From 5e5121fc65b5bddc8390c50d70ea484ee822b113 Mon Sep 17 00:00:00 2001
From: Matthew Dillon
Date: Fri, 13 Nov 2015 13:43:09 -0700
Subject: [PATCH] Validate user password Fixes #29.
---
 api/users.go | 17 +++++++++++------
 models/users.go | 7 +++++++
 2 files changed, 18 insertions(+), 6 deletions(-)
diff --git a/api/users.go b/api/users.go
index d5b3df9..f148109 100644
--- a/api/users.go
+++ b/api/users.go
@@ -201,16 +201,18 @@ func HandleUserVerify(w http.ResponseWriter, r *http.Request) *types.AppError {
 user.Verified = true
- count, err := models.DBH.Update(&user)
- if err != nil {
+ if err := models.Update(&user); err != nil {
+ if err == errors.ErrUserNotUpdated {
+ return newJSONError(err, http.StatusBadRequest)
+ }
+ if err, ok := err.(types.ValidationError); ok {
+ return &types.AppError{Error: err, Status: helpers.StatusUnprocessableEntity}
+ }
 return newJSONError(err, http.StatusInternalServerError)
 }
- if count != 1 {
- return newJSONError(errors.ErrUserNotUpdated, http.StatusInternalServerError)
- }
 q = `DELETE FROM verification WHERE user_id=$1;`
- _, err = models.DBH.Exec(q, user.ID)
+ _, err := models.DBH.Exec(q, user.ID)
 if err != nil {
 return newJSONError(err, http.StatusInternalServerError)
 }
@@ -275,6 +277,9 @@ func HandleUserPasswordChange(w http.ResponseWriter, r *http.Request) *types.App
 }
 if err := models.UpdateUserPassword(&claims, r.FormValue("password")); err != nil {
+ if err, ok := err.(types.ValidationError); ok {
+ return &types.AppError{Error: err, Status: helpers.StatusUnprocessableEntity}
+ }
 return newJSONError(err, http.StatusInternalServerError)
 }
diff --git a/models/users.go b/models/users.go
index 68fcb38..d433800 100644
--- a/models/users.go
+++ b/models/users.go
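Review bot: The new `types.ValidationError` branch after `models.Update(&user)` in HandleUserVerify makes e-mail verification depend on model validation, which the models/users.go hunk of this commit runs against a plaintext `user.Password`. If `user` is loaded from the database here, its Password presumably holds the bcrypt hash, so the password rules would be evaluated against the hash and verification could return 422 for reasons unrelated to the user's real password. Consider validating the password only where a new plaintext is supplied, and document the branch with a comment such as `// Update runs model validation; a ValidationError here reflects stored fields, not request input`. HandleUserVerify starts before and continues after this hunk, so how `user` is populated is not visible.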
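Review bot: The 422 branch in HandleUserPasswordChange hands the `types.ValidationError` to the client unchanged, and that error is produced while the submitted plaintext is sitting in the validated field. Please confirm that the validator's message for the password field never interpolates the rejected value, and that whatever consumes `types.AppError` does not log the error together with the form data; neither is visible in this hunk. A short comment on the branch, e.g. `// validation messages must describe the rule, never echo the password`, would keep that expectation next to the code. The handler body starts before and continues after the hunk.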
@@ -181,6 +181,13 @@ func UpdateUserPassword(claims *types.Claims, password string) error {
 return err
 }
+ // Temporarily set PW as plaintext, for validation purposes
+ user.Password = password
+
+ if err := user.validate(); err != nil {
+ return err
+ }
+
 hash, err := bcrypt.GenerateFromPassword([]byte(password), 12)
 if err != nil {
 return err
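Review bot: Assigning the plaintext to `user.Password` before `user.validate()` leaves the model holding the cleartext password until the hash overwrites it, and both `return err` paths (after `validate()` and after `bcrypt.GenerateFromPassword`) exit with it still set. Whether `user` is shared, logged or persisted on those paths cannot be seen here, because UpdateUserPassword starts before and ends after this hunk. Validating the candidate string directly avoids the mutation, for example with a new helper called as `if err := validatePassword(password); err != nil { return err }`. Since bcrypt only considers the first 72 bytes of its input (newer library versions reject longer input instead), the validator should presumably also cap the password length at 72 bytes.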