From cbcc68f8e4f7661c2a5579f378d190e48e1bf42c Mon Sep 17 00:00:00 2001
From: maru
Date: Sun, 28 Apr 2024 17:27:58 -0400
Subject: [PATCH] Add password changes

---
 api/account/changepw.go | 27 +++++++++++++++++++++++++++
 api/common.go | 1 +
 api/endpoints.go | 22 ++++++++++++++++++++++
 db/account.go | 9 +++++++++
 4 files changed, 59 insertions(+)
 create mode 100644 api/account/changepw.go

diff --git a/api/account/changepw.go b/api/account/changepw.go
new file mode 100644
index 0000000..a91f230
--- /dev/null
+++ b/api/account/changepw.go
@@ -0,0 +1,27 @@
+package account
+
+import (
+	"crypto/rand"
+	"fmt"
+
+	"github.com/pagefaultgames/pokerogue-server/db"
+)
+
+func ChangePW(uuid []byte, password string) error {
+	if len(password) < 6 {
+		return fmt.Errorf("invalid password")
+	}
+
+	salt := make([]byte, ArgonSaltSize)
+	_, err := rand.Read(salt)
+	if err != nil {
+		return fmt.Errorf(fmt.Sprintf("failed to generate salt: %s", err))
+	}
+
+	err = db.UpdateAccountPassword(uuid, deriveArgon2IDKey([]byte(password), salt), salt)
+	if err != nil {
+		return fmt.Errorf("failed to add account record: %s", err)
+	}
+
+	return nil
+}
diff --git a/api/common.go b/api/common.go
index 803562b..b4b1bfe 100644
--- a/api/common.go
+++ b/api/common.go
@@ -19,6 +19,7 @@ func Init(mux *http.ServeMux) {
 	mux.HandleFunc("GET /account/info", handleAccountInfo)
 	mux.HandleFunc("POST /account/register", handleAccountRegister)
 	mux.HandleFunc("POST /account/login", handleAccountLogin)
+	mux.HandleFunc("POST /account/changepw", handleAccountChangePW)
 	mux.HandleFunc("GET /account/logout", handleAccountLogout)
 
 	// game
diff --git a/api/endpoints.go b/api/endpoints.go
index 137a219..99bf21f 100644
--- a/api/endpoints.go
+++ b/api/endpoints.go
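Review bot: In ChangePW the line `return fmt.Errorf(fmt.Sprintf("failed to generate salt: %s", err))` passes a non-constant format string to Errorf, which `go vet` flags and which would misinterpret any `%` in the wrapped error text; it should be `return fmt.Errorf("failed to generate salt: %w", err)`. The next message, `"failed to add account record: %s"`, looks copied from registration and does not describe this call; `"failed to update account password: %w"` says what this layer was doing and keeps the cause inspectable with errors.Is/As. Separately, ChangePW rewrites the credential for whatever uuid it is handed with no check of the current password, and nothing in this patch revokes the account's other sessions afterwards, so whoever holds a valid session (the handler in api/endpoints.go appears to derive the uuid from the request's session) can make the change permanent; the usual mitigation is to require the current password, or a recent re-authentication, from the handler and to invalidate existing sessions on success.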
@@ -87,6 +87,28 @@ func handleAccountLogin(w http.ResponseWriter, r *http.Request) {
 	w.Header().Set("Content-Type", "application/json")
 }
 
+func handleAccountChangePW(w http.ResponseWriter, r *http.Request) {
+	err := r.ParseForm()
+	if err != nil {
+		httpError(w, r, fmt.Errorf("failed to parse request form: %s", err), http.StatusBadRequest)
+		return
+	}
+
+	uuid, err := uuidFromRequest(r)
+	if err != nil {
+		httpError(w, r, err, http.StatusBadRequest)
+		return
+	}
+
+	err = account.ChangePW(uuid, r.Form.Get("password"))
+	if err != nil {
+		httpError(w, r, err, http.StatusInternalServerError)
+		return
+	}
+
+	w.WriteHeader(http.StatusOK)
+}
+
 func handleAccountLogout(w http.ResponseWriter, r *http.Request) {
 	token, err := tokenFromRequest(r)
 	if err != nil {
diff --git a/db/account.go b/db/account.go
index ba5ef3d..fe9f9b1 100644
--- a/db/account.go
+++ b/db/account.go
@@ -32,6 +32,15 @@ func AddAccountSession(username string, token []byte) error {
 	return nil
 }
 
+func UpdateAccountPassword(uuid, key, salt []byte) error {
+	_, err := handle.Exec("UPDATE accounts SET (hash, salt) VALUES (?, ?) WHERE uuid = ?", key, salt, uuid)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
 func UpdateAccountLastActivity(uuid []byte) error {
 	_, err := handle.Exec("UPDATE accounts SET lastActivity = UTC_TIMESTAMP() WHERE uuid = ?", uuid)
 	if err != nil {
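Review bot: handleAccountChangePW answers http.StatusInternalServerError for every error from account.ChangePW, but ChangePW also rejects passwords shorter than six characters, so a client that sends a too-short password gets a 500 for what is a malformed request. Either check the length in the handler before the call and reply with `http.StatusBadRequest`, or have ChangePW return a sentinel for the validation case (e.g. `var ErrInvalidPassword = errors.New("invalid password")`, tested here with `errors.Is(err, ErrInvalidPassword)`) and reserve 500 for the salt and database failures. The form value is read with `r.Form.Get("password")`, which also matches a query-string parameter; `r.PostForm.Get("password")` limits a new password to the request body so it cannot land in access logs or referrers via the URL.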
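Review bot: The statement in UpdateAccountPassword, `UPDATE accounts SET (hash, salt) VALUES (?, ?) WHERE uuid = ?`, is not valid UPDATE syntax — `SET (...) VALUES (...)` mixes the INSERT and UPDATE forms — so on MySQL/MariaDB, which the neighbouring `UTC_TIMESTAMP()` call suggests is the backend, handle.Exec will return a syntax error and no password will ever be changed. It should read `UPDATE accounts SET hash = ?, salt = ? WHERE uuid = ?` with the same argument order (key, salt, uuid). The rows-affected result of Exec is also discarded; comparing it with zero would turn an update for an unknown uuid into an error instead of a silent success reported to the caller.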