Update and pin all actions versions (#564)

Signed-off-by: Dmytro Bondar <git@bonddim.dev>

.github/workflows/chart.yml

@@ -20,7 +20,7 @@ jobs:
     runs-on: ubuntu-latest
     if: ${{ github.event_name == 'pull_request' }}
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           fetch-depth: 0
 
@@ -35,16 +35,16 @@ jobs:
       # ct lint requires Python 3.x to run following packages:
       #  - yamale (https://github.com/23andMe/Yamale)
       #  - yamllint (https://github.com/adrienverge/yamllint)
-      - uses: actions/setup-python@v6
+      - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
         with:
           python-version: '3.x'
 
-      - uses: helm/chart-testing-action@v2
+      - uses: helm/chart-testing-action@6ec842c01de15ebb84c8627d2744a0c2f2755c9f # v2.8.0
 
       - name: Run chart-testing (lint)
         run: ct lint --config ct.yaml
 
-      - uses: nolar/setup-k3d-k3s@v1
+      - uses: nolar/setup-k3d-k3s@293b8e5822a20bc0d5bcdd4826f1a665e72aba96 # v1.0.9
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
 
@@ -60,9 +60,9 @@ jobs:
     permissions:
       packages: write
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
-      - uses: docker/login-action@v3
+      - uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}

.github/workflows/docker-publish.yml

@@ -18,13 +18,13 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out the repo
-        uses: actions/checkout@v5
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
 
       - name: Get Version
         shell: bash
@@ -32,14 +32,14 @@ jobs:
 
       - name: Login to Docker Hub
         if: github.event_name != 'pull_request'
-        uses: docker/login-action@v3
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
 
       - name: Login to GitHub Container Registry
         if: github.event_name != 'pull_request'
-        uses: docker/login-action@v3
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
@@ -47,7 +47,7 @@ jobs:
 
       - name: Extract metadata (tags, labels) for Docker
         id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0
         with:
           images: |
             wgportal/wg-portal
@@ -68,7 +68,7 @@ jobs:
             type=semver,pattern=v{{major}}
 
       - name: Build and push Docker image
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         with:
           context: .
           push: ${{ github.event_name != 'pull_request' }}
@@ -80,7 +80,7 @@ jobs:
             BUILD_VERSION=${{ env.BUILD_VERSION }}
 
       - name: Export binaries from images
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         with:
           context: .
           platforms: linux/amd64,linux/arm64,linux/arm/v7
@@ -96,7 +96,7 @@ jobs:
           done
 
       - name: Upload binaries
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
         with:
           name: binaries
           path: binaries/wg-portal_linux*
@@ -110,12 +110,12 @@ jobs:
       contents: write
     steps:
       - name: Download binaries
-        uses: actions/download-artifact@v5
+        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
         with:
           name: binaries
 
       - name: Create GitHub Release
-        uses: softprops/action-gh-release@v2
+        uses: softprops/action-gh-release@6da8fa9354ddfdc4aeace5fc48d7f679b5214090 # v2.4.1
         with:
           files: 'wg-portal_linux*'
           generate_release_notes: true

.github/workflows/pages.yml

@@ -15,11 +15,11 @@ jobs:
   deploy:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           fetch-depth: 0
 
-      - uses: actions/setup-python@v6
+      - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
         with:
           python-version: 3.x
 
@@ -37,4 +37,4 @@ jobs:
         run: mike deploy --push --update-aliases ${{ github.ref_name }} latest
         env:
           GIT_COMMITTER_NAME: "github-actions[bot]"
-          GIT_COMMITTER_EMAIL: "41898282+github-actions[bot]@users.noreply.github.com"
+          GIT_COMMITTER_EMAIL: "41898282+github-actions[bot]@users.noreply.github.com"

frontend/package-lock.json

@@ -16,6 +16,7 @@
         "@vojtechlanka/vue-tags-input": "^3.1.1",
         "bootstrap": "^5.3.7",
         "bootswatch": "^5.3.7",
+        "cidr-tools": "^11.0.3",
         "flag-icons": "^7.3.2",
         "ip-address": "^10.0.1",
         "is-cidr": "^5.1.1",
@@ -920,7 +921,6 @@
       "resolved": "https://registry.npmjs.org/@popperjs/core/-/core-2.11.8.tgz",
       "integrity": "sha512-P1st0aksCrn9sGZhp8GMYwBnQsbvAWsZAX44oXNNvLHGqAOcoVxmjZiohstwQ7SqKnbR47akdNi+uleWD8+g6A==",
       "license": "MIT",
-      "peer": true,
       "funding": {
         "type": "opencollective",
         "url": "https://opencollective.com/popperjs"
@@ -1492,6 +1492,18 @@
         "node": ">=14"
       }
     },
+    "node_modules/cidr-tools": {
+      "version": "11.0.3",
+      "resolved": "https://registry.npmjs.org/cidr-tools/-/cidr-tools-11.0.3.tgz",
+      "integrity": "sha512-7p0rp7B2P+nZfBkJlrQzUMDyUHeYK2h/XCJY80VUl1v5oxwLxQjZMy39BXVOXugwAX67l0oJ/QQ6OhANgUtUbw==",
+      "license": "BSD-2-Clause",
+      "dependencies": {
+        "ip-bigint": "^8.2.1"
+      },
+      "engines": {
+        "node": ">=18"
+      }
+    },
     "node_modules/clone-regexp": {
       "version": "3.0.0",
       "resolved": "https://registry.npmjs.org/clone-regexp/-/clone-regexp-3.0.0.tgz",
@@ -1706,6 +1718,15 @@
         "node": ">= 12"
       }
     },
+    "node_modules/ip-bigint": {
+      "version": "8.2.2",
+      "resolved": "https://registry.npmjs.org/ip-bigint/-/ip-bigint-8.2.2.tgz",
+      "integrity": "sha512-wPoOpHigOtoY29UCFA0L82cJVFcT7M+TsrgipUVpFw7HV9LpLEuNXCymt3623jzHPlIZzFaCyaVf9VACssFYew==",
+      "license": "BSD-2-Clause",
+      "engines": {
+        "node": ">=18"
+      }
+    },
     "node_modules/ip-regex": {
       "version": "5.0.0",
       "resolved": "https://registry.npmjs.org/ip-regex/-/ip-regex-5.0.0.tgz",
@@ -2047,7 +2068,6 @@
       "integrity": "sha512-FvQdkn2dZ8DGiLgi0Uf4zsj7r/BsiLImNa5QJ10eZalY6NfZyjrmWGFcuCN5jNwlDlXFJnftauv+UtvBKLvepQ==",
       "dev": true,
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "@bufbuild/protobuf": "^2.5.0",
         "buffer-builder": "^0.2.0",
@@ -2539,7 +2559,6 @@
       "integrity": "sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==",
       "dev": true,
       "license": "MIT",
-      "peer": true,
       "engines": {
         "node": ">=12"
       },
@@ -2581,7 +2600,6 @@
       "integrity": "sha512-0msEVHJEScQbhkbVTb/4iHZdJ6SXp/AvxL2sjwYQFfBqleHtnCqv1J3sa9zbWz/6kW1m9Tfzn92vW+kZ1WV6QA==",
       "dev": true,
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "esbuild": "^0.25.0",
         "fdir": "^6.4.4",
@@ -2675,7 +2693,6 @@
       "integrity": "sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==",
       "dev": true,
       "license": "MIT",
-      "peer": true,
       "engines": {
         "node": ">=12"
       },
@@ -2688,7 +2705,6 @@
       "resolved": "https://registry.npmjs.org/vue/-/vue-3.5.22.tgz",
       "integrity": "sha512-toaZjQ3a/G/mYaLSbV+QsQhIdMo9x5rrqIpYRObsJ6T/J+RyCSFwN2LHNVH9v8uIcljDNa3QzPVdv3Y6b9hAJQ==",
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "@vue/compiler-dom": "3.5.22",
         "@vue/compiler-sfc": "3.5.22",

