commit 77d032f8a1d56c6fd6c01c212459b432c6f20699
parent 44deb37f196fc5e60de04f737b64793426a5ab46
Author: Antoine A <>
Date: Wed, 8 Oct 2025 15:22:47 +0200
Check password before 2FA
Diffstat:
2 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/bank/src/main/kotlin/tech/libeufin/bank/db/AccountDAO.kt b/bank/src/main/kotlin/tech/libeufin/bank/db/AccountDAO.kt
@@ -423,10 +423,10 @@ class AccountDAO(private val db: Database) {
Triple(it.getLong(1), it.getString(2), it.getBoolean(3))
} ?: return@serializableTransaction AccountPatchAuthResult.UnknownAccount
}
- if (tanRequired) {
- AccountPatchAuthResult.TanRequired
- } else if (oldPw != null && !pwCrypto.checkpw(oldPw, currentPwh).match) {
+ if (oldPw != null && !pwCrypto.checkpw(oldPw, currentPwh).match) {
AccountPatchAuthResult.OldPasswordMismatch
+ } else if (tanRequired) {
+ AccountPatchAuthResult.TanRequired
} else {
val newPwh = pwCrypto.hashpw(newPw.pw)
conn.withStatement("UPDATE customers SET password_hash=?, token_creation_counter=0 WHERE customer_id=?") {
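Review bot: With the password check now ahead of the 2FA gate, a caller who already holds a valid session can tell `OldPasswordMismatch` from `TanRequired` without completing the TAN challenge, which makes this branch a yes/no oracle for guessing the old password; before this change a TAN-protected account answered `TanRequired` regardless of the submitted password. If that trade-off is intended (no TAN challenge issued for a wrong password), state it on the branch and make sure these failures are counted like login failures, e.g. `// Old password is verified before the TAN gate so a wrong password never triggers a TAN challenge; count failures here as with login.` The `oldPw != null` guard still skips password verification entirely when no old password is supplied — presumably an admin path — and that exemption deserves a comment now that the 2FA branch follows it. The enclosing serializableTransaction starts and ends outside the hunk.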
diff --git a/bank/src/test/kotlin/CoreBankApiTest.kt b/bank/src/test/kotlin/CoreBankApiTest.kt
@@ -1127,6 +1127,15 @@ class CoreBankAccountsApiTest {
"new_password" to "new-password"
}
}.assertNoContent()
+
+
+ // Check 2FA after password check
+ client.patchA("/accounts/customer/auth") {
+ json {
+ "old_password" to "password"
+ "new_password" to "new-password"
+ }
+ }.assertConflict(TalerErrorCode.BANK_PATCH_BAD_OLD_PASSWORD)
}
// PATCH /accounts/USERNAME/auth