Don't allow setting personal password when already set

Fixes #180

Author: steunix

api/v1/controllers/personal.mjs

@@ -68,6 +68,16 @@ export async function setPassword (req, res, next) {
     return
   }
 
+  // Check that personal password is not already set
+  const user = await DB.users.findUnique({
+    where: { id: req.user },
+    select: { personalsecret: true }
+  })
+  if (user.personalsecret !== null) {
+    res.status(R.UNPROCESSABLE_ENTITY).send(R.ko('Personal password already set'))
+    return
+  }
+
   // Create personal storage key
   const pkey = Crypt.randomAESKey()
 

docs/apidoc/paths/personalpassword.yaml

@@ -4,13 +4,14 @@ post:
   operationId: personalpasswordset
   summary: Set personal folder password
   description: Set personal folder password. The user must already be logged in.
+  security:
+    - bearerAuth: []
   requestBody:
     required: true
     content:
       application/json:
         schema:
           $ref: '..\requestbodies\personalpassword.yaml#/personalpasswordBody'
-
   responses:
     "200":
       $ref: '..\responsebodies\personalpassword.yaml#/success'
@@ -19,20 +20,47 @@ post:
       $ref: '..\responsebodies\default.yaml#/badrequest'
     "401":
       $ref: '..\responsebodies\default.yaml#/unauthorized'
+    "422":
+      $ref: '..\responsebodies\default.yaml#/unauthorized'
+      description: Personal password already set
 
 patch:
   tags:
     - Personal folders
   operationId: personalpasswordupdate
   summary: Change personal folder password
   description: Change personal folder password. The user must already be logged in.
+  security:
+    - bearerAuth: []
   requestBody:
     required: true
     content:
       application/json:
         schema:
           $ref: '..\requestbodies\personalpassword.yaml#/personalpasswordBody'
+  responses:
+    "200":
+      $ref: '..\responsebodies\personalpassword.yaml#/success'
+      description: Personal password set
+    "400":
+      $ref: '..\responsebodies\default.yaml#/badrequest'
+    "401":
+      $ref: '..\responsebodies\default.yaml#/unauthorized'
 
+delete:
+  tags:
+    - Personal folders
+  operationId: personalpasswordreset
+  summary: Delete personal folder password
+  description: Delete personal folder password. All personal item will be unreadable.
+  security:
+    - bearerAuth: []
+  requestBody:
+    required: true
+    content:
+      application/json:
+        schema:
+          $ref: '..\requestbodies\personalpassword.yaml#/personalpasswordBody'
   responses:
     "200":
       $ref: '..\responsebodies\personalpassword.yaml#/success'

docs/apidoc/paths/personalunlock.yaml

@@ -4,13 +4,14 @@ post:
   operationId: personalunlock
   summary: Unlock user personal folder
   description: Unlock user personal folder. The user must already be logged in.
+  security:
+    - bearerAuth: []
   requestBody:
     required: true
     content:
       application/json:
         schema:
           $ref: '..\requestbodies\personalunlock.yaml#/personalunlockBody'
-
   responses:
     "200":
       $ref: '..\responsebodies\personalunlock.yaml#/success'

test/personal.spec.cjs

@@ -4,13 +4,20 @@ require('./common.cjs')
 
 describe('Personal folders', function () {
   it('Set personal password', async () => {
-    const res1 = await agent
+    // Delete personal password. Ignore the error.
+    await agent
+      .delete(`${global.host}/api/v1/personal/password`)
+      .set('Authorization', `Bearer ${global.userJWT}`)
+      .send({ password: '123' })
+      .catch(v => v)
+
+    const res2 = await agent
       .post(`${global.host}/api/v1/personal/password`)
       .set('Authorization', `Bearer ${global.userJWT}`)
       .send({ password: '123' })
       .catch(v => v)
 
-    assert.strictEqual(res1.status, 200)
+    assert.strictEqual(res2.status, 200)
   })
 
   it('Unlock personal folders', async () => {
@@ -32,6 +39,19 @@ describe('Personal folders', function () {
   })
 
   it('Create, update and remove personal item', async () => {
+    // Delete personal password. Ignore the error.
+    await agent
+      .delete(`${global.host}/api/v1/personal/password`)
+      .set('Authorization', `Bearer ${global.userJWT}`)
+      .send({ password: '123' })
+      .catch(v => v)
+
+    await agent
+      .post(`${global.host}/api/v1/personal/password`)
+      .set('Authorization', `Bearer ${global.userJWT}`)
+      .send({ password: '123' })
+      .catch(v => v)
+
     const res1 = await agent
       .post(`${global.host}/api/v1/personal/unlock`)
       .set('Authorization', `Bearer ${global.userJWT}`)
@@ -67,6 +87,13 @@ describe('Personal folders', function () {
   })
 
   it('Reset personal password', async () => {
+    // Delete personal password. Ignore the error.
+    await agent
+      .delete(`${global.host}/api/v1/personal/password`)
+      .set('Authorization', `Bearer ${global.userJWT}`)
+      .send({ password: '123' })
+      .catch(v => v)
+
     const res1 = await agent
       .post(`${global.host}/api/v1/personal/password`)
       .set('Authorization', `Bearer ${global.userJWT}`)
@@ -90,4 +117,29 @@ describe('Personal folders', function () {
 
     assert.strictEqual(res3.status, 200)
   })
+
+  it('Set personal password when already set', async () => {
+    // Delete personal password. Ignore the error.
+    await agent
+      .delete(`${global.host}/api/v1/personal/password`)
+      .set('Authorization', `Bearer ${global.userJWT}`)
+      .send({ password: '123' })
+      .catch(v => v)
+
+    const res1 = await agent
+      .post(`${global.host}/api/v1/personal/password`)
+      .set('Authorization', `Bearer ${global.userJWT}`)
+      .send({ password: '123' })
+      .catch(v => v)
+
+    assert.strictEqual(res1.status, 200)
+
+    const res2 = await agent
+      .post(`${global.host}/api/v1/personal/password`)
+      .set('Authorization', `Bearer ${global.userJWT}`)
+      .send({ password: '123' })
+      .catch(v => v)
+
+    assert.strictEqual(res2.status, 422)
+  })
 })