frontend/package.json

@@ -16,6 +16,7 @@
     "@vojtechlanka/vue-tags-input": "^3.1.1",
     "bootstrap": "^5.3.7",
     "bootswatch": "^5.3.7",
+    "cidr-tools": "^11.0.3",
     "flag-icons": "^7.3.2",
     "ip-address": "^10.0.1",
     "is-cidr": "^5.1.1",

frontend/src/App.vue

@@ -133,6 +133,9 @@ const userDisplayName = computed(() => {
           <li class="nav-item">
             <RouterLink :to="{ name: 'key-generator' }" class="nav-link">{{ $t('menu.keygen') }}</RouterLink>
           </li>
+          <li class="nav-item">
+            <RouterLink :to="{ name: 'ip-calculator' }" class="nav-link">{{ $t('menu.calculator') }}</RouterLink>
+          </li>
         </ul>
 
         <div class="navbar-nav d-flex justify-content-end">

frontend/src/lang/translations/de.json

@@ -42,7 +42,8 @@
     "audit": "Event Protokoll",
     "login": "Anmelden",
     "logout": "Abmelden",
-    "keygen": "Schlüsselgenerator"
+    "keygen": "Schlüsselgenerator",
+    "calculator": "IP-Rechner"
   },
   "home": {
     "headline": "WireGuard® VPN Portal",
@@ -221,6 +222,16 @@
       "button-delete-text": "Passkey löschen. Sie können sich anschließend nicht mehr mit diesem Passkey anmelden.",
       "button-register-title": "Passkey registrieren",
       "button-register-text": "Einen neuen Passkey registrieren, um Ihr Konto zu sichern."
+    },
+    "password": {
+      "headline": "Passwort-Einstellungen",
+      "abstract": "Hier können Sie Ihr Passwort ändern.",
+      "current-label": "Aktuelles Passwort",
+      "new-label": "Neues Passwort",
+      "new-confirm-label": "Neues Passwort bestätigen",
+      "change-button-text": "Passwort ändern",
+      "invalid-confirm-label": "Passwörter stimmen nicht überein",
+      "weak-label": "Passwort ist zu schwach"
     }
   },
   "audit": {
@@ -259,6 +270,26 @@
       "placeholder": "Der geteilte Schlüssel"
     }
   },
+  "calculator": {
+    "headline": "WireGuard IP-Rechner",
+    "abstract": "Erzeuge erlaubte IPs für WireGuard. Die IP-Subnetze werden lokal in Ihrem Browser generiert und niemals an den Server gesendet.",
+    "headline-allowed-ip": "Neue erlaubte IPs",
+    "button-exclude-private": "Private IP-Bereiche ausschließen",
+    "allowed-ip": {
+      "label": "Erlaubte IPs",
+      "placeholder": "0.0.0.0/0, ::/0",
+      "empty": "Wert darf nicht leer sein"
+    },
+    "dissallowed-ip": {
+      "label": "Nicht erlaubte IPs",
+      "placeholder": "10.0.0.0/8, 192.168.0.0/16",
+      "invalid": "Ungültige Adresse: {addr}"
+    },
+    "new-allowed-ip": {
+      "label": "Erlaubte IPs",
+      "placeholder": ""
+    }
+  },
   "modals": {
     "user-view": {
       "headline": "Benutzerkonto:",

frontend/src/lang/translations/en.json

@@ -42,7 +42,8 @@
     "audit": "Audit Log",
     "login": "Login",
     "logout": "Logout",
-    "keygen": "Key Generator"
+    "keygen": "Key Generator",
+    "calculator": "IP Calculator"
   },
   "home": {
     "headline": "WireGuard® VPN Portal",
@@ -221,6 +222,16 @@
       "button-delete-text": "Delete the passkey. You will not be able to log in with this passkey anymore.",
       "button-register-title": "Register Passkey",
       "button-register-text": "Register a new Passkey to secure your account."
+    },
+    "password": {
+      "headline": "Password Settings",
+      "abstract": "Here you can change your password.",
+      "current-label": "Current Password",
+      "new-label": "New Password",
+      "new-confirm-label": "Confirm New Password",
+      "change-button-text": "Change Password",
+      "invalid-confirm-label": "Passwords do not match",
+      "weak-label": "Password is too weak"
     }
   },
   "audit": {
@@ -259,6 +270,26 @@
         "placeholder": "The pre-shared key"
     }
   },
+  "calculator": {
+    "headline": "WireGuard IP Calculator",
+    "abstract": "Generate a WireGuard Allowed IPs. The IP subnets are generated in your local browser and are never sent to the server.",
+    "headline-allowed-ip": "New Allowed IPs",
+    "button-exclude-private": "Exclude Private IP Ranges",
+    "allowed-ip": {
+        "label": "Allowed IPs",
+        "placeholder": "0.0.0.0/0, ::/0",
+        "empty": "Value cannot be empty"
+    },
+    "dissallowed-ip": {
+        "label": "Disallowed IPs",
+        "placeholder": "10.0.0.0/8, 192.168.0.0/16",
+        "invalid": "Invalid address: {addr}"
+    },
+    "new-allowed-ip": {
+        "label": "Allowed IPs",
+        "placeholder": ""
+    }
+  },
   "modals": {
     "user-view": {
       "headline": "User Account:",

frontend/src/router/index.js

@@ -72,6 +72,14 @@ const router = createRouter({
       // this generates a separate chunk (About.[hash].js) for this route
       // which is lazy-loaded when the route is visited.
       component: () => import('../views/KeyGeneraterView.vue')
+    },
+    {
+      path: '/ip-calculator',
+      name: 'ip-calculator',
+      // route level code-splitting
+      // this generates a separate chunk (About.[hash].js) for this route
+      // which is lazy-loaded when the route is visited.
+      component: () => import('../views/IPCalculatorView.vue')
     }
   ],
   linkActiveClass: "active",
@@ -122,7 +130,7 @@ router.beforeEach(async (to) => {
   }
 
   // redirect to login page if not logged in and trying to access a restricted page
-  const publicPages = ['/', '/login', '/key-generator']
+  const publicPages = ['/', '/login', '/key-generator', '/ip-calculator']
   const authRequired = !publicPages.includes(to.path)
 
   if (authRequired && !auth.IsAuthenticated) {

frontend/src/stores/profile.js

@@ -151,6 +151,17 @@ export const profileStore = defineStore('profile', {
             })
           })
     },
+    async changePassword(formData) {
+      this.fetching = true
+      let currentUser = authStore().user.Identifier
+      return apiWrapper.post(`${baseUrl}/${base64_url_encode(currentUser)}/change-password`, formData)
+          .then(this.fetching = false)
+          .catch(error => {
+            this.fetching = false;
+            console.log("Failed to change password for ", currentUser, ": ", error);
+            throw new Error(error);
+          });
+    },
     async LoadPeers() {
       this.fetching = true
       let currentUser = authStore().user.Identifier

