From e7e57ddbc0ec951fdd88fe26722cf066d3920bb7 Mon Sep 17 00:00:00 2001
From: Victor Vrantchan
Date: Thu, 22 Dec 2016 12:08:29 -0500
Subject: [PATCH] prevent password reuse when changing passwords (#678)

For #375 Closes #448
---
 server/service/service_users.go | 11 ++++++++++-
 server/service/service_users_test.go | 11 +++++++++++
 2 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/server/service/service_users.go b/server/service/service_users.go
index 9118ba3834..8cf0568bdb 100644
--- a/server/service/service_users.go
+++ b/server/service/service_users.go
@@ -158,8 +158,12 @@ func (svc service) ChangePassword(ctx context.Context, oldPass, newPass string)
 return errNoContext
 }
+ if err := vc.User.ValidatePassword(newPass); err == nil {
+ return newInvalidArgumentError("new_password", "cannot reuse old password")
+ }
+
 if err := vc.User.ValidatePassword(oldPass); err != nil {
- return errors.Wrap(err, "password validation failed")
+ return newInvalidArgumentError("old_password", "old password does not match")
 }
 return errors.Wrap(svc.setNewPassword(ctx, vc.User, newPass), "setting new password")
@@ -175,6 +179,11 @@ func (svc service) ResetPassword(ctx context.Context, token, password string) er
 return errors.Wrap(err, "retrieving user")
 }
+ // prevent setting the same password
+ if err := user.ValidatePassword(password); err == nil {
+ return newInvalidArgumentError("new_password", "cannot reuse old password")
+ }
+
 err = svc.setNewPassword(ctx, user, password)
 if err != nil {
 return errors.Wrap(err, "setting new password")
diff --git a/server/service/service_users_test.go b/server/service/service_users_test.go
index f45765bdcd..3b7fc067ff 100644
--- a/server/service/service_users_test.go
+++ b/server/service/service_users_test.go
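Review bot: The new reuse check in ChangePassword runs before `oldPass` is verified, so a caller who holds a valid session but does not know the password can submit guesses as `newPass` with any `oldPass` and tell a hit (`cannot reuse old password`) from a miss (`old password does not match`) — a password-guessing oracle for a hijacked session, and the recovered plaintext is often reused elsewhere. Move the three-line `ValidatePassword(newPass)` block below the `if err := vc.User.ValidatePassword(oldPass); err != nil { return newInvalidArgumentError("old_password", "old password does not match") }` check so that nothing about the current password is disclosed until the caller has proven knowledge of it. Once the old password is verified, the reuse test could also be a plain `newPass == oldPass` comparison, which avoids a second hash verification per request if ValidatePassword is a bcrypt-style compare (the hunk does not show its implementation). ChangePassword's signature and the lookup that sets `vc` are above the hunk.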
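Review bot: ResetPassword now carries the same `ValidatePassword(candidate); err == nil` check and the same `"new_password"`/`"cannot reuse old password"` literal as ChangePassword, so the two are already drifting only in their comments and will drift further; a small unexported helper taking the user and the candidate password and returning the invalid-argument error would keep the rule and its wording in one place. The comment `// prevent setting the same password` could also state the check's limit, since only the current hash is consulted: `// Reject the current password; earlier passwords are not checked here.` The token lookup that produces `user` is above the hunk, so whether the reset token is consumed after a successful reset cannot be judged from this hunk.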
@@ -264,6 +264,12 @@ func TestChangePassword(t *testing.T) {
 oldPassword: "foobar",
 newPassword: "123cat!",
 },
+ { // prevent password reuse
+ user: users["admin1"],
+ oldPassword: "foobar",
+ newPassword: "foobar",
+ wantErr: &invalidArgumentError{invalidArgument{name: "new_password", reason: "cannot reuse old password"}},
+ },
 { // all good
 user: users["user1"],
 oldPassword: "foobar",
@@ -321,6 +327,11 @@ func TestResetPassword(t *testing.T) {
 token: "abcd",
 newPassword: "123cat!",
 },
+ { // prevent reuse
+ token: "abcd",
+ newPassword: "123cat!",
+ wantErr: &invalidArgumentError{invalidArgument{name: "new_password", reason: "cannot reuse old password"}},
+ },
 { // bad token
 token: "dcbaz",
 newPassword: "123cat!",
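Review bot: The new `prevent password reuse` case supplies the correct old password together with the repeated one, so nothing pins what happens when `oldPassword` is wrong and `newPassword` equals the current password — the exact probe an attacker holding a hijacked session would send. Add a sibling case, `{ user: users["admin1"], oldPassword: "wrong", newPassword: "foobar", wantErr: &invalidArgumentError{invalidArgument{name: "old_password", reason: "old password does not match"}} }`, so the test fails if the reuse check is ever allowed to answer before the old password has been verified. The table declaration and the loop that runs these cases lie outside the hunk.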
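Review bot: The new `prevent reuse` case replays token `"abcd"` with the same `"123cat!"` as the preceding case and expects a `new_password` error rather than a token error, so it can only pass if the earlier case's reset has already run against the same datastore and the token is still accepted after that successful reset. The first makes the table order-dependent, which deserves at least `// depends on the previous case having set "123cat!"` on the case; the second, if the production store behaves like the test one, means a reset token survives its use and should be consumed — worth a dedicated assertion that a second call with a spent token fails as a bad token. Table setup and the case loop are outside the hunk, so this is inferred from the visible cases only.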