1 files changed, 135 insertions, 0 deletions
diff --git a/meta-openbmc-mods/meta-common/recipes-phosphor/webui/webui-vue/0001-Old-password-input-in-change-password-screen.patch b/meta-openbmc-mods/meta-common/recipes-phosphor/webui/webui-vue/0001-Old-password-input-in-change-password-screen.patch
new file mode 100644
index 000000000..313ba9387
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-phosphor/webui/webui-vue/0001-Old-password-input-in-change-password-screen.patch
@@ -0,0 +1,135 @@
+From 9da7bafdcee1bd022b7e47eecf704eb799b389e8 Mon Sep 17 00:00:00 2001
+From: Yaswanth Reddy M <yaswanthx.reddy.munukuru@intel.com>
+Date: Wed, 17 May 2023 10:47:56 +0000
+Subject: [PATCH] Old password input in change password screen
+
+When the user changed their password in profile settings, to prevent
+XSS attacks, I added the current password input field to authenticate
+the user.
+
+Once the authentication had success with the current password, then
+allowing the update was possible. After the password is changed
+successfully, all the sessions of the user who changed the password
+will be disconnected, including the current session. and the current
+session will navigate to the login page.
+
+Signed-off-by: Yaswanth Reddy M <yaswanthx.reddy.munukuru@intel.com>
+---
+ src/locales/en-US.json                        |  4 +-
+ src/views/ProfileSettings/ProfileSettings.vue | 54 +++++++++++++++++--
+ 2 files changed, 53 insertions(+), 5 deletions(-)
+
+diff --git a/src/locales/en-US.json b/src/locales/en-US.json
+index 637f052..8d98abb 100644
+--- a/src/locales/en-US.json
++++ b/src/locales/en-US.json
+@@ -617,6 +617,7 @@
+     "confirmPassword": "Confirm new password",
+     "defaultUTC": "Default (UTC)",
+     "newPassword": "New password",
++    "currentPassword": "Current password",
+     "newPassLabelTextInfo": "Password must be between %{min} - %{max} characters",
+     "passwordsDoNotMatch": "Passwords do not match",
+     "profileInfoTitle": "Profile information",
+@@ -625,7 +626,8 @@
+     "timezoneDisplayDesc": "Select how time is displayed throughout the application",
+     "username": "Username",
+     "toast": {
+-      "successSaveSettings": "Successfully saved account settings."
++      "successSaveSettings": "Successfully saved account settings.",
++      "wrongCredentials": "Wrong credentials"
+     }
+   },
+   "pageNetwork": {
+diff --git a/src/views/ProfileSettings/ProfileSettings.vue b/src/views/ProfileSettings/ProfileSettings.vue
+index 35fc800..330fd4a 100644
+--- a/src/views/ProfileSettings/ProfileSettings.vue
++++ b/src/views/ProfileSettings/ProfileSettings.vue
+@@ -23,6 +23,21 @@
+           <page-section
+             :section-title="$t('pageProfileSettings.changePassword')"
+           >
++            <b-form-group
++              id="input-group-0"
++              :label="$t('pageProfileSettings.currentPassword')"
++              label-for="input-0"
++            >
++              <input-password-toggle>
++                <b-form-input
++                  id="old-password"
++                  v-model="form.currentPassword"
++                  type="password"
++                  data-test-id="profileSettings-input-ocurrentPassword"
++                  class="form-control-with-button"
++                />
++              </input-password-toggle>
++            </b-form-group>
+             <b-form-group
+               id="input-group-1"
+               :label="$t('pageProfileSettings.newPassword')"
+@@ -151,6 +166,7 @@ export default {
+       form: {
+         newPassword: '',
+         confirmPassword: '',
++        currentPassword: '',
+         isUtcDisplay: this.$store.getters['global/isUtcDisplay'],
+       },
+     };
+@@ -198,9 +214,12 @@ export default {
+       this.$store
+         .dispatch('userManagement/updateUser', userData)
+         .then((message) => {
+-          (this.form.newPassword = ''), (this.form.confirmPassword = '');
++          (this.form.newPassword = ''),
++            (this.form.confirmPassword = ''),
++            (this.form.currentPassword = '');
+           this.$v.$reset();
+           this.successToast(message);
++          this.$store.dispatch('authentication/logout');
+         })
+         .catch(({ message }) => this.errorToast(message));
+     },
+@@ -212,10 +231,37 @@ export default {
+       );
+     },
+     submitForm() {
+-      if (this.form.confirmPassword || this.form.newPassword) {
+-        this.saveNewPasswordInputData();
++      if (
++        this.form.confirmPassword &&
++        this.form.newPassword &&
++        this.form.currentPassword
++      ) {
++        this.confirmAuthenticate();
+       }
+-      this.saveTimeZonePrefrenceData();
++      if (
++        this.$store.getters['global/isUtcDisplay'] != this.form.isUtcDisplay
++      ) {
++        this.saveTimeZonePrefrenceData();
++      }
++    },
++    confirmAuthenticate() {
++      this.$v.form.newPassword.$touch();
++      if (this.$v.$invalid) return;
++
++      const username = this.username;
++      const password = this.form.currentPassword;
++
++      this.$store
++        .dispatch('authentication/login', { username, password })
++        .then(() => {
++          this.saveNewPasswordInputData();
++        })
++        .catch(() => {
++          this.$v.$reset();
++          this.errorToast(
++            this.$t('pageProfileSettings.toast.wrongCredentials')
++          );
++        });
+     },
+   },
+ };
+-- 
+2.25.1
+