frontend/src/views/IPCalculatorView.vue

@@ -0,0 +1,139 @@
+<script setup>
+
+import {ref, watch, computed} from "vue";
+import isCidr from "is-cidr";
+import {isIP} from "is-ip";
+import {excludeCidr} from "cidr-tools";
+import {useI18n} from 'vue-i18n';
+
+const allowedIp = ref("")
+const dissallowedIp = ref("")
+const privateIP = ref("10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16")
+
+const {t} = useI18n()
+
+const errorAllowed = ref("")
+const errorDissallowed = ref("")
+
+/**
+ * Validate a comma-separated list of IP and/or CIDR addresses.
+ * @function validateIpAndCidrList
+ * @param {string} value - Comma-separated string (e.g. "10.0.0.0/8, 192.168.0.1")
+ * @returns {true|string} Returns true if all values are valid, otherwise an error message.
+ */
+function validateIpAndCidrList(value) {
+  const list = value.split(",").map(v => v.trim()).filter(Boolean);
+  if (list.length === 0) { 
+    return t('calculator.allowed-ip.empty');
+  }
+  
+  for (const addr of list) {
+    if (!isIP(addr) && !isCidr(addr)) {
+      return t('calculator.dissallowed-ip.invalid', {addr});
+    }
+  }
+  return true;
+}
+
+/**
+ * Watcher that validates allowed IPs input in real-time.
+ * Updates `errorAllowed` whenever `allowedIp` changes.
+ */
+watch(allowedIp, (newValue) => {
+  const result = validateIpAndCidrList(newValue);
+  errorAllowed.value = result === true ? "" : result;
+});
+
+/**
+ * Watcher that validates disallowed IPs input in real-time.
+ * Updates `errorDissallowed` whenever `dissallowedIp` changes.
+ */
+watch(dissallowedIp, (newValue) => {
+  if (!allowedIp.value || allowedIp.value.trim() === "") {
+    allowedIp.value = "0.0.0.0/0";
+  }
+  const result = validateIpAndCidrList(newValue);
+  errorDissallowed.value = result === true ? "" : result;
+});
+
+/**
+ * Dynamically computes the resulting "Allowed IPs" list
+ * by excluding the disallowed ranges from the allowed ranges.
+ * @constant
+ * @type {ComputedRef<string>}
+ * @returns {string} A comma-separated string of resulting CIDR blocks.
+ */
+const newAllowedIp = computed(() => {
+  if (errorAllowed.value || errorDissallowed.value) return "";
+
+  try {
+    const allowedList = allowedIp.value.split(",").map(v => v.trim()).filter(Boolean);
+    const disallowedList = dissallowedIp.value.split(",").map(v => v.trim()).filter(Boolean);
+
+    const result = excludeCidr(allowedList, disallowedList);
+
+    return result.join(", ");
+  } catch (e) {
+    console.error("Allowed IPs calculation error:", e);
+    return "";
+  }
+});
+
+/**
+ * Append private IP ranges to disallowed IPs.
+ * If any already exist, they are preserved and new ones are appended only if not present.
+ * @function addPrivateIPs
+ */
+function addPrivateIPs() {
+  const privateList = privateIP.value.split(",").map(v => v.trim());
+  const currentList = dissallowedIp.value.split(",").map(v => v.trim()).filter(Boolean);
+
+  const combined = Array.from(new Set([...currentList, ...privateList]));
+  dissallowedIp.value = combined.join(", ");
+}
+
+</script>
+
+<template>
+  <div class="page-header">
+    <h1>{{ $t('calculator.headline') }}</h1>
+  </div>
+
+  <p class="lead">{{ $t('calculator.abstract') }}</p>
+
+  <div class="mt-4 row">
+    <div class="col-12 col-lg-5">
+      <fieldset>
+        <div class="form-group">
+          <label class="form-label mt-4">{{ $t('calculator.allowed-ip.label') }}</label>
+          <input class="form-control" v-model="allowedIp" :placeholder="$t('calculator.allowed-ip.placeholder')" :class="{ 'is-invalid': errorAllowed }">
+          <div v-if="errorAllowed" class="text-danger mt-1">{{ errorAllowed }}</div>
+        </div>
+        <div class="form-group">
+          <label class="form-label mt-4">{{ $t('calculator.dissallowed-ip.label') }}</label>
+          <input class="form-control" v-model="dissallowedIp" :placeholder="$t('calculator.dissallowed-ip.placeholder')" :class="{ 'is-invalid': errorDissallowed }">
+          <div v-if="errorDissallowed" class="text-danger mt-1">{{ errorDissallowed }}</div>
+        </div>
+      </fieldset>
+      <fieldset>
+        <hr class="mt-4">
+        <button class="btn btn-primary mb-4" type="button" @click="addPrivateIPs">{{ $t('calculator.button-exclude-private') }}</button>
+      </fieldset>
+    </div>
+    <div class="col-12 col-lg-2 mt-sm-4">
+    </div>
+    <div class="col-12 col-lg-5">
+      <h1>{{ $t('calculator.headline-allowed-ip') }}</h1>
+      <fieldset>
+        <div class="form-group">
+          <textarea class="form-control" :value="newAllowedIp" rows="6" :placeholder="$t('calculator.new-allowed-ip.placeholder')" readonly></textarea>
+        </div>
+      </fieldset>
+    </div>
+  </div>
+
+</template>
+
+<style scoped>
+
+</style>

frontend/src/views/SettingsView.vue

@@ -1,8 +1,9 @@
 <script setup>
-import {onMounted, ref} from "vue";
+import {computed, onMounted, ref} from "vue";
 import { profileStore } from "@/stores/profile";
 import { settingsStore } from "@/stores/settings";
 import { authStore } from "../stores/auth";
+import {notify} from "@kyvg/vue3-notification";
 
 const profile = profileStore()
 const settings = settingsStore()
@@ -34,6 +35,45 @@ async function saveRename(credential) {
     console.error("Failed to rename credential:", error);
   }
 }
+
+const pwFormData = ref({
+  OldPassword: '',
+  Password: '',
+  PasswordRepeat: '',
+})
+
+const passwordWeak = computed(() => {
+  return pwFormData.value.Password && pwFormData.value.Password.length > 0 && pwFormData.value.Password.length < settings.Setting('MinPasswordLength')
+})
+
+const passwordChangeAllowed = computed(() => {
+  return pwFormData.value.Password && pwFormData.value.Password.length >= settings.Setting('MinPasswordLength') &&
+      pwFormData.value.Password === pwFormData.value.PasswordRepeat &&
+      pwFormData.value.OldPassword && pwFormData.value.OldPassword.length > 0 && pwFormData.value.OldPassword !== pwFormData.value.Password;
+})
+
+const updatePassword = async () => {
+  try {
+    await profile.changePassword(pwFormData.value);
+
+    pwFormData.value.OldPassword = '';
+    pwFormData.value.Password = '';
+    pwFormData.value.PasswordRepeat = '';
+    notify({
+      title: "Password changed!",
+      text: "Your password has been changed successfully.",
+      type: 'success',
+    });
+  } catch (e) {
+    notify({
+      title: "Failed to update password!",
+      text: e.toString(),
+      type: 'error',
+    })
+  }
+}
+
+
 </script>
 
