-rw-r--r--README.md15
-rw-r--r--TODO4
-rw-r--r--src/db.rs54
-rw-r--r--src/main.rs36
4 files changed, 77 insertions, 32 deletions
diff --git a/README.md b/README.md
index eafa655..0e45485 100644
--- a/README.md
+++ b/README.md
@@ -74,7 +74,7 @@
- JSON `"Not Authenticated"`
- POST `/user/delete`
- Request
- - JSON `{"id": "ID", "session": "SESSION_KEY"}`
+ - JSON `{"id": "ID", "session": "SESSION_KEY", "password": "PASSWORD"}`
- Response
- 200 Ok
- JSON `"Deleted"`
@@ -90,12 +90,15 @@
- 200 Ok
- 500 Internal Server Error
- JSON `"Could not complete transaction"`
-- POST `/user/update/info`
+- POST `/user/update/password`
- Request
- - JSON `{"id": "ID", "session": "SESSION_KEY", "name": "USERNAME", "old_password": "PASSWORD", "new_password": "PASSWORD"}`
+ - JSON `{"id": "ID", "session": "SESSION_KEY", "old_password": "PASSWORD", "new_password": "PASSWORD"}`
+ - Response
+ - 200 Ok
+ - 500 Internal Server Error`
+- POST `/user/update/name`
+ - Request
+ - JSON `{"id": "ID", "session": "SESSION_KEY", "name": "USERNAME"}`
- Response
- 200 Ok
- - 401 Unauthorized
- - JSON `"Not Authenticated"`
- - 400 Bad Request
- 500 Internal Server Error` \ No newline at end of file
diff --git a/TODO b/TODO
index 0a26a28..724d4a5 100644
--- a/TODO
+++ b/TODO
@@ -5,4 +5,6 @@ Config
Trade Requests
Admin
Admin create registration key
-Registration keys \ No newline at end of file
+Registration keys
+Admin user recovery
+user recovery \ No newline at end of file
diff --git a/src/db.rs b/src/db.rs
index ba86b91..053142a 100644
--- a/src/db.rs
+++ b/src/db.rs
@@ -64,8 +64,8 @@ impl User {
self.name = new_name;
}
- fn update_password(&mut self, old_password: String, new_password: String) -> Result<(), String> {
- if User::hash(&old_password) == self.hashed_password {
+ fn update_password(&mut self, old_password: &String, new_password: &String) -> Result<(), String> {
+ if self.same_password(old_password) {
self.hashed_password = User::hash(&new_password);
return Ok(());
} else {
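Review bot: `update_password` accepts any `new_password` once the old one matches, including the empty string, which then becomes the account's password; a minimal guard before the assignment would be `if new_password.is_empty() { return Err("Invalid new password".into()); }`. The `&String` parameters introduced here would be more idiomatic as `&str` (with `hash` taking `&str` as well), which also removes the double reference in `User::hash(&new_password)`. The function's else branch continues outside this hunk.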
@@ -73,6 +73,10 @@ impl User {
}
}
+ fn same_password(&self, password: &String) -> bool {
+ User::hash(password) == self.hashed_password
+ }
+
fn hash(t: &String) -> String {
let hashed = Sha256::digest(&t);
let hashed = base16ct::lower::encode_string(&hashed);
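Review bot: `same_password` compares a single unsalted SHA-256 digest (`Sha256::digest` in `hash`, visible in this hunk) to the stored value with `String ==`, which is not a password-hashing construction: identical passwords yield identical stored hashes, a fast hash makes offline guessing cheap if the store leaks, and the comparison is not constant-time. Since this helper is now on the path for password change and, per the `delete_user` change in this commit, account deletion, it is the place to switch to a salted, slow KDF (Argon2, scrypt or bcrypt with a per-user salt) and to compare digest bytes with a constant-time equality. That needs a new dependency and a migration of existing `hashed_password` values, so it is a follow-up rather than a one-line fix, but it should be tracked. `hash` continues outside this hunk.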
@@ -202,10 +206,9 @@ impl DB {
Err("User Not Found".into())
}
- pub async fn update_user(&mut self, id: UID, session: &String, name: String, old_password: String, new_password: String) -> Result<(), String> {
+ pub async fn update_user_password(&mut self, id: UID, session: &String, old_password: &String, new_password: &String) -> Result<(), String> {
self.get_user_authenticated(id, session).await?;
let user = self.get_mut_user(id).await?;
- user.update_name(name);
user.update_password(old_password, new_password)?;
self.save().await?;
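Review bot: `update_user_password` replaces the hash but leaves every existing session for `id` valid, so a holder of a stolen session token keeps access after the legitimate user rotates their password. If sessions are tracked per user — the route list in main.rs includes `logout_all`, which suggests they are — the method should revoke all sessions other than the current one after `user.update_password(old_password, new_password)?` succeeds and before `self.save()`, reusing whatever `logout_all` calls. I cannot see the session store from this hunk, so the exact call is for the author to confirm.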
@@ -213,6 +216,16 @@ impl DB {
Ok(())
}
+ pub async fn update_user_name(&mut self, id: UID, session: &String, name: &String) -> Result<(), String> {
+ self.get_user_authenticated(id, session).await?;
+ let user = self.get_mut_user(id).await?;
+ user.update_name(name.clone());
+
+ self.save().await?;
+
+ Ok(())
+ }
+
pub async fn get_user_authenticated(&self, id: UID, session: &String) -> Result<&User, String> {
match self.get_user(id) {
Ok(u) => {
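Review bot: `update_user_name` persists `name` with no validation, so an empty, whitespace-only or arbitrarily long name is accepted; a guard before `get_mut_user`, e.g. `if name.trim().is_empty() { return Err("Invalid name".into()); }`, would close the obvious case, and a length cap is worth considering since the value is written to the on-disk store by `save`. Taking `name: &str` instead of `&String` and passing `name.to_owned()` to `update_name` is the idiomatic signature. `get_user_authenticated` begins in this hunk but its body continues outside it.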
@@ -316,20 +329,25 @@ impl DB {
r
}
- pub async fn delete_user(&mut self, id: UID, session: &String) -> Result<String, String> {
- self.users = self.users.clone().into_iter().filter(|u| !u.authenticate(session) && id != u.id).collect();
- self.uid_generator.delete_uid(id);
-
- // Validate
- let r = match self.get_user(id) {
- Ok(_) => Err("Could not delete".into()),
- Err(_) => {
- Ok("Deleted".into())
- },
- };
-
- let _ = self.save().await;
- r
+ pub async fn delete_user(&mut self, id: UID, session: &String, password: &String) -> Result<String, String> {
+ let u = self.get_user(id)?;
+ if u.same_password(password) {
+ self.users = self.users.clone().into_iter().filter(|u| !u.authenticate(session) && id != u.id).collect();
+ self.uid_generator.delete_uid(id);
+
+ // Validate
+ let r = match self.get_user(id) {
+ Ok(_) => Err("Could not delete".into()),
+ Err(_) => {
+ Ok("Deleted".into())
+ },
+ };
+
+ let _ = self.save().await;
+ r
+ } else {
+ return Err("Password does not match".into())
+ }
}
pub async fn transfer(&mut self, from: UID, to: UID, session: &String, color: Color, amount: usize) -> Result<(), String> {
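Review bot: The new `delete_user` never verifies that `session` belongs to `id`: `self.get_user(id)?` performs no authentication, and the retained filter `!u.authenticate(session) && id != u.id` drops the user whose id matches regardless of whether the session is valid, so anyone who knows or guesses a user's password can delete that account with an arbitrary `session` value, and any other user whose session token happens to equal the supplied string is deleted too. The sibling `update_user_password` and `update_user_name` methods in this file call `get_user_authenticated(id, session)` first; `delete_user` should do the same and then remove only the authenticated user. `delete_uid(id)` is still called before the deletion is validated, which the commit inherits from the old code. A rewrite of the guard and filter:
```rust
pub async fn delete_user(&mut self, id: UID, session: &String, password: &String) -> Result<String, String> {
    // Require a valid session for `id` *and* the account password before deleting.
    let u = self.get_user_authenticated(id, session).await?;
    if !u.same_password(password) {
        return Err("Password does not match".into());
    }
    // Remove only this user; no other account is ever touched.
    self.users.retain(|u| u.id != id);
    self.uid_generator.delete_uid(id);
    // … unchanged: validation via get_user, save, return …
}
```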
diff --git a/src/main.rs b/src/main.rs
index 6b0ecec..8ddd853 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -174,27 +174,48 @@ async fn get_sessions(data: Json<LogoutForm>, db: &State<Mutex<DB>>) -> (Status,
}
}
+#[derive(Deserialize)]
+struct DeleteForm {
+ id: UID,
+ session: String,
+ password: String,
+}
+
#[post("/delete", data="<data>", format="json")]
-async fn delete(data: Json<LogoutForm>, db: &State<Mutex<DB>>) -> (Status, Result<Json<String>, Json<String>>) {
+async fn delete(data: Json<DeleteForm>, db: &State<Mutex<DB>>) -> (Status, Result<Json<String>, Json<String>>) {
let mut db = db.lock().await;
- match db.delete_user(data.id, &data.session).await {
+ match db.delete_user(data.id, &data.session, &data.password).await {
Ok(n) => (Status::Ok, Ok(n.into())),
Err(n) => (Status::Unauthorized, Err(n.into())),
}
}
#[derive(Deserialize)]
-struct UpdateForm {
+struct UpdateNameForm {
id: UID,
session: String,
name: String,
+}
+#[derive(Deserialize)]
+struct UpdatePasswordForm {
+ id: UID,
+ session: String,
old_password: String,
new_password: String,
}
-#[post("/update/info", data="<data>", format="json")]
-async fn update_user(data: Json<UpdateForm>, db: &State<Mutex<DB>>) -> (Status, Result<(), Json<String>>) {
+#[post("/name", data="<data>", format="json")]
+async fn update_password(data: Json<UpdateNameForm>, db: &State<Mutex<DB>>) -> (Status, Result<(), Json<String>>) {
+ let mut db = db.lock().await;
+ match db.update_user_name(data.id, &data.session, &data.name).await {
+ Ok(_) => (Status::Ok, Ok(())),
+ Err(n) => (Status::InternalServerError, Err(n.into()))
+ }
+}
+
+#[post("/password", data="<data>", format="json")]
+async fn update_name(data: Json<UpdatePasswordForm>, db: &State<Mutex<DB>>) -> (Status, Result<(), Json<String>>) {
let mut db = db.lock().await;
- match db.update_user(data.id, &data.session, data.name.clone(), data.old_password.clone(), data.new_password.clone()).await {
+ match db.update_user_password(data.id, &data.session, &data.old_password, &data.new_password).await {
Ok(_) => (Status::Ok, Ok(())),
Err(n) => (Status::InternalServerError, Err(n.into()))
}
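Review bot: Both new update handlers map every `Err` from the DB layer to `Status::InternalServerError`, including the "Not Authenticated" result of `get_user_authenticated` and a wrong `old_password`, so a client cannot tell a rejected credential from a server fault and the 401 the README previously documented for this endpoint is no longer produced; `delete` in the same hunk maps its errors to `Status::Unauthorized`, and the name/password handlers should at least do the same for authentication failures, e.g. `Err(n) => (Status::Unauthorized, Err(n.into()))`, or distinguish the cases if the DB layer can return a typed error. Separately, the function names are swapped relative to their routes — `update_password` is mounted at `/name` and takes `UpdateNameForm`, while `update_name` is mounted at `/password` with `UpdatePasswordForm` — which compiles and routes correctly but will mislead the next reader; swap the two `fn` names. The enclosing `get_sessions` function starts before this hunk.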
@@ -234,7 +255,8 @@ fn rocket() -> _ {
rocket::build().manage(Mutex::new(DB::load(Config::new())))
.mount("/", routes![index])
- .mount("/user", routes![login, get_users_by_name, get_user_authenticated, get_user, new_user, get_all_users, logout, logout_all, get_sessions, delete, update_user])
+ .mount("/user", routes![login, get_users_by_name, get_user_authenticated, get_user, new_user, get_all_users, logout, logout_all, get_sessions, delete])
+ .mount("/user/update", routes![update_name, update_password])
.mount("/transfer", routes![transfer_out])
.attach(cors)
} \ No newline at end of file