
Add tests for /reset/mail endpoint + fix bug (#2641)

The Argon2id check didn't work due to permission issues
Jaap Marcus 3 years ago
parent
commit
009d834d93
3 changed files with 73 additions and 5 deletions
  1. 55 0
      bin/v-check-mail-account-hash
  2. 12 0
      test/test.bats
  3. 6 5
      web/reset/mail/index.php

+ 55 - 0
bin/v-check-mail-account-hash

@@ -0,0 +1,55 @@
+#!/bin/bash
+# info: check user password
+# options: TYPE PASSWORD HASH
+#
+# example: v-check-mail-account-hash ARGONID2 PASS HASH 
+#
+# This function verifies email account password hash
+
+#----------------------------------------------------------#
+#                Variables & Functions                     #
+#----------------------------------------------------------#
+
+# Argument definition
+type=$1
+password=$2; HIDE=2
+hash=$3; HIDE=2
+
+# Includes
+# shellcheck source=/etc/hestiacp/hestia.conf
+source /etc/hestiacp/hestia.conf
+# shellcheck source=/usr/local/hestia/func/main.sh
+source $HESTIA/func/main.sh
+# load config file
+source_conf "$HESTIA/conf/hestia.conf"
+
+#----------------------------------------------------------#
+#                    Verifications                         #
+#----------------------------------------------------------#
+
+check_args '3' "$#" 'TYPE PASS HASH'
+
+is_password_valid
+
+#----------------------------------------------------------#
+#                       Action                             #
+#----------------------------------------------------------#
+
+if [ "$type" = "ARGONID2" ]; then
+    match=$(doveadm pw -s ARGON2ID -p $password -t $hash | grep "verified");
+    if [ -n "$match" ]; then
+        exit 0;
+    else
+        echo $match;
+        exit 2;
+    fi
+else
+    echo "Not supported"
+    exit 2;
+fi
+
+#----------------------------------------------------------#
+#                       Hestia                             #
+#----------------------------------------------------------#
+
+exit
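Review bot: On the `doveadm pw` line, `$password` and `$hash` are expanded unquoted, so a password containing whitespace or glob characters is split or expanded into several arguments; valid passwords then fail verification and the extra words are handed to doveadm as separate arguments. Quote both: `match=$(doveadm pw -s ARGON2ID -p "$password" -t "$hash" | grep "verified")`. The `echo $match` in the failure branch can only print an empty line, because that branch is reached only when `$match` is empty. Passing the password with `-p` also puts it in the process argument list for the duration of the call, which deserves a comment if it cannot be avoided. What `is_password_valid` rejects is defined outside this file, so it should not be relied on as the only guard.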

+ 12 - 0
test/test.bats

@@ -1475,6 +1475,18 @@ function check_ip_not_banned(){
     assert_failure $E_EXISTS
 }
 
+@test "MAIL: change mail account password" {
+  run curl -k -X POST -d "email=test@$domain&password=$userpass2&new=123456" https://localhost:8083/reset/mail/ 
+  assert_success
+  assert_output --partial "==ok=="
+}
+
+@test "MAIL: change mail account password (Incorrect PW)" {
+  run curl -k -X POST -d "email=test@$domain&password=$userpass2&new=123456" https://localhost:8083/reset/mail/ 
+  assert_success
+  assert_output --partial "error"
+}
+
 @test "MAIL: Delete account" {
     run v-delete-mail-account $user $domain test
     assert_success
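Review bot: The "Incorrect PW" test posts exactly the same body as the test before it and only gets an error because that earlier test has already changed the password to `123456`, so its result depends on execution order rather than on the request it sends. Make the intent explicit by sending a value that can never be the current password, for example `password=wrong-$userpass2` (constructed value) in the second `curl -d` string, or at least add `# relies on the previous test having changed the password`. `assert_output --partial "error"` would also match an unrelated error page, so asserting on the endpoint's specific failure text would be tighter. The values are interpolated into the form body without URL encoding; `--data-urlencode` would be safer if `$userpass2` can contain `&` or `+`.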

+ 6 - 5
web/reset/mail/index.php

@@ -148,11 +148,12 @@ if ((!empty($_POST['email'])) && (!empty($_POST['password'])) && (!empty($_POST[
         $n_hash = '{MD5}'.$n_hash;
         }else{
             $v_password = escapeshellarg($v_password);
-            exec("doveadm pw -s ARGON2ID -p $v_password -t '$v_hash'", $output, $return_var);
-            if ($return_var == 0) {
-                if (strpos($output, "(verified)") !== 0){
-                    $n_hash = $v_hash;
-                }
+            $s_hash = escapeshellarg($v_hash);
+            exec(HESTIA_CMD."v-check-mail-account-hash ARGONID2 ". $v_password ." ". $s_hash, $output, $return_var);
+            if($return_var != 0){
+                $n_hash = '';
+            }else{
+                $n_hash = $v_hash;
             }
         }
         // Change password
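Review bot: Verification failure is signalled here by setting `$n_hash = ''`, which is only safe if the comparison that follows this hunk can never see an empty `$v_hash`. The comparison itself is outside the visible lines, so this is an assumption to confirm. If `$v_hash` could be empty (for instance when no stored hash was found), an empty sentinel compared against it would look like a match. An explicit result is harder to get wrong: `$hash_ok = ($return_var === 0);`, checked together with `!empty($v_hash)` before the password change. Both arguments are passed through `escapeshellarg`, which is right, but the called script must also quote them for that to hold end to end.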