 <template>
@@ -43,52 +83,45 @@ async function saveRename(credential) {
 
   <p class="lead">{{ $t('settings.abstract') }}</p>
 
-  <div v-if="auth.IsAdmin || !settings.Setting('ApiAdminOnly')">
+  <div class="card border-secondary p-5 mt-5" v-if="profile.user.Source === 'db'">
-    <div class="card border-secondary p-5" v-if="profile.user.ApiToken">
+    <h2 class="display-7">{{ $t('settings.password.headline') }}</h2>
-      <h2 class="display-7">{{ $t('settings.api.headline') }}</h2>
+    <p class="lead">{{ $t('settings.password.abstract') }}</p>
-      <p class="lead">{{ $t('settings.api.abstract') }}</p>
+    <hr class="my-4">
-      <hr class="my-4">
+
-      <p>{{ $t('settings.api.active-description') }}</p>
+    <div class="row">
-      <div class="row">
+      <div class="col-6">
-        <div class="col-6">
+        <div class="form-group">
-          <div class="form-group">
+          <label class="form-label mt-4" for="oldpw">{{ $t('settings.password.current-label') }}</label>
-            <label class="form-label mt-4">{{ $t('settings.api.user-label') }}</label>
+          <input id="oldpw" v-model="pwFormData.OldPassword" class="form-control" :class="{ 'is-invalid': pwFormData.Password && !pwFormData.OldPassword }" type="password">
-            <input v-model="profile.user.Identifier" class="form-control" :placeholder="$t('settings.api.user-placeholder')" type="text" readonly>
-          </div>
-        </div>
-        <div class="col-6">
-          <div class="form-group">
-            <label class="form-label mt-4">{{ $t('settings.api.token-label') }}</label>
-            <input v-model="profile.user.ApiToken" class="form-control" :placeholder="$t('settings.api.token-placeholder')" type="text" readonly>
-          </div>
         </div>
       </div>
-      <div class="row">
+      <div class="col-6">
-        <div class="col-12">
+      </div>
-          <div class="form-group">
+    </div>
-            <p class="form-label mt-4">{{ $t('settings.api.token-created-label') }} {{profile.user.ApiTokenCreated}}</p>
+    <div class="row">
-          </div>
+      <div class="col-6">
+        <div class="form-group has-success">
+          <label class="form-label mt-4" for="newpw">{{ $t('settings.password.new-label') }}</label>
+          <input id="newpw" v-model="pwFormData.Password" class="form-control" :class="{ 'is-invalid': passwordWeak,  'is-valid': pwFormData.Password !== '' && !passwordWeak }" type="password">
+          <div class="invalid-feedback" v-if="passwordWeak">{{ $t('settings.password.weak-label') }}</div>
         </div>
       </div>
-      <div class="row mt-5">
+      <div class="col-6">
-        <div class="col-6">
+        <div class="form-group">
-          <button class="btn btn-primary" :title="$t('settings.api.button-disable-title')" @click.prevent="profile.disableApi()" :disabled="profile.isFetching">
+          <label class="form-label mt-4" for="confirmnewpw">{{ $t('settings.password.new-confirm-label') }}</label>
-            <i class="fa-solid fa-minus-circle"></i> {{ $t('settings.api.button-disable-text') }}
+          <input id="confirmnewpw" v-model="pwFormData.PasswordRepeat" class="form-control" :class="{ 'is-invalid': pwFormData.PasswordRepeat !== ''&& pwFormData.Password !== pwFormData.PasswordRepeat,  'is-valid': pwFormData.PasswordRepeat !== '' && pwFormData.Password === pwFormData.PasswordRepeat && !passwordWeak }" type="password">
-          </button>
+          <div class="invalid-feedback" v-if="pwFormData.PasswordRepeat !== ''&& pwFormData.Password !== pwFormData.PasswordRepeat">{{ $t('settings.password.invalid-confirm-label') }}</div>
-        </div>
-        <div class="col-6">
-          <a href="/api/v1/doc.html" target="_blank" :alt="$t('settings.api.api-link')">{{ $t('settings.api.api-link') }}</a>
         </div>
       </div>
     </div>
-    <div class="card border-secondary p-5" v-else>
+    <div class="row mt-5">
-      <h2 class="display-7">{{ $t('settings.api.headline') }}</h2>
+      <div class="col-6">
-      <p class="lead">{{ $t('settings.api.abstract') }}</p>
+        <button class="btn btn-primary" :title="$t('settings.api.button-disable-title')" @click.prevent="updatePassword" :disabled="profile.isFetching || !passwordChangeAllowed">
-      <hr class="my-4">
+          <i class="fa-solid fa-floppy-disk"></i> {{ $t('settings.password.change-button-text') }}
-      <p>{{ $t('settings.api.inactive-description') }}</p>
+        </button>
-      <button class="btn btn-primary" :title="$t('settings.api.button-enable-title')" @click.prevent="profile.enableApi()" :disabled="profile.isFetching">
+      </div>
-        <i class="fa-solid fa-plus-circle"></i> {{ $t('settings.api.button-enable-text') }}
+      <div class="col-6">
-      </button>
+      </div>
     </div>
   </div>
 
@@ -173,4 +206,53 @@ async function saveRename(credential) {
     </div>
 
   </div>
+
+  <div class="mt-5" v-if="auth.IsAdmin || !settings.Setting('ApiAdminOnly')">
+    <div class="card border-secondary p-5" v-if="profile.user.ApiToken">
+      <h2 class="display-7">{{ $t('settings.api.headline') }}</h2>
+      <p class="lead">{{ $t('settings.api.abstract') }}</p>
+      <hr class="my-4">
+      <p>{{ $t('settings.api.active-description') }}</p>
+      <div class="row">
+        <div class="col-6">
+          <div class="form-group">
+            <label class="form-label mt-4">{{ $t('settings.api.user-label') }}</label>
+            <input v-model="profile.user.Identifier" class="form-control" :placeholder="$t('settings.api.user-placeholder')" type="text" readonly>
+          </div>
+        </div>
+        <div class="col-6">
+          <div class="form-group">
+            <label class="form-label mt-4">{{ $t('settings.api.token-label') }}</label>
+            <input v-model="profile.user.ApiToken" class="form-control" :placeholder="$t('settings.api.token-placeholder')" type="text" readonly>
+          </div>
+        </div>
+      </div>
+      <div class="row">
+        <div class="col-12">
+          <div class="form-group">
+            <p class="form-label mt-4">{{ $t('settings.api.token-created-label') }} {{profile.user.ApiTokenCreated}}</p>
+          </div>
+        </div>
+      </div>
+      <div class="row mt-5">
+        <div class="col-6">
+          <button class="btn btn-primary" :title="$t('settings.api.button-disable-title')" @click.prevent="profile.disableApi()" :disabled="profile.isFetching">
+            <i class="fa-solid fa-minus-circle"></i> {{ $t('settings.api.button-disable-text') }}
+          </button>
+        </div>
+        <div class="col-6">
+          <a href="/api/v1/doc.html" target="_blank" :alt="$t('settings.api.api-link')">{{ $t('settings.api.api-link') }}</a>
+        </div>
+      </div>
+    </div>
+    <div class="card border-secondary p-5" v-else>
+      <h2 class="display-7">{{ $t('settings.api.headline') }}</h2>
+      <p class="lead">{{ $t('settings.api.abstract') }}</p>
+      <hr class="my-4">
+      <p>{{ $t('settings.api.inactive-description') }}</p>
+      <button class="btn btn-primary" :title="$t('settings.api.button-enable-title')" @click.prevent="profile.enableApi()" :disabled="profile.isFetching">
+        <i class="fa-solid fa-plus-circle"></i> {{ $t('settings.api.button-enable-text') }}
+      </button>
+    </div>
+  </div>
 </template>

