Enhance password handling in BaseAuthController

Vadim Belov · Vadim Belov · commit 86f37f60e039 · 2025-10-24T12:34:14.000-07:00
Added logic to handle users who have never set a password by introducing the `CanSetPasswordIfNeverHadAsync` method. Updated the `ChangePassword` method to check this condition and provide more specific error messages. Improved password verification logic to return an "Unauthorized" error for incorrect current passwords. Added XML documentation for the new method while retaining existing documentation for `GetUserRolesAsync`.
diff --git a/Sources/EasyExtensions.AspNetCore.Authorization/Controllers/BaseAuthController.cs b/Sources/EasyExtensions.AspNetCore.Authorization/Controllers/BaseAuthController.cs
@@ -44,14 +44,18 @@ public async Task<IActionResult> ChangePassword([FromBody] ChangePasswordRequest
         {
             Guid userId = User.GetUserId();
             string? phc = await FindUserPhcAsync(userId);
-            if (string.IsNullOrWhiteSpace(phc))
+            bool canSetIfNeverHad = await CanSetPasswordIfNeverHadAsync(userId);
+            if (string.IsNullOrWhiteSpace(phc) && !canSetIfNeverHad)
             {
-                return this.ApiNotFound("User not found");
+                return this.ApiNotFound("User or password does not exist");
             }
-            bool isValidPassword = _passwordHasher.Verify(request.CurrentPassword, phc);
-            if (!isValidPassword)
+            if (!string.IsNullOrWhiteSpace(phc))
             {
-                return this.ApiBadRequest("Invalid current password");
+                bool isValidPassword = _passwordHasher.Verify(request.CurrentPassword, phc);
+                if (!isValidPassword)
+                {
+                    return this.ApiUnauthorized("Current password is incorrect");
+                }
             }
             string newPhc = _passwordHasher.Hash(request.NewPassword);
             await SetUserPasswordPhcAsync(userId, newPhc);
@@ -224,6 +228,15 @@ public async Task<IActionResult> LoginWithGoogle([FromQuery] string token)
         /// roles.</returns>
         public abstract Task<IEnumerable<string>> GetUserRolesAsync(Guid userId);
 
+        /// <summary>
+        /// Determines whether a password can be set for the specified user if the user has never previously set a
+        /// password.
+        /// </summary>
+        /// <param name="userId">The unique identifier of the user to evaluate. This value must correspond to an existing user.</param>
+        /// <returns>A task that represents the asynchronous operation. The task result is <see langword="true"/> if the user is
+        /// eligible to set a password for the first time; otherwise, <see langword="false"/>.</returns>
+        public abstract Task<bool> CanSetPasswordIfNeverHadAsync(Guid userId);
+
         /// <summary>
         /// Handles logic to be executed after a user has changed their password.
         /// </summary>
