MM-32013: Do not allow password change in /auth endpoint (#16770)

We were allowing the password to be reset without asking
for the old password. This was not advertised but was possible nevertheless
through the API.

Since there is already a separate API to change the password, we chose to remove
this functionality.

https://mattermost.atlassian.net/browse/MM-32013

```release-note
The /api/v4/users/me/auth API endpoint cannot be used to change the password anymore.
This was a hidden feature that was not documented, but was nevertheless possible.
We are just removing the hidden feature.
```

Co-authored-by: Mattermod <mattermod@users.noreply.github.com>
Agniva De Sarker
2021-01-22 09:58:08 +05:30
committed by GitHub
parent 1cb019c0d8
commit 1aae3444c0
4 changed files with 18 additions and 28 deletions


@@ -1398,6 +1398,11 @@ func updateUserAuth(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
if userAuth.AuthData == nil || *userAuth.AuthData == "" || userAuth.AuthService == "" {
c.Err = model.NewAppError("updateUserAuth", "api.user.update_user_auth.invalid_request", nil, "", http.StatusBadRequest)
return
}
if user, err := c.App.GetUser(c.Params.UserId); err == nil {
auditRec.AddMeta("user", user)
}
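Review bot: the new check only requires AuthData and AuthService to be present; nothing in the visible lines rejects a request that also carries a password, so a client still sending one gets a silent no-op rather than an error, which is at odds with the commit's stated goal of removing the hidden password-change path. If the UserAuth model still has a password field, consider returning the same "api.user.update_user_auth.invalid_request" error when it is non-empty, so the removed behaviour fails loudly and the i18n key (which must exist in the translation files for this error to render) is exercised by both cases. Separately, the early return sits before `auditRec.AddMeta("user", user)`, so if the audit record is logged on the way out, rejected attempts are recorded without the target user; moving the GetUser/AddMeta lines above the validation would keep the audit trail complete for the failure case too.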