go.mod

@@ -21,9 +21,9 @@ require (
 	github.com/xhit/go-simple-mail/v2 v2.16.0
 	github.com/yeqown/go-qrcode/v2 v2.2.5
 	github.com/yeqown/go-qrcode/writer/compressed v1.0.1
-	golang.org/x/crypto v0.42.0
+	golang.org/x/crypto v0.43.0
-	golang.org/x/oauth2 v0.31.0
+	golang.org/x/oauth2 v0.32.0
-	golang.org/x/sys v0.36.0
+	golang.org/x/sys v0.37.0
 	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20241231184526-a9ab2273dd10
 	gopkg.in/yaml.v3 v3.0.1
 	gorm.io/driver/mysql v1.6.0
@@ -93,9 +93,9 @@ require (
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
 	golang.org/x/exp v0.0.0-20251002181428-27f1f14c8bb9 // indirect
 	golang.org/x/mod v0.28.0 // indirect
-	golang.org/x/net v0.44.0 // indirect
+	golang.org/x/net v0.45.0 // indirect
 	golang.org/x/sync v0.17.0 // indirect
-	golang.org/x/text v0.29.0 // indirect
+	golang.org/x/text v0.30.0 // indirect
 	golang.org/x/tools v0.37.0 // indirect
 	golang.zx2c4.com/wireguard v0.0.0-20250521234502-f333402bd9cb // indirect
 	google.golang.org/protobuf v1.36.10 // indirect

go.sum

@@ -262,8 +262,8 @@ golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOM
 golang.org/x/crypto v0.22.0/go.mod h1:vr6Su+7cTlO45qkww3VDJlzDn0ctJvRgYbC2NvXHt+M=
 golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
 golang.org/x/crypto v0.24.0/go.mod h1:Z1PMYSOR5nyMcyAVAIQSKCDwalqy85Aqn1x3Ws4L5DM=
-golang.org/x/crypto v0.42.0 h1:chiH31gIWm57EkTXpwnqf8qeuMUi0yekh6mT2AvFlqI=
+golang.org/x/crypto v0.43.0 h1:dduJYIi3A3KOfdGOHX8AVZ/jGiyPa3IbBozJ5kNuE04=
-golang.org/x/crypto v0.42.0/go.mod h1:4+rDnOTJhQCx2q7/j6rAN5XDw8kPjeaXEUR2eL94ix8=
+golang.org/x/crypto v0.43.0/go.mod h1:BFbav4mRNlXJL4wNeejLpWxB7wMbc79PdRGhWKncxR0=
 golang.org/x/exp v0.0.0-20251002181428-27f1f14c8bb9 h1:TQwNpfvNkxAVlItJf6Cr5JTsVZoC/Sj7K3OZv2Pc14A=
 golang.org/x/exp v0.0.0-20251002181428-27f1f14c8bb9/go.mod h1:TwQYMMnGpvZyc+JpB/UAuTNIsVJifOlSkrZkhcvpVUk=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
@@ -291,10 +291,10 @@ golang.org/x/net v0.22.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
 golang.org/x/net v0.24.0/go.mod h1:2Q7sJY5mzlzWjKtYUEXSlBWCdyaioyXzRB2RtU8KVE8=
 golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
 golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE=
-golang.org/x/net v0.44.0 h1:evd8IRDyfNBMBTTY5XRF1vaZlD+EmWx6x8PkhR04H/I=
+golang.org/x/net v0.45.0 h1:RLBg5JKixCy82FtLJpeNlVM0nrSqpCRYzVU1n8kj0tM=
-golang.org/x/net v0.44.0/go.mod h1:ECOoLqd5U3Lhyeyo/QDCEVQ4sNgYsqvCZ722XogGieY=
+golang.org/x/net v0.45.0/go.mod h1:ECOoLqd5U3Lhyeyo/QDCEVQ4sNgYsqvCZ722XogGieY=
-golang.org/x/oauth2 v0.31.0 h1:8Fq0yVZLh4j4YA47vHKFTa9Ew5XIrCP8LC6UeNZnLxo=
+golang.org/x/oauth2 v0.32.0 h1:jsCblLleRMDrxMN29H3z/k1KliIvpLgCkE6R8FXXNgY=
-golang.org/x/oauth2 v0.31.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
+golang.org/x/oauth2 v0.32.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -324,8 +324,8 @@ golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k=
+golang.org/x/sys v0.37.0 h1:fdNQudmxPjkdUTPnLn5mdQv7Zwvbvpaxqs831goi9kQ=
-golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/sys v0.37.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
@@ -354,8 +354,8 @@ golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
 golang.org/x/text v0.20.0/go.mod h1:D4IsuqiFMhST5bX19pQ9ikHC2GsaKyk/oF+pn3ducp4=
-golang.org/x/text v0.29.0 h1:1neNs90w9YzJ9BocxfsQNHKuAT4pkghyXc4nhZ6sJvk=
+golang.org/x/text v0.30.0 h1:yznKA/E9zq54KzlzBEAWn1NXSQ8DIp/NYMy88xJjl4k=
-golang.org/x/text v0.29.0/go.mod h1:7MhJOA9CD2qZyOKYazxdYMF85OwPdEr9jTtBpO7ydH4=
+golang.org/x/text v0.30.0/go.mod h1:yDdHFIX9t+tORqspjENWgzaCVXgk0yYnYuSZ8UzzBVM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=

internal/app/api/core/assets/doc/v0_swagger.json

@@ -1550,6 +1550,38 @@
                 }
             }
         },
+        "/user/{id}/change-password": {
+            "post": {
+                "produces": [
+                    "application/json"
+                ],
+                "tags": [
+                    "Users"
+                ],
+                "summary": "Change the password for the given user.",
+                "operationId": "users_handleChangePasswordPost",
+                "responses": {
+                    "200": {
+                        "description": "OK",
+                        "schema": {
+                            "$ref": "#/definitions/model.User"
+                        }
+                    },
+                    "400": {
+                        "description": "Bad Request",
+                        "schema": {
+                            "$ref": "#/definitions/model.Error"
+                        }
+                    },
+                    "500": {
+                        "description": "Internal Server Error",
+                        "schema": {
+                            "$ref": "#/definitions/model.Error"
+                        }
+                    }
+                }
+            }
+        },
         "/user/{id}/interfaces": {
             "get": {
                 "produces": [
@@ -2159,6 +2191,10 @@
                         }
                     ]
                 },
+                "UserDisplayName": {
+                    "description": "the owner display name",
+                    "type": "string"
+                },
                 "UserIdentifier": {
                     "description": "the owner",
                     "type": "string"

internal/app/api/core/assets/doc/v0_swagger.yaml

@@ -322,6 +322,9 @@ definitions:
         allOf:
         - $ref: '#/definitions/model.ConfigOption-string'
         description: the routing table
+      UserDisplayName:
+        description: the owner display name
+        type: string
       UserIdentifier:
         description: the owner
         type: string
@@ -1442,6 +1445,27 @@ paths:
       summary: Enable the REST API for the given user.
       tags:
       - Users
+  /user/{id}/change-password:
+    post:
+      operationId: users_handleChangePasswordPost
+      produces:
+      - application/json
+      responses:
+        "200":
+          description: OK
+          schema:
+            $ref: '#/definitions/model.User'
+        "400":
+          description: Bad Request
+          schema:
+            $ref: '#/definitions/model.Error'
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/model.Error'
+      summary: Change the password for the given user.
+      tags:
+      - Users
   /user/{id}/interfaces:
     get:
       operationId: users_handleInterfacesGet

