2 files changed, 103 insertions, 0 deletions
diff --git a/src/login/handlers/password/mod.rs b/src/login/handlers/password/mod.rs
new file mode 100644
index 0000000..94c7fb4
--- /dev/null
+++ b/src/login/handlers/password/mod.rs
@@ -0,0 +1,56 @@
+use axum::{
+    extract::{Json, State},
+    http::StatusCode,
+    response::{IntoResponse, Response},
+};
+
+use crate::{
+    app::App,
+    clock::RequestedAt,
+    empty::Empty,
+    error::Internal,
+    login::app,
+    password::Password,
+    token::extract::{Identity, IdentityCookie},
+};
+
+#[cfg(test)]
+mod test;
+
+pub async fn handler(
+    State(app): State<App>,
+    RequestedAt(now): RequestedAt,
+    identity: Identity,
+    cookie: IdentityCookie,
+    Json(request): Json<Request>,
+) -> Result<(IdentityCookie, Empty), Error> {
+    let secret = app
+        .logins()
+        .change_password(&identity.login, &request.password, &request.to, &now)
+        .await
+        .map_err(Error)?;
+    let cookie = cookie.set(secret);
+    Ok((cookie, Empty))
+}
+
+#[derive(serde::Deserialize)]
+pub struct Request {
+    pub password: Password,
+    pub to: Password,
+}
+
+#[derive(Debug, thiserror::Error)]
+#[error(transparent)]
+pub struct Error(#[from] pub app::LoginError);
+
+impl IntoResponse for Error {
+    fn into_response(self) -> Response {
+        let Self(error) = self;
+        match error {
+            app::LoginError::Rejected => {
+                (StatusCode::BAD_REQUEST, "invalid name or password").into_response()
+            }
+            other => Internal::from(other).into_response(),
+        }
+    }
+}
diff --git a/src/login/handlers/password/test.rs b/src/login/handlers/password/test.rs
new file mode 100644
index 0000000..ba2f28f
--- /dev/null
+++ b/src/login/handlers/password/test.rs
@@ -0,0 +1,47 @@
+use axum::extract::{Json, State};
+
+use crate::{
+    empty::Empty,
+    test::{fixtures, verify},
+};
+
+#[tokio::test]
+async fn password_change() {
+    // Set up the environment
+    let app = fixtures::scratch_app().await;
+    let creds = fixtures::user::create_with_password(&app, &fixtures::now()).await;
+    let cookie = fixtures::cookie::logged_in(&app, &creds, &fixtures::now()).await;
+    let identity = fixtures::identity::from_cookie(&app, &cookie, &fixtures::now()).await;
+
+    // Call the endpoint
+    let (name, password) = creds;
+    let to = fixtures::user::propose_password();
+    let request = super::Request {
+        password: password.clone(),
+        to: to.clone(),
+    };
+    let (new_cookie, Empty) = super::handler(
+        State(app.clone()),
+        fixtures::now(),
+        identity.clone(),
+        cookie.clone(),
+        Json(request),
+    )
+    .await
+    .expect("changing passwords succeeds");
+
+    // Verify that we have a new session
+    assert_ne!(cookie.secret(), new_cookie.secret());
+
+    // Verify that we're still ourselves
+    verify::identity::valid_for_login(&app, &new_cookie, &identity.login).await;
+
+    // Verify that our original token is no longer valid
+    verify::identity::invalid(&app, &cookie).await;
+
+    // Verify that our original password is no longer valid
+    verify::login::invalid_login(&app, &name, &password).await;
+
+    // Verify that our new password is valid
+    verify::login::valid_login(&app, &name, &to).await;
+}