fix security vulnerability with update password API route

apps/artboard/src/pages/artboard.tsx

@@ -1,10 +1,12 @@
 import { useEffect, useMemo } from "react";
+import { Helmet } from "react-helmet-async";
 import { Outlet } from "react-router";
 import webfontloader from "webfontloader";
 
 import { useArtboardStore } from "../store/artboard";
 
 export const ArtboardPage = () => {
+  const name = useArtboardStore((state) => state.resume.basics.name);
   const metadata = useArtboardStore((state) => state.resume.metadata);
 
   const fontString = useMemo(() => {
@@ -57,7 +59,11 @@ export const ArtboardPage = () => {
 
   return (
     <>
-      {metadata.css.visible && <style lang="css">{`[data-page] { ${metadata.css.value} }`}</style>}
+      <Helmet>
+        <title>{name} | Reactive Resume</title>
+
+        {metadata.css.visible && <style lang="css">{metadata.css.value}</style>}
+      </Helmet>
 
       <Outlet />
     </>

apps/client/src/pages/dashboard/settings/_sections/security.tsx

@@ -8,10 +8,10 @@ import {
   Button,
   Form,
   FormControl,
-  FormDescription,
   FormField,
   FormItem,
   FormLabel,
+  FormMessage,
   Input,
 } from "@reactive-resume/ui";
 import { AnimatePresence, motion } from "framer-motion";
@@ -23,16 +23,10 @@ import { useUpdatePassword } from "@/client/services/auth";
 import { useUser } from "@/client/services/user";
 import { useDialog } from "@/client/stores/dialog";
 
-const formSchema = z
-  .object({
-    password: z.string().min(6),
-    confirmPassword: z.string().min(6),
-  })
-  .refine((data) => data.password === data.confirmPassword, {
-    path: ["confirmPassword"],
-    // eslint-disable-next-line lingui/t-call-in-function
-    message: t`The passwords you entered do not match.`,
-  });
+const formSchema = z.object({
+  currentPassword: z.string().min(6),
+  newPassword: z.string().min(6),
+});
 
 type FormValues = z.infer<typeof formSchema>;
 
@@ -44,15 +38,18 @@ export const SecuritySettings = () => {
 
   const form = useForm<FormValues>({
     resolver: zodResolver(formSchema),
-    defaultValues: { password: "", confirmPassword: "" },
+    defaultValues: { currentPassword: "", newPassword: "" },
   });
 
   const onReset = () => {
-    form.reset({ password: "", confirmPassword: "" });
+    form.reset({ currentPassword: "", newPassword: "" });
   };
 
   const onSubmit = async (data: FormValues) => {
-    await updatePassword({ password: data.password });
+    await updatePassword({
+      currentPassword: data.currentPassword,
+      newPassword: data.newPassword,
+    });
 
     toast({
       variant: "success",
@@ -78,32 +75,29 @@ export const SecuritySettings = () => {
             <Form {...form}>
               <form className="grid gap-6 sm:grid-cols-2" onSubmit={form.handleSubmit(onSubmit)}>
                 <FormField
-                  name="password"
+                  name="currentPassword"
                   control={form.control}
                   render={({ field }) => (
                     <FormItem>
-                      <FormLabel>{t`New Password`}</FormLabel>
+                      <FormLabel>{t`Current Password`}</FormLabel>
                       <FormControl>
-                        <Input type="password" autoComplete="new-password" {...field} />
+                        <Input type="password" autoComplete="current-password" {...field} />
                       </FormControl>
+                      <FormMessage />
                     </FormItem>
                   )}
                 />
 
                 <FormField
-                  name="confirmPassword"
+                  name="newPassword"
                   control={form.control}
                   render={({ field, fieldState }) => (
                     <FormItem>
-                      <FormLabel>{t`Confirm New Password`}</FormLabel>
+                      <FormLabel>{t`New Password`}</FormLabel>
                       <FormControl>
                         <Input type="password" autoComplete="new-password" {...field} />
                       </FormControl>
-                      {fieldState.error && (
-                        <FormDescription className="text-error-foreground">
-                          {fieldState.error.message}
-                        </FormDescription>
-                      )}
+                      <FormMessage />
                     </FormItem>
                   )}
                 />