internal/app/api/core/assets/doc/v1_swagger.json

@@ -17,11 +17,6 @@
     "paths": {
         "/interface/all": {
             "get": {
-                "security": [
-                    {
-                        "BasicAuth": []
-                    }
-                ],
                 "produces": [
                     "application/json"
                 ],
@@ -52,16 +47,16 @@
                             "$ref": "#/definitions/models.Error"
                         }
                     }
-                }
+                },
-            }
-        },
-        "/interface/by-id/{id}": {
-            "get": {
                 "security": [
                     {
                         "BasicAuth": []
                     }
-                ],
+                ]
+            }
+        },
+        "/interface/by-id/{id}": {
+            "get": {
                 "produces": [
                     "application/json"
                 ],
@@ -110,14 +105,14 @@
                             "$ref": "#/definitions/models.Error"
                         }
                     }
-                }
+                },
-            },
-            "put": {
                 "security": [
                     {
                         "BasicAuth": []
                     }
-                ],
+                ]
+            },
+            "put": {
                 "description": "This endpoint updates an existing interface with the provided data. All required fields must be filled (e.g. name, private key, public key, ...).",
                 "produces": [
                     "application/json"
@@ -182,14 +177,14 @@
                             "$ref": "#/definitions/models.Error"
                         }
                     }
-                }
+                },
-            },
-            "delete": {
                 "security": [
                     {
                         "BasicAuth": []
                     }
-                ],
+                ]
+            },
+            "delete": {
                 "produces": [
                     "application/json"
                 ],
@@ -241,16 +236,16 @@
                             "$ref": "#/definitions/models.Error"
                         }
                     }
-                }
+                },
-            }
-        },
-        "/interface/new": {
-            "post": {
                 "security": [
                     {
                         "BasicAuth": []
                     }
-                ],
+                ]
+            }
+        },
+        "/interface/new": {
+            "post": {
                 "description": "This endpoint creates a new interface with the provided data. All required fields must be filled (e.g. name, private key, public key, ...).",
                 "produces": [
                     "application/json"
@@ -308,16 +303,16 @@
                             "$ref": "#/definitions/models.Error"
                         }
                     }
-                }
+                },
-            }
-        },
-        "/interface/prepare": {
-            "get": {
                 "security": [
                     {
                         "BasicAuth": []
                     }
-                ],
+                ]
+            }
+        },
+        "/interface/prepare": {
+            "get": {
                 "description": "This endpoint returns a new interface with default values (fresh key pair, valid name, new IP address pool, ...).",
                 "produces": [
                     "application/json"
@@ -352,16 +347,16 @@
                             "$ref": "#/definitions/models.Error"
                         }
                     }
-                }
+                },
-            }
-        },
-        "/metrics/by-interface/{id}": {
-            "get": {
                 "security": [
                     {
                         "BasicAuth": []
                     }
-                ],
+                ]
+            }
+        },
+        "/metrics/by-interface/{id}": {
+            "get": {
                 "produces": [
                     "application/json"
                 ],
@@ -410,16 +405,16 @@
                             "$ref": "#/definitions/models.Error"
                         }
                     }
-                }
+                },
-            }
-        },
-        "/metrics/by-peer/{id}": {
-            "get": {
                 "security": [
                     {
                         "BasicAuth": []
                     }
-                ],
+                ]
+            }
+        },
+        "/metrics/by-peer/{id}": {
+            "get": {
                 "produces": [
                     "application/json"
                 ],
@@ -468,16 +463,16 @@
                             "$ref": "#/definitions/models.Error"
                         }
                     }
-                }
+                },
-            }
-        },
-        "/metrics/by-user/{id}": {
-            "get": {
                 "security": [
                     {
                         "BasicAuth": []
                     }
-                ],
+                ]
+            }
+        },
+        "/metrics/by-user/{id}": {
+            "get": {
                 "produces": [
                     "application/json"
                 ],
@@ -526,16 +521,16 @@
                             "$ref": "#/definitions/models.Error"
                         }
                     }
-                }
+                },
-            }
-        },
-        "/peer/by-id/{id}": {
-            "get": {
                 "security": [
                     {
                         "BasicAuth": []
                     }
-                ],
+                ]
+            }
+        },
+        "/peer/by-id/{id}": {
+            "get": {
                 "description": "Normal users can only access their own records. Admins can access all records.",
                 "produces": [
                     "application/json"
@@ -585,14 +580,14 @@
                             "$ref": "#/definitions/models.Error"
                         }
                     }
-                }
+                },
-            },
-            "put": {
                 "security": [
                     {
                         "BasicAuth": []
                     }
-                ],
+                ]
+            },
+            "put": {
                 "description": "Only admins can update existing records. The peer record must contain all required fields (e.g., public key, allowed IPs).",
                 "produces": [
                     "application/json"
@@ -657,14 +652,14 @@
                             "$ref": "#/definitions/models.Error"
                         }
                     }
-                }
+                },
-            },
-            "delete": {
                 "security": [
                     {
                         "BasicAuth": []
                     }
-                ],
+                ]
+            },
+            "delete": {
                 "produces": [
                     "application/json"
                 ],
@@ -716,16 +711,16 @@
                             "$ref": "#/definitions/models.Error"
                         }
                     }
-                }
+                },
-            }
-        },
-        "/peer/by-interface/{id}": {
-            "get": {
                 "security": [
                     {
                         "BasicAuth": []
                     }
-                ],
+                ]
+            }
+        },
+        "/peer/by-interface/{id}": {
+            "get": {
                 "produces": [
                     "application/json"
                 ],
@@ -765,16 +760,16 @@
                             "$ref": "#/definitions/models.Error"
                         }
                     }
-                }
+                },
-            }
-        },
-        "/peer/by-user/{id}": {
-            "get": {
                 "security": [
                     {
                         "BasicAuth": []
                     }
-                ],
+                ]
+            }
+        },
+        "/peer/by-user/{id}": {
+            "get": {
                 "description": "Normal users can only access their own records. Admins can access all records.",
                 "produces": [
                     "application/json"
@@ -815,16 +810,16 @@
                             "$ref": "#/definitions/models.Error"
                         }
                     }
-                }
+                },
-            }
-        },
-        "/peer/new": {
-            "post": {
                 "security": [
                     {
                         "BasicAuth": []
                     }
-                ],
+                ]
+            }
+        },
+        "/peer/new": {
+            "post": {
                 "description": "Only admins can create new records. The peer record must contain all required fields (e.g., public key, allowed IPs).",
                 "produces": [
                     "application/json"
@@ -882,16 +877,16 @@
                             "$ref": "#/definitions/models.Error"
                         }
                     }
-                }
+                },
-            }
-        },
-        "/peer/prepare/{id}": {
-            "get": {
                 "security": [
                     {
                         "BasicAuth": []
                     }
-                ],
+                ]
+            }
+        },
+        "/peer/prepare/{id}": {
+            "get": {
                 "description": "This endpoint is used to prepare a new peer record. The returned data contains a fresh key pair and valid ip address.",
                 "produces": [
                     "application/json"
@@ -947,16 +942,16 @@
                             "$ref": "#/definitions/models.Error"
                         }
                     }
-                }
+                },
-            }
-        },
-        "/provisioning/data/peer-config": {
-            "get": {
                 "security": [
                     {
                         "BasicAuth": []
                     }
-                ],
+                ]
+            }
+        },
+        "/provisioning/data/peer-config": {
+            "get": {
                 "description": "Normal users can only access their own record. Admins can access all records.",
                 "produces": [
                     "text/plain",
@@ -1013,16 +1008,16 @@
                             "$ref": "#/definitions/models.Error"
                         }
                     }
-                }
+                },
-            }
-        },
-        "/provisioning/data/peer-qr": {
-            "get": {
                 "security": [
                     {
                         "BasicAuth": []
                     }
-                ],
+                ]
+            }
+        },
+        "/provisioning/data/peer-qr": {
+            "get": {
                 "description": "Normal users can only access their own record. Admins can access all records.",
                 "produces": [
                     "image/png",
@@ -1079,16 +1074,16 @@
                             "$ref": "#/definitions/models.Error"
                         }
                     }
-                }
+                },
-            }
-        },
-        "/provisioning/data/user-info": {
-            "get": {
                 "security": [
                     {
                         "BasicAuth": []
                     }
-                ],
+                ]
+            }
+        },
+        "/provisioning/data/user-info": {
+            "get": {
                 "description": "Normal users can only access their own record. Admins can access all records.",
                 "produces": [
                     "application/json"
@@ -1149,16 +1144,16 @@
                             "$ref": "#/definitions/models.Error"
                         }
                     }
-                }
+                },
-            }
-        },
-        "/provisioning/new-peer": {
-            "post": {
                 "security": [
                     {
                         "BasicAuth": []
                     }
-                ],
+                ]
+            }
+        },
+        "/provisioning/new-peer": {
+            "post": {
                 "description": "Normal users can only create new peers if self provisioning is allowed. Admins can always add new peers.",
                 "produces": [
                     "application/json"
@@ -1216,16 +1211,16 @@
                             "$ref": "#/definitions/models.Error"
                         }
                     }
-                }
+                },
-            }
-        },
-        "/user/all": {
-            "get": {
                 "security": [
                     {
                         "BasicAuth": []
                     }
-                ],
+                ]
+            }
+        },
+        "/user/all": {
+            "get": {
                 "produces": [
                     "application/json"
                 ],
@@ -1256,16 +1251,16 @@
                             "$ref": "#/definitions/models.Error"
                         }
                     }
-                }
+                },
-            }
-        },
-        "/user/by-id/{id}": {
-            "get": {
                 "security": [
                     {
                         "BasicAuth": []
                     }
-                ],
+                ]
+            }
+        },
+        "/user/by-id/{id}": {
+            "get": {
                 "description": "Normal users can only access their own record. Admins can access all records.",
                 "produces": [
                     "application/json"
@@ -1315,14 +1310,14 @@
                             "$ref": "#/definitions/models.Error"
                         }
                     }
-                }
+                },
-            },
-            "put": {
                 "security": [
                     {
                         "BasicAuth": []
                     }
-                ],
+                ]
+            },
+            "put": {
                 "description": "Only admins can update existing records.",
                 "produces": [
                     "application/json"
@@ -1387,14 +1382,14 @@
                             "$ref": "#/definitions/models.Error"
                         }
                     }
-                }
+                },
-            },
-            "delete": {
                 "security": [
                     {
                         "BasicAuth": []
                     }
-                ],
+                ]
+            },
+            "delete": {
                 "produces": [
                     "application/json"
                 ],
@@ -1446,16 +1441,16 @@
                             "$ref": "#/definitions/models.Error"
                         }
                     }
-                }
+                },
-            }
-        },
-        "/user/new": {
-            "post": {
                 "security": [
                     {
                         "BasicAuth": []
                     }
-                ],
+                ]
+            }
+        },
+        "/user/new": {
+            "post": {
                 "description": "Only admins can create new records.",
                 "produces": [
                     "application/json"
@@ -1513,7 +1508,12 @@
                             "$ref": "#/definitions/models.Error"
                         }
                     }
-                }
+                },
+                "security": [
+                    {
+                        "BasicAuth": []
+                    }
+                ]
             }
         }
     },

