kitos/Aegis
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

fix(auth): prevent reuse of current password on first-access change
Some checks failed
Aegis CI / lint-and-test (push) Has been cancelled
Details

Browse Source 
When must_change_password is true the user must pick a genuinely new
password. Added a verify_password check against the existing hash before
accepting the new value, raising BusinessRuleViolation if they match.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
kitos
2026-05-28 16:56:47 +02:00
parent 8b035b5c5c
commit 2865846db2
1 changed files with 4 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
backend/app/services/auth_service.py
View File

@@ -41,5 +41,9 @@ def change_password(
""" """
if not verify_password(current_password, user.hashed_password): if not verify_password(current_password, user.hashed_password):
raise BusinessRuleViolation("Current password is incorrect") raise BusinessRuleViolation("Current password is incorrect")
if verify_password(new_password, user.hashed_password):
raise BusinessRuleViolation(
"New password must be different from the current password"
)
user.hashed_password = hash_password(new_password) user.hashed_password = hash_password(new_password)
user.must_change_password = False user.must_change_password = False