apps/server/src/auth/auth.controller.ts

@@ -173,8 +173,11 @@ export class AuthController {
 
   @Patch("password")
   @UseGuards(TwoFactorGuard)
-  async updatePassword(@User("email") email: string, @Body() { password }: UpdatePasswordDto) {
-    await this.authService.updatePassword(email, password);
+  async updatePassword(
+    @User("email") email: string,
+    @Body() { currentPassword, newPassword }: UpdatePasswordDto,
+  ) {
+    await this.authService.updatePassword(email, currentPassword, newPassword);
 
     return { message: "Your password has been successfully updated." };
   }

apps/server/src/auth/auth.service.ts

@@ -159,11 +159,19 @@ export class AuthService {
     await this.mailService.sendEmail({ to: email, subject, text });
   }
 
-  async updatePassword(email: string, password: string) {
-    const hashedPassword = await this.hash(password);
+  async updatePassword(email: string, currentPassword: string, newPassword: string) {
+    const user = await this.userService.findOneByIdentifierOrThrow(email);
+
+    if (!user.secrets?.password) {
+      throw new BadRequestException(ErrorMessage.OAuthUser);
+    }
+
+    await this.validatePassword(currentPassword, user.secrets.password);
+
+    const newHashedPassword = await this.hash(newPassword);
 
     await this.userService.updateByEmail(email, {
-      secrets: { update: { password: hashedPassword } },
+      secrets: { update: { password: newHashedPassword } },
     });
   }
 

libs/dto/src/auth/update-password.ts

@@ -2,7 +2,8 @@ import { createZodDto } from "nestjs-zod/dto";
 import { z } from "zod";
 
 export const updatePasswordSchema = z.object({
-  password: z.string().min(6),
+  currentPassword: z.string().min(6),
+  newPassword: z.string().min(6),
 });
 