internal/app/api/v0/backend/user_service.go

@@ -2,6 +2,8 @@ package backend
 
 import (
 	"context"
+	"fmt"
+	"strings"
 
 	"github.com/h44z/wg-portal/internal/config"
 	"github.com/h44z/wg-portal/internal/domain"
@@ -70,6 +72,44 @@ func (u UserService) DeactivateApi(ctx context.Context, id domain.UserIdentifier
 	return u.users.DeactivateApi(ctx, id)
 }
 
+func (u UserService) ChangePassword(ctx context.Context, id domain.UserIdentifier, oldPassword, newPassword string) (*domain.User, error) {
+	oldPassword = strings.TrimSpace(oldPassword)
+	newPassword = strings.TrimSpace(newPassword)
+
+	if newPassword == "" {
+		return nil, fmt.Errorf("new password must not be empty")
+	}
+
+	// ensure that the new password is different from the old one
+	if oldPassword == newPassword {
+		return nil, fmt.Errorf("new password must be different from the old one")
+	}
+
+	user, err := u.users.GetUser(ctx, id)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get user: %w", err)
+	}
+
+	// ensure that the user uses the database backend; otherwise we can't change the password
+	if user.Source != domain.UserSourceDatabase {
+		return nil, fmt.Errorf("user source %s does not support password changes", user.Source)
+	}
+
+	// validate old password
+	if user.CheckPassword(oldPassword) != nil {
+		return nil, fmt.Errorf("current password is invalid")
+	}
+
+	user.Password = domain.PrivateString(newPassword)
+
+	// ensure that the new password is strong enough
+	if err := user.HasWeakPassword(u.cfg.Auth.MinPasswordLength); err != nil {
+		return nil, err
+	}
+
+	return u.users.UpdateUser(ctx, user)
+}
+
 func (u UserService) GetUserPeers(ctx context.Context, id domain.UserIdentifier) ([]domain.Peer, error) {
 	return u.wg.GetUserPeers(ctx, id)
 }

internal/app/api/v0/handlers/endpoint_users.go

@@ -28,6 +28,8 @@ type UserService interface {
 	ActivateApi(ctx context.Context, id domain.UserIdentifier) (*domain.User, error)
 	// DeactivateApi disables the API for the user with the given id.
 	DeactivateApi(ctx context.Context, id domain.UserIdentifier) (*domain.User, error)
+	// ChangePassword changes the password for the user with the given id.
+	ChangePassword(ctx context.Context, id domain.UserIdentifier, oldPassword, newPassword string) (*domain.User, error)
 	// GetUserPeers returns all peers for the given user.
 	GetUserPeers(ctx context.Context, id domain.UserIdentifier) ([]domain.Peer, error)
 	// GetUserPeerStats returns all peer stats for the given user.
@@ -75,6 +77,7 @@ func (e UserEndpoint) RegisterRoutes(g *routegroup.Bundle) {
 	apiGroup.With(e.authenticator.UserIdMatch("id")).HandleFunc("GET /{id}/interfaces", e.handleInterfacesGet())
 	apiGroup.With(e.authenticator.UserIdMatch("id")).HandleFunc("POST /{id}/api/enable", e.handleApiEnablePost())
 	apiGroup.With(e.authenticator.UserIdMatch("id")).HandleFunc("POST /{id}/api/disable", e.handleApiDisablePost())
+	apiGroup.With(e.authenticator.UserIdMatch("id")).HandleFunc("POST /{id}/change-password", e.handleChangePasswordPost())
 }
 
