fix(auth): prevent reuse of current password on first-access change

When must_change_password is true the user must pick a genuinely new
password. Added a verify_password check against the existing hash before
accepting the new value, raising BusinessRuleViolation if they match.
kitos
2026-05-28 16:56:47 +02:00
parent 8d64905739
commit f0bd4b7e7d
+4
@@ -41,5 +41,9 @@ def change_password(
""" """
if not verify_password(current_password, user.hashed_password): if not verify_password(current_password, user.hashed_password):
raise BusinessRuleViolation("Current password is incorrect") raise BusinessRuleViolation("Current password is incorrect")
if verify_password(new_password, user.hashed_password):
raise BusinessRuleViolation(
"New password must be different from the current password"
)
user.hashed_password = hash_password(new_password) user.hashed_password = hash_password(new_password)
user.must_change_password = False user.must_change_password = False
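Review bot: The new reuse check at the `if verify_password(new_password, user.hashed_password):` line runs on every call to change_password, while the title and description scope the rule to the `must_change_password` first-access flow, so either the description should say the rule now applies to all password changes or the check should be gated, e.g. `if user.must_change_password and verify_password(new_password, user.hashed_password):`. This also runs the slow password hash a second time per request right after `current_password` has been verified against the same hash; `new_password == current_password` would be cheaper and equivalent for most hashers, though verifying against the hash has the merit of also catching inputs the hasher treats as identical to the current one, so if that is intended a one-line comment saying so would help the next maintainer. The docstring whose closing `"""` appears in the hunk should document the new rule, e.g. `Raises BusinessRuleViolation if current_password is wrong or new_password matches the current password.`. change_password's signature and docstring body lie outside the hunk.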