2 files changed, 34 insertions, 6 deletions

diff --git a/perllib/FixMyStreet/App/Controller/Auth.pm b/perllib/FixMyStreet/App/Controller/Auth.pm
index 86e3e8434..95f8bb9a2 100644
--- a/perllib/FixMyStreet/App/Controller/Auth.pm
+++ b/perllib/FixMyStreet/App/Controller/Auth.pm
@@ -85,6 +85,12 @@ sub sign_in : Private {
     my $parsed = FixMyStreet::SMS->parse_username($username);
 
     if ($parsed->{username} && $password && $c->forward('authenticate', [ $parsed->{type}, $parsed->{username}, $password ])) {
+        # Upgrade hash count if necessary
+        my $cost = sprintf("%02d", FixMyStreet::DB::Result::User->cost);
+        if ($c->user->password !~ /^\$2a\$$cost\$/) {
+            $c->user->update({ password => $password });
+        }
+
         # unless user asked to be remembered limit the session to browser
         $c->set_session_cookie_expire(0)
           unless $remember_me;
diff --git a/perllib/FixMyStreet/App/Controller/Auth/Profile.pm b/perllib/FixMyStreet/App/Controller/Auth/Profile.pm
index d1fb32c41..2d8ae081e 100644
--- a/perllib/FixMyStreet/App/Controller/Auth/Profile.pm
+++ b/perllib/FixMyStreet/App/Controller/Auth/Profile.pm
@@ -19,7 +19,7 @@ verifying email, phone, password.
 
 =cut
 
-sub auto {
+sub auto : Private {
     my ( $self, $c ) = @_;
 
     $c->detach( '/auth/redirect' ) unless $c->user;
@@ -49,8 +49,17 @@ sub change_password : Path('/auth/change_password') {
     my $new = $c->get_param('new_password') // '';
     my $confirm = $c->get_param('confirm') // '';
 
+    my $password_error;
+
+    # Check existing password, if available
+    if ($c->user->password) {
+        my $current = $c->get_param('current_password') // '';
+        $c->stash->{current_password} = $current;
+        $password_error = 'incorrect' unless $c->user->check_password($current);
+    }
+
     # check for errors
-    my $password_error =
+    $password_error ||=
        !$new && !$confirm ? 'missing'
       : $new ne $confirm ? 'mismatch'
       : !$c->forward('/auth/test_password', [ $new ]) ? 'failed'
@@ -63,10 +72,17 @@ sub change_password : Path('/auth/change_password') {
         return;
     }
 
-    # we should have a usable password - save it to the user
-    $c->user->obj->update( { password => $new } );
-    $c->stash->{password_changed} = 1;
-
+    if ($c->user->password) {
+        # we should have a usable password - save it to the user
+        $c->user->obj->update( { password => $new } );
+        $c->stash->{password_changed} = 1;
+    } else {
+        # Set up arguments for code sign in
+        $c->set_param('username', $c->user->username);
+        $c->set_param('password_register', $new);
+        $c->set_param('r', 'auth/change_password/success');
+        $c->detach('/auth/code_sign_in');
+    }
 }
 
 =head2 change_email
@@ -149,6 +165,12 @@ sub change_phone_success : Path('/auth/change_phone/success') {
     $c->res->redirect('/my');
 }
 
+sub change_password_success : Path('/auth/change_password/success') {
+    my ( $self, $c ) = @_;
+    $c->flash->{flash_message} = _('Your password has been changed');
+    $c->res->redirect('/my');
+}
+
 sub generate_token : Path('/auth/generate_token') {
     my ($self, $c) = @_;