From 443c25c09bad74fb6a304aff54f5de163830bf70 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lera=20Elvo=C3=A9?=
Date: Fri, 4 Jul 2025 18:45:53 +0300
Subject: [PATCH] re-add changing password
---
 app/routes/users.py | 36 ++++++++++++++++++++++++++++++-
 app/templates/users/settings.html | 7 ++++++
 2 files changed, 42 insertions(+), 1 deletion(-)
diff --git a/app/routes/users.py b/app/routes/users.py
index e9837bb..318ecd6 100644
--- a/app/routes/users.py
+++ b/app/routes/users.py
@@ -9,6 +9,7 @@ from ..constants import InfoboxKind, PermissionLevel
 from ..auth import digest, verify
 from wand.image import Image
 from wand.exceptions import WandException
+from datetime import datetime, timedelta
 import secrets
 import time
 import re
@@ -64,7 +65,18 @@ def create_session(user_id):
 return Sessions.create({
 "key": secrets.token_hex(16),
 "user_id": user_id,
- "expires_at": int(time.time()) + 32 * 24 * 60 * 60,
+ "expires_at": int(time.time()) + 31 * 24 * 60 * 60,
+ })
+
+def extend_session(user_id):
+ session_obj = Sessions.find({'key': session['pyrom_session_key']})
+ if not session_obj:
+ return
+ new_duration = timedelta(31)
+ current_app.permanent_session_lifetime = new_duration
+ session.modified = True
+ session_obj.update({
+ 'expires_at': int(time.time()) + 31 * 24 * 60 * 60
 })
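Review bot: extend_session never uses its user_id argument and finds the row by the cookie value alone, and `session['pyrom_session_key']` raises KeyError when the key is absent; binding the lookup to the user, `Sessions.find({'key': session.get('pyrom_session_key'), 'user_id': user_id})`, addresses both, assuming find() returns nothing for a missing key. Assigning `current_app.permanent_session_lifetime` inside a request changes the cookie lifetime for the whole application rather than for this user, so it belongs in app setup. The 31-day figure now appears three times in two forms (`timedelta(31)` and `31 * 24 * 60 * 60`); one module constant would keep the cookie and the database row in step. The `datetime` name imported in the first hunk is not used by any line shown in this patch.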
@@ -307,6 +319,28 @@ def set_avatar(username):
 return redirect(url_for('.settings', user.username))
+@bp.post('//change_password')
+@login_required
+def change_password(username):
+ user = get_active_user()
+ password = request.form.get('new_password')
+ password2 = request.form.get('new_password2')
+
+ if not validate_password(password):
+ flash("Invalid password.", InfoboxKind.ERROR)
+ return redirect(url_for('.settings', username=user.username))
+
+ if password != password2:
+ flash("Passwords do not match.", InfoboxKind.ERROR)
+ return redirect(url_for('.settings', username=user.username))
+
+ hashed = digest(password)
+ user.update({'password_hash': hashed})
+ extend_session(user.id)
+ flash('Password updated.', InfoboxKind.INFO)
+ return redirect(url_for('.settings', username=user.username))
+
+
 @bp.post('//clear_avatar')
 @login_required
 def clear_avatar(username):
diff --git a/app/templates/users/settings.html b/app/templates/users/settings.html
index 1410745..40a885f 100644
--- a/app/templates/users/settings.html
+++ b/app/templates/users/settings.html
@@ -28,5 +28,12 @@
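Review bot: change_password stores a new hash for any request that carries a valid session, without asking for the current password, so a hijacked or unattended session is enough to take the account over for good. The handler should read a current-password field and check it with the already-imported `verify` before calling `digest`. After the update only the current session is extended, so the user's other Sessions rows stay valid and a password change made to evict someone else does not evict them. `request.form.get` returns None for a missing field, and whether validate_password copes with that is not visible in this hunk. CSRF protection for this POST cannot be judged here because the form markup in settings.html is not shown on the page.

```python
def change_password(username):
    user = get_active_user()
    # 'current_password' is a new form field; settings.html needs a matching input
    current = request.form.get('current_password', '')
    password = request.form.get('new_password', '')
    password2 = request.form.get('new_password2', '')

    # NOTE: verify()'s argument order and the password_hash attribute are not
    # visible in this hunk; confirm both against app/auth and the user model
    if not verify(user.password_hash, current):
        flash("Current password is incorrect.", InfoboxKind.ERROR)
        return redirect(url_for('.settings', username=user.username))

    # … unchanged: validate_password and password/password2 match checks …
    # … unchanged: digest(password) and user.update …

    # TODO: remove this user's other Sessions rows here, before the current
    # session is extended (no delete helper is visible in this patch)

    # … unchanged: extend_session, flash, redirect …
```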
+
+
+
+
+
+ +
{% endblock %}