fix(api-key): add password requirement to generate api key [EE-6140] (#10617)

api/http/handler/users/user_create_access_token.go

@@ -15,18 +15,22 @@ import (
 )
 
 type userAccessTokenCreatePayload struct {
+	Password    string `validate:"required" example:"password" json:"password"`
 	Description string `validate:"required" example:"github-api-key" json:"description"`
 }
 
 func (payload *userAccessTokenCreatePayload) Validate(r *http.Request) error {
+	if govalidator.IsNull(payload.Password) {
+		return errors.New("invalid password: cannot be empty")
+	}
 	if govalidator.IsNull(payload.Description) {
-		return errors.New("invalid description. cannot be empty")
+		return errors.New("invalid description: cannot be empty")
 	}
 	if govalidator.HasWhitespaceOnly(payload.Description) {
-		return errors.New("invalid description. cannot contain only whitespaces")
+		return errors.New("invalid description: cannot contain only whitespaces")
 	}
 	if govalidator.MinStringLength(payload.Description, "128") {
-		return errors.New("invalid description. cannot be longer than 128 characters")
+		return errors.New("invalid description: cannot be longer than 128 characters")
 	}
 	return nil
 }
@@ -82,7 +86,12 @@ func (handler *Handler) userCreateAccessToken(w http.ResponseWriter, r *http.Req
 
 	user, err := handler.DataStore.User().Read(portainer.UserID(userID))
 	if err != nil {
-		return httperror.BadRequest("Unable to find a user", err)
+		return httperror.InternalServerError("Unable to find a user with the specified identifier inside the database", err)
+	}
+
+	err = handler.CryptoService.CompareHashAndData(user.Password, payload.Password)
+	if err != nil {
+		return httperror.Forbidden("Current password doesn't match", errors.New("Current password does not match the password provided. Please try again"))
 	}
 
 	rawAPIKey, apiKey, err := handler.apiKeyService.GenerateApiKey(*user, payload.Description)