riperiperi / FreeSO

Re-implementation of The Sims Online.
http://freeso.org
Mozilla Public License 2.0
833 stars 97 forks

[API] Change password fails on old password check #106

Open haffmans opened 6 years ago

haffmans commented 6 years ago

The Change Password API ('/userapi/password') doesn't properly validate the old password. It calls the PasswordHasher.Hash directly (which generates a hash with a new salt), rather than PasswordHasher.Verify.

See RegistrationController.cs line 380:

// Hash() draws a fresh random salt, so this value can never equal the stored hash
var old_password_hash = PasswordHasher.Hash(model.old_password);

if (old_password_hash.data != da.Users.GetAuthenticationSettings(user.user_id).data)
...

I assume this should instead be similar to the AuthLoginController's method of validating the password:

// Verify() re-derives the hash using the salt and scheme stored for this user
var authSettings = db.Users.GetAuthenticationSettings(user.user_id);
var isPasswordCorrect = PasswordHasher.Verify(model.old_password, new PasswordHash
{
    data = authSettings.data,
    scheme = authSettings.scheme_class
});
if (!isPasswordCorrect)
...
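The difference between the two checks, as an added example in Python that is not FreeSO's code: a hypothetical stand-in hasher with the same shape as the PasswordHasher calls above (a new salt on every hash, the salt recovered from the stored value on verify), showing why re-hashing the old password never matches the stored record while verifying it does.

```python
import hashlib
import hmac
import os
from typing import Optional

# Hypothetical stand-in for a salted password hasher (not the project's code).
# Stored format: "<scheme>$<salt hex>$<digest hex>".
SCHEME = "pbkdf2-sha256"
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Hash with a freshly drawn random salt unless one is supplied."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{SCHEME}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the digest with the salt taken from the stored hash, compare in constant time."""
    scheme, salt_hex, digest_hex = stored.split("$")
    if scheme != SCHEME:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def old_password_check_broken(old_password: str, stored: str) -> bool:
    """The pattern the issue reports: hash again (new salt) and compare the strings."""
    return hash_password(old_password) == stored


def old_password_check_fixed(old_password: str, stored: str) -> bool:
    """The pattern the issue proposes: let the verifier reuse the stored salt."""
    return verify_password(old_password, stored)
```

With a 16-byte random salt the broken check rejects the correct old password every time in practice, so the endpoint is unusable rather than insecure; the fixed check accepts the right password and rejects the wrong one.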
riperiperi commented 6 years ago

Good catch, this one was added by Sim for his http://beta.freeso.org web interface, so I never really had much reason to test it out. Should be fixed next commit, though I think this stuff needs an extra pass anyways.