From 2865846db258f2515cbd7b2794e4f2768f1b965b Mon Sep 17 00:00:00 2001
From: kitos
Date: Thu, 28 May 2026 16:56:47 +0200
Subject: [PATCH] fix(auth): prevent reuse of current password on first-access change

When must_change_password is true the user must pick a genuinely new password. Added a verify_password check against the existing hash before accepting the new value, raising BusinessRuleViolation if they match.

Co-Authored-By: Claude Sonnet 4.6
---
 backend/app/services/auth_service.py | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/backend/app/services/auth_service.py b/backend/app/services/auth_service.py
index 91e34f9..fcb9798 100644
--- a/backend/app/services/auth_service.py
+++ b/backend/app/services/auth_service.py
@@ -41,5 +41,9 @@ def change_password(
     """
     if not verify_password(current_password, user.hashed_password):
         raise BusinessRuleViolation("Current password is incorrect")
+    if verify_password(new_password, user.hashed_password):
+        raise BusinessRuleViolation(
+            "New password must be different from the current password"
+        )
     user.hashed_password = hash_password(new_password)
     user.must_change_password = False
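Review bot: The docstring that closes on the hunk's first context line does not describe the new rejection path; add a `Raises:` entry such as `BusinessRuleViolation: current password is wrong, or new password is identical to the current one`. Comparing the new password against the stored hash instead of against `current_password` is the right choice and deserves a one-line comment, e.g. `# compare via the hash so a value the hasher treats as identical (e.g. after truncation) is also rejected`, since a plain string equality would accept such a value if the hasher truncates or normalizes input; the trade-off is a second slow hash verification per change, which is acceptable here. Nothing visible in the hunk revokes existing sessions or refresh tokens once `user.hashed_password` is replaced; if the caller handles that, fine, otherwise a first-access change leaves any session opened with the temporary password valid. change_password's signature and docstring begin outside the hunk.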