lwsgt: fix check against forgot password flow defeating existing pw check

https://github.com/warmcat/libwebsockets/issues/706 This fixes a problem where the check for the existing pw was skipped when a logged-in user is changing his password. It's not good but because the user has to be logged in, it only affected the situation someone changes his password on his logged in session.
2025-03-09 00:00:04 +01:00 · 2016-12-08 17:32:08 +08:00 · 2016-12-08 17:32:08 +08:00 · b1d4d3bb9e
commit b1d4d3bb9e
parent ba8fb14e85
1 changed files with 9 additions and 2 deletions
--- a/plugins/generic-sessions/handlers.c
+++ b/plugins/generic-sessions/handlers.c
@ -289,14 +289,19 @@ lwsgs_handler_change_password(struct per_vhost_data__gs *vhd, struct lws *wsi,
 				return 1;

 			/* did a forgot pw ? */
-			if (u.last_forgot_validated > lws_now_secs() - 300)
+			if (u.last_forgot_validated > lws_now_secs() - 300) {
 				n |= LWSGS_AUTH_FORGOT_FLOW;
+				lwsl_debug("within forgot password flow\n");
+			}
 		}
 	}

+	lwsl_debug("auth value %d\n", n);
+
 	/* if he just did forgot pw flow, don't need old pw */
-	if (!(n & (LWSGS_AUTH_FORGOT_FLOW | 1))) {
+	if ((n & (LWSGS_AUTH_FORGOT_FLOW | 1)) != (LWSGS_AUTH_FORGOT_FLOW | 1)) {
 		/* otherwise user:pass must be right */
+		lwsl_debug("checking pw\n");
 		if (lwsgs_check_credentials(vhd,
 			   lws_spa_get_string(pss->spa, FGS_USERNAME),
 			   lws_spa_get_string(pss->spa, FGS_CURPW))) {
@ -304,6 +309,8 @@ lwsgs_handler_change_password(struct per_vhost_data__gs *vhd, struct lws *wsi,
 			return 1;
 		}

+		lwsl_debug("current pw checks out\n");
+
 		strncpy(u.username, lws_spa_get_string(pss->spa, FGS_USERNAME), sizeof(u.username) - 1);
 		u.username[sizeof(u.username) - 1] = '\0';
 	}