Hey, I was just looking through your code. I noticed that you have a verify_password function and a change_password function.
It would probably be more ideal from a security perspective if you called the verify_password function inside the change_password function. This will allow you to reuse your change_password function (when you start to implement multiple ways to access the system, i.e. website, terminal, etc.). It'll prevent you from forgetting to add a verification into every implementation.
I noticed when you create a new user, you use the change_password function as well here:
https://github.com/MTRNord/erooster/blob/b7c1da4c3fba816b3fc25e94a92d2b7826b283ac/src/cmds/eroosterctl.rs#L270
If you wanted to refactor it, you could add the password field to your add_user SQL query/function, then add in a current_password parameter to your change_password function, and then call verify_password inside change_password.
After all, it makes more sense, since you aren't 'changing' a password that hasn't been set.
I hope that makes sense. This is an interesting project and I'd be happy to contribute if you're accepting PRs.
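The refactor suggested above, as an added sketch that is not part of the original comment or of erooster's code. `Users`, `AuthError` and `digest` are hypothetical names, the in-memory map stands in for the SQL users table, and `digest` is a dependency-free placeholder for a real salted password hash.

```rust
use std::collections::{hash_map::DefaultHasher, HashMap};
use std::hash::{Hash, Hasher};

#[derive(Debug, PartialEq)]
pub enum AuthError { UserExists, InvalidCredentials }

/// Hypothetical in-memory store standing in for the SQL users table.
#[derive(Default)]
pub struct Users { hashes: HashMap<String, u64> }

// Placeholder so the example has no dependencies (assumption): a real store
// would use a salted password hash such as Argon2 and a constant-time compare.
fn digest(username: &str, password: &str) -> u64 {
    let mut h = DefaultHasher::new();
    (username, password).hash(&mut h);
    h.finish()
}

impl Users {
    /// Creation sets the initial password itself; nothing is being "changed".
    pub fn add_user(&mut self, username: &str, password: &str) -> Result<(), AuthError> {
        if self.hashes.contains_key(username) {
            return Err(AuthError::UserExists);
        }
        self.hashes.insert(username.to_string(), digest(username, password));
        Ok(())
    }

    /// Unknown users and wrong passwords both come back as `false`.
    pub fn verify_password(&self, username: &str, password: &str) -> bool {
        self.hashes.get(username) == Some(&digest(username, password))
    }

    /// The check lives here, so every caller (CLI, web, ...) gets it for free.
    pub fn change_password(&mut self, username: &str, current: &str, new: &str) -> Result<(), AuthError> {
        if !self.verify_password(username, current) {
            return Err(AuthError::InvalidCredentials);
        }
        self.hashes.insert(username.to_string(), digest(username, new));
        Ok(())
    }
}

fn main() {
    let mut users = Users::default();
    users.add_user("alice", "old-pw").unwrap();
    println!("{:?}", users.change_password("alice", "guess", "new-pw"));
    println!("{:?}", users.change_password("alice", "old-pw", "new-pw"));
}
```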