'plugin::users-permissions.user', confirm current password?

pullbear12 · July 11, 2023, 12:55pm

System Information

Strapi Version:
Operating System:
Database:
Node Version:
NPM Version:
Yarn Version:

Afternoon,

I have successful built a change password form as part of my front-end web application using a Strapi ‘plugin::users-permissions.user’ plugin. As part of the change password process, I want to check to make sure the current password is correct. Does anyone know how I can achieve this.

const _ = require('lodash');

module.exports = (plugin) => {
  const getController = name => {
    return strapi.plugins['users-permissions'].controller(name);
  };

  // Create the new controller
  plugin.controllers.user.updateMe = async (ctx) => {
    const user = ctx.state.user;

    // User has to be logged in to update themselves
    if (!user) {
      return ctx.unauthorized();
    }

    // Pick only specific fields for security
    const newData = _.pick(ctx.request.body, ['email', 'username', 'password', 'confirmPassword', 'firstName', 'lastName', 'genderIdentity']);

    // Make sure there is no duplicate user with the same username
    if (newData.username) {
      const userWithSameUsername = await strapi
        .query('plugin::users-permissions.user')
        .findOne({ where: { username: newData.username } });

      if (userWithSameUsername && userWithSameUsername.id != user.id) {
        return ctx.badRequest('Username already taken');
      }
    }

    // Make sure there is no duplicate user with the same email
    if (newData.email) {
      const userWithSameEmail = await strapi
        .query('plugin::users-permissions.user')
        .findOne({ where: { email: newData.email.toLowerCase() } });

      if (userWithSameEmail && userWithSameEmail.id != user.id) {
        return ctx.badRequest('Email already taken');
      }
      newData.email = newData.email.toLowerCase();
    }

    // Check if user is changing password and make sure passwords match
    if (newData.password) {
      if (!newData.confirmPassword) {
        return ctx.badRequest('Missing password confirmation');
      } else if (newData.password !== newData.confirmPassword) {
        return ctx.badRequest('Passwords don\'t match')
      }
      delete newData.confirmPassword
    }

    // Reconstruct context so we can pass to the controller
    ctx.request.body = newData
    ctx.params = { id: user.id }

    // Update the user and return the sanitized data
    return await getController('user').update(ctx)
  };

  // Add the custom route
  plugin.routes['content-api'].routes.unshift({
    method: 'PUT',
    path: '/users/me',
    handler: 'user.updateMe',
    config: {
      prefix: ''
    }
  });

  return plugin;
};

Shekhar · July 11, 2023, 1:49pm

Hey @pullbear12, you can achieve that by using this:

Fetch the user existing password by filtering it using user_email or user_id from params.

const user = await strapi.db.query("plugin::users-permissions.user").findOne({
        where: { email: params.user_email.toLowerCase() },
});

Then use the below:

const validPassword = await strapi.plugins['users-permissions'].services.user.validatePassword(params.current_password, user.password);

This will return true if the current password matches.

Hope this helps you

pullbear12 · July 11, 2023, 2:22pm

Thank you for your reply.

Is this to be done within the strap-server.js file or the front-end?

Shekhar · July 12, 2023, 4:52am

Within the strapi-server.js