalidEmail      = errors.New("invalid email")
-	ErrAccountExists     = errors.New("account already exists")
-	ErrSessionIdInvalid  = errors.New("session ID is invalid")
+	ErrInvalidCredentials = errors.New("invalid email or password")
+	ErrInvalidPassword    = errors.New("password needs to be 8 characters long, contain at least one number, one special, one uppercase and one lowercase character")
+	ErrInvalidEmail       = errors.New("invalid email")
+	ErrAccountExists      = errors.New("account already exists")
+	ErrSessionIdInvalid   = errors.New("session ID is invalid")
 )
 
 type User struct {
@@ -65,9 +65,9 @@ type Auth interface {
 	SignInAnonymous() (*Session, error)
 	SignOut(sessionId string) error
 
-	DeleteAccount(user *User) error
+	DeleteAccount(user *User, currPass string) error
 
-	ChangePassword(user *User, currPass, newPass string) error
+	ChangePassword(session *Session, currPass, newPass string) error
 
 	SendForgotPasswordMail(email string) error
 	ForgotPassword(token string, newPass string) error
@@ -99,7 +99,7 @@ func (service AuthImpl) SignIn(email string, password string) (*Session, error)
 	user, err := service.db.GetUserByEmail(email)
 	if err != nil {
 		if errors.Is(err, db.ErrNotFound) {
-			return nil, ErrInvaidCredentials
+			return nil, ErrInvalidCredentials
 		} else {
 			return nil, types.ErrInternal
 		}
@@ -108,7 +108,7 @@ func (service AuthImpl) SignIn(email string, password string) (*Session, error)
 	hash := GetHashPassword(password, user.Salt)
 
 	if subtle.ConstantTimeCompare(hash, user.Password) == 0 {
-		return nil, ErrInvaidCredentials
+		return nil, ErrInvalidCredentials
 	}
 
 	session, err := service.createSession(user.Id)
@@ -299,9 +299,19 @@ func (service AuthImpl) SignOut(sessionId string) error {
 	return service.db.DeleteSession(sessionId)
 }
 
-func (service AuthImpl) DeleteAccount(user *User) error {
+func (service AuthImpl) DeleteAccount(user *User, currPass string) error {
 
-	err := service.db.DeleteUser(user.Id)
+	userDb, err := service.db.GetUser(user.Id)
+	if err != nil {
+		return types.ErrInternal
+	}
+
+	currHash := GetHashPassword(currPass, userDb.Salt)
+	if subtle.ConstantTimeCompare(currHash, userDb.Password) == 0 {
+		return ErrInvalidCredentials
+	}
+
+	err = service.db.DeleteUser(user.Id)
 	if err != nil {
 		return err
 	}
@@ -311,7 +321,7 @@ func (service AuthImpl) DeleteAccount(user *User) error {
 	return nil
 }
 
-func (service AuthImpl) ChangePassword(user *User, currPass, newPass string) error {
+func (service AuthImpl) ChangePassword(session *Session, currPass, newPass string) error {
 
 	if !isPasswordValid(newPass) {
 		return ErrInvalidPassword
@@ -321,18 +331,18 @@ func (service AuthImpl) ChangePassword(user *User, currPass, newPass string) err
 		return ErrInvalidPassword
 	}
 
-	_, err := service.SignIn(user.Email, currPass)
+	userDb, err := service.db.GetUser(session.User.Id)
 	if err != nil {
 		return err
 	}
 
-	userDb, err := service.db.GetUser(user.Id)
-	if err != nil {
-		return err
+	currHash := GetHashPassword(currPass, userDb.Salt)
+
+	if subtle.ConstantTimeCompare(currHash, userDb.Password) == 0 {
+		return ErrInvalidCredentials
 	}
 
 	newHash := GetHashPassword(newPass, userDb.Salt)
-
 	userDb.Password = newHash
 
 	err = service.db.UpdateUser(userDb)
@@ -340,11 +350,15 @@ func (service AuthImpl) ChangePassword(user *User, currPass, newPass string) err
 		return err
 	}
 
+	err = service.db.DeleteOtherSessions(session.User.Id, session.Id)
+	if err != nil {
+		return err
+	}
+
 	return nil
 }
 
 func (service AuthImpl) SendForgotPasswordMail(email string) error {
-
 	tokenStr, err := service.random.String(32)
 	if err != nil {
 		return err