 // handleAllGet returns a gorm Handler function.
@@ -391,3 +394,68 @@ func (e UserEndpoint) handleApiDisablePost() http.HandlerFunc {
 		respond.JSON(w, http.StatusOK, model.NewUser(user, false))
 	}
 }
+
+// handleChangePasswordPost returns a gorm Handler function.
+//
+// @ID users_handleChangePasswordPost
+// @Tags Users
+// @Summary Change the password for the given user.
+// @Produce json
+// @Success 200 {object} model.User
+// @Failure 400 {object} model.Error
+// @Failure 500 {object} model.Error
+// @Router /user/{id}/change-password [post]
+func (e UserEndpoint) handleChangePasswordPost() http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		userId := Base64UrlDecode(request.Path(r, "id"))
+		if userId == "" {
+			respond.JSON(w, http.StatusBadRequest,
+				model.Error{Code: http.StatusInternalServerError, Message: "missing id parameter"})
+			return
+		}
+
+		var passwordData struct {
+			OldPassword    string `json:"OldPassword"`
+			Password       string `json:"Password"`
+			PasswordRepeat string `json:"PasswordRepeat"`
+		}
+		if err := request.BodyJson(r, &passwordData); err != nil {
+			respond.JSON(w, http.StatusBadRequest, model.Error{Code: http.StatusBadRequest, Message: err.Error()})
+			return
+		}
+
+		if passwordData.OldPassword == "" {
+			respond.JSON(w, http.StatusBadRequest,
+				model.Error{Code: http.StatusBadRequest, Message: "old password missing"})
+			return
+		}
+
+		if passwordData.Password == "" {
+			respond.JSON(w, http.StatusBadRequest,
+				model.Error{Code: http.StatusBadRequest, Message: "new password missing"})
+			return
+		}
+
+		if passwordData.OldPassword == passwordData.Password {
+			respond.JSON(w, http.StatusBadRequest,
+				model.Error{Code: http.StatusBadRequest, Message: "password did not change"})
+			return
+		}
+
+		if passwordData.Password != passwordData.PasswordRepeat {
+			respond.JSON(w, http.StatusBadRequest,
+				model.Error{Code: http.StatusBadRequest, Message: "password mismatch"})
+			return
+		}
+
+		user, err := e.userService.ChangePassword(r.Context(), domain.UserIdentifier(userId),
+			passwordData.OldPassword, passwordData.Password)
+		if err != nil {
+			respond.JSON(w, http.StatusInternalServerError,
+				model.Error{Code: http.StatusInternalServerError, Message: err.Error()})
+			return
+		}
+
+		respond.JSON(w, http.StatusOK, model.NewUser(user, false))
+	}
+}

internal/app/api/v1/handlers/endpoint_interface.go

@@ -48,12 +48,12 @@ func (e InterfaceEndpoint) RegisterRoutes(g *routegroup.Bundle) {
 	apiGroup.Use(e.authenticator.LoggedIn(ScopeAdmin))
 
 	apiGroup.HandleFunc("GET /all", e.handleAllGet())
-	apiGroup.HandleFunc("GET /by-id/{id}", e.handleByIdGet())
+	apiGroup.HandleFunc("GET /by-id/{id...}", e.handleByIdGet())
 
 	apiGroup.HandleFunc("GET /prepare", e.handlePrepareGet())
 	apiGroup.HandleFunc("POST /new", e.handleCreatePost())
-	apiGroup.HandleFunc("PUT /by-id/{id}", e.handleUpdatePut())
+	apiGroup.HandleFunc("PUT /by-id/{id...}", e.handleUpdatePut())
-	apiGroup.HandleFunc("DELETE /by-id/{id}", e.handleDelete())
+	apiGroup.HandleFunc("DELETE /by-id/{id...}", e.handleDelete())
 }
 
 // handleAllGet returns a gorm Handler function.

internal/app/api/v1/handlers/endpoint_metrics.go

@@ -44,10 +44,10 @@ func (e MetricsEndpoint) RegisterRoutes(g *routegroup.Bundle) {
 	apiGroup := g.Mount("/metrics")
 	apiGroup.Use(e.authenticator.LoggedIn())
 
-	apiGroup.With(e.authenticator.LoggedIn(ScopeAdmin)).HandleFunc("GET /by-interface/{id}",
+	apiGroup.With(e.authenticator.LoggedIn(ScopeAdmin)).HandleFunc("GET /by-interface/{id...}",
 		e.handleMetricsForInterfaceGet())
-	apiGroup.HandleFunc("GET /by-user/{id}", e.handleMetricsForUserGet())
+	apiGroup.HandleFunc("GET /by-user/{id...}", e.handleMetricsForUserGet())
-	apiGroup.HandleFunc("GET /by-peer/{id}", e.handleMetricsForPeerGet())
+	apiGroup.HandleFunc("GET /by-peer/{id...}", e.handleMetricsForPeerGet())
 }
 
 // handleMetricsForInterfaceGet returns a gorm Handler function.

internal/app/api/v1/handlers/endpoint_peer.go

@@ -47,15 +47,15 @@ func (e PeerEndpoint) RegisterRoutes(g *routegroup.Bundle) {
 	apiGroup := g.Mount("/peer")
 	apiGroup.Use(e.authenticator.LoggedIn())
 
-	apiGroup.With(e.authenticator.LoggedIn(ScopeAdmin)).HandleFunc("GET /by-interface/{id}",
+	apiGroup.With(e.authenticator.LoggedIn(ScopeAdmin)).HandleFunc("GET /by-interface/{id...}",
 		e.handleAllForInterfaceGet())
-	apiGroup.HandleFunc("GET /by-user/{id}", e.handleAllForUserGet())
+	apiGroup.HandleFunc("GET /by-user/{id...}", e.handleAllForUserGet())
-	apiGroup.HandleFunc("GET /by-id/{id}", e.handleByIdGet())
+	apiGroup.HandleFunc("GET /by-id/{id...}", e.handleByIdGet())
 
-	apiGroup.With(e.authenticator.LoggedIn(ScopeAdmin)).HandleFunc("GET /prepare/{id}", e.handlePrepareGet())
+	apiGroup.With(e.authenticator.LoggedIn(ScopeAdmin)).HandleFunc("GET /prepare/{id...}", e.handlePrepareGet())
 	apiGroup.With(e.authenticator.LoggedIn(ScopeAdmin)).HandleFunc("POST /new", e.handleCreatePost())
-	apiGroup.With(e.authenticator.LoggedIn(ScopeAdmin)).HandleFunc("PUT /by-id/{id}", e.handleUpdatePut())
+	apiGroup.With(e.authenticator.LoggedIn(ScopeAdmin)).HandleFunc("PUT /by-id/{id...}", e.handleUpdatePut())
-	apiGroup.With(e.authenticator.LoggedIn(ScopeAdmin)).HandleFunc("DELETE /by-id/{id}", e.handleDelete())
+	apiGroup.With(e.authenticator.LoggedIn(ScopeAdmin)).HandleFunc("DELETE /by-id/{id...}", e.handleDelete())
 }
 
 // handleAllForInterfaceGet returns a gorm Handler function.

internal/app/api/v1/handlers/endpoint_user.go

@@ -47,10 +47,10 @@ func (e UserEndpoint) RegisterRoutes(g *routegroup.Bundle) {
 	apiGroup.Use(e.authenticator.LoggedIn())
 
 	apiGroup.With(e.authenticator.LoggedIn(ScopeAdmin)).HandleFunc("GET /all", e.handleAllGet())
-	apiGroup.HandleFunc("GET /by-id/{id}", e.handleByIdGet())
+	apiGroup.HandleFunc("GET /by-id/{id...}", e.handleByIdGet())
 	apiGroup.With(e.authenticator.LoggedIn(ScopeAdmin)).HandleFunc("POST /new", e.handleCreatePost())
-	apiGroup.With(e.authenticator.LoggedIn(ScopeAdmin)).HandleFunc("PUT /by-id/{id}", e.handleUpdatePut())
+	apiGroup.With(e.authenticator.LoggedIn(ScopeAdmin)).HandleFunc("PUT /by-id/{id...}", e.handleUpdatePut())
-	apiGroup.With(e.authenticator.LoggedIn(ScopeAdmin)).HandleFunc("DELETE /by-id/{id}", e.handleDelete())
+	apiGroup.With(e.authenticator.LoggedIn(ScopeAdmin)).HandleFunc("DELETE /by-id/{id...}", e.handleDelete())
 }
 
 // handleAllGet returns a gorm Handler function.