1 files changed, 53 insertions, 0 deletions

diff --git a/internal/authentication/file_user_provider.go b/internal/authentication/file_user_provider.go
index 0dd84e085..9be6d8edf 100644
--- a/internal/authentication/file_user_provider.go
+++ b/internal/authentication/file_user_provider.go
@@ -5,6 +5,7 @@ import (
 	"errors"
 	"fmt"
 	"os"
+	"strings"
 	"sync"
 	"time"
 
@@ -159,6 +160,58 @@ func (p *FileUserProvider) UpdatePassword(username string, newPassword string) (
 	return nil
 }
 
+func (p *FileUserProvider) ChangePassword(username string, oldPassword string, newPassword string) (err error) {
+	var details FileUserDatabaseUserDetails
+
+	if details, err = p.database.GetUserDetails(username); err != nil {
+		return fmt.Errorf("%w : %v", ErrUserNotFound, err)
+	}
+
+	if details.Disabled {
+		return ErrUserNotFound
+	}
+
+	if strings.TrimSpace(newPassword) == "" {
+		return ErrPasswordWeak
+	}
+
+	if oldPassword == newPassword {
+		return ErrPasswordWeak
+	}
+
+	oldPasswordCorrect, err := p.CheckUserPassword(username, oldPassword)
+
+	if err != nil {
+		return ErrAuthenticationFailed
+	}
+
+	if !oldPasswordCorrect {
+		return ErrIncorrectPassword
+	}
+
+	var digest algorithm.Digest
+
+	if digest, err = p.hash.Hash(newPassword); err != nil {
+		return fmt.Errorf("%w : %v", ErrOperationFailed, err)
+	}
+
+	details.Password = schema.NewPasswordDigest(digest)
+
+	p.database.SetUserDetails(details.Username, &details)
+
+	p.mutex.Lock()
+
+	p.setTimeoutReload(time.Now())
+
+	p.mutex.Unlock()
+
+	if err = p.database.Save(); err != nil {
+		return fmt.Errorf("%w : %v", ErrOperationFailed, err)
+	}
+
+	return nil
+}
+
 // StartupCheck implements the startup check provider interface.
 func (p *FileUserProvider) StartupCheck() (err error) {
 	if err = checkDatabase(p.config.Path); err != nil {