feature-8975: API to verify password of signed in account (#9008)

* feature-8975: API to verify password of signed in account

* feature-8975: API to verify password of signed in account

* feature-8975: API to verify password of signed in account

* feature-8975: API to verify password of signed in account

* feature-8975: API to verify password of signed in account

* feature-8975: API to verify password of signed in account

* feature-8975: API to verify password of signed in account

* feature-8975: API to verify password of signed in account

---------

Co-authored-by: cweitat <[email protected]>

Author: Hieu Lam - TMA

app/api/auth.py

@@ -466,3 +466,30 @@ def decorated(*args, **kwargs):
 def environment_details():
     envdump = EnvironmentDump(include_config=False)
     return envdump.dump_environment()
+
+
+@auth_routes.route('/verify-password', methods=['POST'])
+@jwt_required
+def verify_password():
+    data = request.get_json()
+    password = data.get('password')
+
+    if not all([current_user.id, password]):
+        logging.error('user or password missing')
+        return jsonify(error='user or password missing'), 400
+
+    try:
+        user = User.query.filter_by(id=current_user.id).one()
+    except NoResultFound:
+        logging.info('User Not Found')
+        raise NotFoundError({'source': ''}, 'User Not Found')
+
+    result = False
+    if user.is_correct_password(password):
+        result = True
+
+    return jsonify(
+        {
+            "result": result,
+        }
+    )

docs/api/blueprint/auth/authentication.apib

@@ -105,6 +105,33 @@ For mobile clients, dealing with cookies is not easy, and traditional problem of
             "access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE1NjQ4NTQyODIsIm5iZiI6MTU2NDg1NDI4MiwianRpIjoiZGM2MjU3MjMtZjYyMi00YmYzLTgxMGQtYTVmZTljMWNhMDIyIiwiZXhwIjoxNTY0OTQwNjgyLCJpZGVudGl0eSI6MSwiZnJlc2giOnRydWUsInR5cGUiOiJhY2Nlc3MiLCJjc3JmIjoiMDFkNDI2MmYtOGRiZS00MWEwLWI2OWUtODY1M2QzNTRkYTUyIn0.lscegFJqTeqsfpqBNC6t2E2_A38JYqriQh5wixQQOtU"
         }
 
+## API to verify password of signed in account [/v1/auth/verify-password]
+
+### API to verify password of signed in account [POST]
+
+API to verify password of signed in account using JWT token
+
++ Request
+
+    + Headers
+
+            Content-Type: application/vnd.api+json
+
+            Authorization: JWT eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE1NjQ4NTQyODIsIm5iZiI6MTU2NDg1NDI4MiwianRpIjoiZGM2MjU3MjMtZjYyMi00YmYzLTgxMGQtYTVmZTljMWNhMDIyIiwiZXhwIjoxNTY0OTQwNjgyLCJpZGVudGl0eSI6MSwiZnJlc2giOnRydWUsInR5cGUiOiJhY2Nlc3MiLCJjc3JmIjoiMDFkNDI2MmYtOGRiZS00MWEwLWI2OWUtODY1M2QzNTRkYTUyIn0.lscegFJqTeqsfpqBNC6t2E2_A38JYqriQh5wixQQOtU
+
+    + Body
+
+            {
+                "password": "password"
+            }
+
++ Response 200 (application/json)
+
+        {
+            "result": true
+        }
+
+
 ## Token Refresh [/v1/auth/token/refresh]
 
 **Note**: The access token generated by this method is not fresh. Which means it is good for all auth except sensitive APIs like changing password and changing email. This is done to increase security and prevent damage if a refresh token is leaked.

tests/all/integration/api/helpers/test_auth.py

@@ -56,3 +56,18 @@ def test_get_user_id(client, jwt):
 
     assert response.status_code == 200
     assert json.loads(response.data)['user_id']
+
+
+def test_verify_password(client, jwt):
+    """Method to test verify password"""
+    data = json.dumps({'password': 'password'})
+
+    response = client.post(
+        '/v1/auth/verify-password',
+        content_type='application/vnd.api+json',
+        headers=jwt,
+        data=data,
+    )
+
+    assert response.status_code == 200
+    assert json.loads(response.data)['result']