update user passwrrod

Author: pcrespov

packages/postgres-database/src/simcore_postgres_database/utils_users.py

@@ -297,6 +297,23 @@ async def update_user_phone(
                 users.update().where(users.c.id == user_id).values(phone=phone)
             )
 
+    async def update_user_password_hash(
+        self,
+        connection: AsyncConnection | None = None,
+        *,
+        user_id: int,
+        password_hash: str,
+    ) -> None:
+        assert (
+            password_hash.strip()
+        ), f"Password hash cannot be empty: {password_hash}"  # nosec
+        async with transaction_context(self._engine, connection) as conn:
+            await conn.execute(
+                users_secrets.update()
+                .where(users_secrets.c.user_id == user_id)
+                .values(password_hash=password_hash)
+            )
+
     async def is_email_used(
         self, connection: AsyncConnection | None = None, *, email: str
     ) -> bool:

services/web/server/src/simcore_service_webserver/login/_auth_service.py

@@ -138,3 +138,29 @@ async def check_authorized_user_in_product_or_raise(
         raise web.HTTPUnauthorized(
             text=MSG_UNKNOWN_EMAIL, content_type=MIMETYPE_APPLICATION_JSON
         )
+
+
+async def update_user_password(
+    app: web.Application,
+    *,
+    user_id: int,
+    current_password: str,
+    new_password: str,
+) -> None:
+    """Updates user password after verifying current password"""
+    repo = UsersRepo(get_asyncpg_engine(app))
+
+    # Get current password hash
+    current_password_hash = await repo.get_password_hash(user_id=user_id)
+
+    # Verify current password
+    if not security_service.check_password(current_password, current_password_hash):
+        raise web.HTTPUnauthorized(
+            text=MSG_WRONG_PASSWORD, content_type=MIMETYPE_APPLICATION_JSON
+        )
+
+    # Encrypt new password and update
+    new_password_hash = security_service.encrypt_password(new_password)
+    await repo.update_user_password_hash(
+        user_id=user_id, password_hash=new_password_hash
+    )

services/web/server/src/simcore_service_webserver/login/_controller/rest/change.py

@@ -11,7 +11,6 @@
 from ....db.plugin import get_asyncpg_engine
 from ....products import products_web
 from ....products.models import Product
-from ....security import security_service
 from ....users import users_service
 from ....utils import HOUR
 from ....utils_rate_limiting import global_rate_limit_route
@@ -268,10 +267,9 @@ async def initiate_change_email(request: web.Request):
 @login_required
 async def change_password(request: web.Request):
 
-    db: AsyncpgStorage = get_plugin_storage(request.app)
     passwords = await parse_request_body_as(ChangePasswordBody, request)
-
-    user = await _auth_service.get_user_or_none(request.app, user_id=user["id"])
+    user_id = request[RQT_USERID_KEY]
+    user = await _auth_service.get_user_or_none(request.app, user_id=user_id)
 
     await _auth_service.check_authorized_user_credentials_or_raise(
         request.app,
@@ -280,13 +278,11 @@ async def change_password(request: web.Request):
         product=products_web.get_current_product(request),
     )
 
-    await db.update_user(
-        dict(user),
-        {
-            "password_hash": security_service.encrypt_password(
-                passwords.new.get_secret_value()
-            )
-        },
+    await _auth_service.update_user_password(
+        request.app,
+        user_id=user_id,
+        current_password=passwords.current.get_secret_value(),
+        new_password=passwords.new.get_secret_value(),
     )
 
     return flash_response(MSG_PASSWORD_CHANGED)