Lots of Bugfixes (#1426)

* Fixed bookmarks not being able to load due to missing [AllowAnonymous]

* Downgraded Docnet to 2.4.0-alpha2 which is the version we added our patches to. This might fix reports of broken PDF reading on ARM

* Updated all but one api in collections to admin only policy

* Ensure all config folders are created or exist on first load

* Ensure plugins can authenticate

* Updated some headers we use on Kavita to tighten security.

* Tightened up cover upload flow to restrict more APIs to only the admin

* Enhanced the reset password flow to ensure that the user passes their existing password in (if already authenticated). Admins can still change other users without having existing password.

* Removed an additional copy during build and copied over the prod appsettings and not Development.

* Fixed up the caching mechanism for cover resets and migrated to profiles. Left an etag filter for reference.

* Fixed up manual jump key calculation to include period in #

* Added jumpbar to reading lists page

* Fixed a double scrollbar on library detail page

* Fixed weird scroll issues with want to read

* Fixed a bug where remove from want to read list wasn't hooked up on series card

* Cleaned up Clear bookmarks to use a dedicated api for bulk clearing. Converted Bookmark page to OnPush.

* Fixed jump bar being offset when clicking a jump key

* Ensure we don't overflow on add to reading list

* Fixed a bad name format on reading list items

API/Controllers/AccountController.cs

@@ -79,14 +79,25 @@ namespace API.Controllers
 
             var user = await _userManager.Users.SingleOrDefaultAsync(x => x.UserName == resetPasswordDto.UserName);
             if (user == null) return Ok(); // Don't report BadRequest as that would allow brute forcing to find accounts on system
+            var isAdmin = User.IsInRole(PolicyConstants.AdminRole);
 
 
-            if (resetPasswordDto.UserName == User.GetUsername() && !(User.IsInRole(PolicyConstants.ChangePasswordRole) || User.IsInRole(PolicyConstants.AdminRole)))
+            if (resetPasswordDto.UserName == User.GetUsername() && !(User.IsInRole(PolicyConstants.ChangePasswordRole) || isAdmin))
                 return Unauthorized("You are not permitted to this operation.");
 
-            if (resetPasswordDto.UserName != User.GetUsername() && !User.IsInRole(PolicyConstants.AdminRole))
+            if (resetPasswordDto.UserName != User.GetUsername() && !isAdmin)
                 return Unauthorized("You are not permitted to this operation.");
 
+            if (string.IsNullOrEmpty(resetPasswordDto.OldPassword) && !isAdmin)
+                return BadRequest(new ApiException(400, "You must enter your existing password to change your account unless you're an admin"));
+
+            // If you're an admin and the username isn't yours, you don't need to validate the password
+            var isResettingOtherUser = (resetPasswordDto.UserName != User.GetUsername() && isAdmin);
+            if (!isResettingOtherUser && !await _userManager.CheckPasswordAsync(user, resetPasswordDto.OldPassword))
+            {
+                return BadRequest("Invalid Password");
+            }
+
             var errors = await _accountService.ChangeUserPassword(user, resetPasswordDto.Password);
             if (errors.Any())
             {