
enforce password policy complexity on profile update #1662

Open
Abhishek2005-ard wants to merge 3 commits into aryandas2911:main from Abhishek2005-ard:fix/password-policy-bypass-profile-update

Conversation

@Abhishek2005-ard

Contributor

Summary

This PR addresses a password policy bypass vulnerability in the profile update (updateProfile) endpoint. Previously, password complexity constraints (minimum 8 characters, at least one uppercase letter, one digit, and one special character) were only validated during signup. Users could update their password to weak passwords via the profile settings, bypassing these requirements.

Changes

  • Updated the updateProfile function in backend/controllers/authController.js.
  • Added a validation check to require both currentPassword and newPassword when a password change is requested.
  • Implemented validation for newPassword against the application's standard password complexity regular expression: /^(?=.*[A-Z])(?=.*\d)(?=.*[^A-Za-z0-9]).{8,}$/.
  • Returned an HTTP 400 response code with a descriptive validation error message upon check failures.

Testing & Verification

  • Validated name-only updates to ensure they continue to succeed.
  • Verified that providing one password field without the other fails with a 400 error.
  • Verified that providing a weak new password fails validation and returns a 400 error.
  • Ran code linter (npm run lint) to ensure styling is consistent.

close #1650
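The check this PR describes, written out as a standalone validator so the rules can be exercised directly. This is an added illustration, not the project's updateProfile from backend/controllers/authController.js; the request body shape (currentPassword, newPassword, name) and the error-message wording are assumptions, while the regex is the one quoted above.

```javascript
// Added example, not the project's code. The policy regex is the one the PR
// description quotes; field names and messages are assumed for illustration.
const PASSWORD_POLICY = /^(?=.*[A-Z])(?=.*\d)(?=.*[^A-Za-z0-9]).{8,}$/;

// Individual rules behind PASSWORD_POLICY, so a 400 response can say which
// requirement failed instead of only "invalid password".
const POLICY_RULES = [
  { test: (pw) => pw.length >= 8, message: 'at least 8 characters' },
  { test: (pw) => /[A-Z]/.test(pw), message: 'one uppercase letter' },
  { test: (pw) => /\d/.test(pw), message: 'one digit' },
  { test: (pw) => /[^A-Za-z0-9]/.test(pw), message: 'one special character' },
];

// Returns the list of unmet requirements; an empty array means the password
// satisfies PASSWORD_POLICY. Non-string input (e.g. a JSON number or object
// sent in the body) is treated as failing every rule rather than coerced.
function passwordPolicyViolations(pw) {
  if (typeof pw !== 'string') return POLICY_RULES.map((r) => r.message);
  const failed = POLICY_RULES.filter((r) => !r.test(pw)).map((r) => r.message);
  // Sanity check: the per-rule view must agree with the single regex.
  if ((failed.length === 0) !== PASSWORD_POLICY.test(pw)) {
    throw new Error('policy rules and PASSWORD_POLICY disagree');
  }
  return failed;
}

// Validation step for a profile update body. Returns null when the update may
// proceed (including name-only updates with no password fields), otherwise an
// object describing the 400 response to send.
function validatePasswordChange(body) {
  const { currentPassword, newPassword } = body;
  const passwordChangeRequested =
    currentPassword !== undefined || newPassword !== undefined;
  if (!passwordChangeRequested) return null; // name-only update, no policy check

  // Both fields are required together; supplying only one is rejected.
  if (!currentPassword || !newPassword) {
    return {
      status: 400,
      message: 'currentPassword and newPassword are both required to change the password',
    };
  }
  const violations = passwordPolicyViolations(newPassword);
  if (violations.length > 0) {
    return { status: 400, message: `Password must contain ${violations.join(', ')}` };
  }
  return null; // caller then verifies currentPassword and saves the new hash
}
```

In the handler, this runs before the current-password comparison and before any write, so a weak newPassword never reaches the hashing step.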