 export class UpdatePasswordDto extends createZodDto(updatePasswordSchema) {}

package.json

@@ -1,7 +1,7 @@
 {
   "name": "@reactive-resume/source",
   "description": "A free and open-source resume builder that simplifies the process of creating, updating, and sharing your resume.",
-  "version": "4.3.10",
+  "version": "4.4.0",
   "license": "MIT",
   "private": true,
   "author": {
@@ -30,7 +30,7 @@
     "messages:extract": "pnpm exec lingui extract --clean --overwrite"
   },
   "devDependencies": {
-    "@babel/core": "^7.26.0",
+    "@babel/core": "^7.26.7",
     "@babel/preset-react": "^7.26.3",
     "@lingui/cli": "^4.14.1",
     "@lingui/conf": "^4.14.1",
@@ -57,7 +57,7 @@
     "@tailwindcss/typography": "^0.5.16",
     "@tanstack/eslint-plugin-query": "^5.64.2",
     "@testing-library/react": "^16.2.0",
-    "@tiptap/core": "^2.11.2",
+    "@tiptap/core": "^2.11.3",
     "@types/async-retry": "^1.4.9",
     "@types/bcryptjs": "^2.4.6",
     "@types/cookie-parser": "^1.4.8",
@@ -69,7 +69,7 @@
     "@types/lodash.get": "^4.4.9",
     "@types/lodash.set": "^4.3.9",
     "@types/multer": "^1.4.12",
-    "@types/node": "^22.10.7",
+    "@types/node": "^22.10.10",
     "@types/nodemailer": "^6.4.17",
     "@types/papaparse": "^5.3.15",
     "@types/passport": "^1.0.17",
@@ -83,8 +83,8 @@
     "@types/react-is": "^18.3.1",
     "@types/retry": "^0.12.5",
     "@types/webfontloader": "^1.6.38",
-    "@typescript-eslint/eslint-plugin": "^8.20.0",
-    "@typescript-eslint/parser": "^8.20.0",
+    "@typescript-eslint/eslint-plugin": "^8.21.0",
+    "@typescript-eslint/parser": "^8.21.0",
     "@vitejs/plugin-react": "^4.3.4",
     "@vitejs/plugin-react-swc": "^3.7.2",
     "@vitest/coverage-v8": "^2.1.8",
@@ -111,13 +111,13 @@
     "postcss-import": "^16.1.0",
     "postcss-nested": "^6.2.0",
     "prettier": "^3.4.2",
-    "prettier-plugin-tailwindcss": "^0.6.10",
+    "prettier-plugin-tailwindcss": "^0.6.11",
     "tailwindcss": "^3.4.17",
     "tailwindcss-animate": "^1.0.7",
     "ts-jest": "^29.2.5",
     "ts-node": "^10.9.2",
     "typescript": "^5.7.3",
-    "vite": "^5.4.11",
+    "vite": "^5.4.14",
     "vite-plugin-dts": "^4.5.0",
     "vitest": "^2.1.8"
   },
@@ -142,46 +142,46 @@
     "@nestjs/platform-express": "^10.4.15",
     "@nestjs/serve-static": "^4.0.2",
     "@nestjs/swagger": "^7.4.2",
-    "@nestjs/terminus": "^10.2.3",
+    "@nestjs/terminus": "^10.3.0",
     "@paralleldrive/cuid2": "^2.2.2",
     "@pdf-lib/fontkit": "^1.1.1",
     "@phosphor-icons/react": "^2.1.7",
     "@prisma/client": "^5.22.0",
     "@radix-ui/react-accordion": "^1.2.2",
-    "@radix-ui/react-alert-dialog": "^1.1.4",
+    "@radix-ui/react-alert-dialog": "^1.1.5",
     "@radix-ui/react-aspect-ratio": "^1.1.1",
     "@radix-ui/react-avatar": "^1.1.2",
     "@radix-ui/react-checkbox": "^1.1.3",
-    "@radix-ui/react-context-menu": "^2.2.4",
-    "@radix-ui/react-dialog": "^1.1.4",
-    "@radix-ui/react-dropdown-menu": "^2.1.4",
-    "@radix-ui/react-hover-card": "^1.1.4",
+    "@radix-ui/react-context-menu": "^2.2.5",
+    "@radix-ui/react-dialog": "^1.1.5",
+    "@radix-ui/react-dropdown-menu": "^2.1.5",
+    "@radix-ui/react-hover-card": "^1.1.5",
     "@radix-ui/react-label": "^2.1.1",
-    "@radix-ui/react-popover": "^1.1.4",
+    "@radix-ui/react-popover": "^1.1.5",
     "@radix-ui/react-portal": "^1.1.3",
     "@radix-ui/react-scroll-area": "^1.2.2",
-    "@radix-ui/react-select": "^2.1.4",
+    "@radix-ui/react-select": "^2.1.5",
     "@radix-ui/react-separator": "^1.1.1",
     "@radix-ui/react-slider": "^1.2.2",
     "@radix-ui/react-slot": "^1.1.1",
     "@radix-ui/react-switch": "^1.1.2",
     "@radix-ui/react-tabs": "^1.1.2",
-    "@radix-ui/react-toast": "^1.2.4",
+    "@radix-ui/react-toast": "^1.2.5",
     "@radix-ui/react-toggle": "^1.1.1",
     "@radix-ui/react-toggle-group": "^1.1.1",
-    "@radix-ui/react-tooltip": "^1.1.6",
+    "@radix-ui/react-tooltip": "^1.1.7",
     "@radix-ui/react-visually-hidden": "^1.1.1",
     "@sindresorhus/slugify": "^2.2.1",
     "@swc/helpers": "^0.5.15",
     "@tanstack/react-query": "^5.64.2",
-    "@tiptap/extension-highlight": "^2.11.2",
-    "@tiptap/extension-image": "^2.11.2",
-    "@tiptap/extension-link": "^2.11.2",
-    "@tiptap/extension-text-align": "^2.11.2",
-    "@tiptap/extension-underline": "^2.11.2",
-    "@tiptap/pm": "^2.11.2",
-    "@tiptap/react": "^2.11.2",
-    "@tiptap/starter-kit": "^2.11.2",
+    "@tiptap/extension-highlight": "^2.11.3",
+    "@tiptap/extension-image": "^2.11.3",
+    "@tiptap/extension-link": "^2.11.3",
+    "@tiptap/extension-text-align": "^2.11.3",
+    "@tiptap/extension-underline": "^2.11.3",
+    "@tiptap/pm": "^2.11.3",
+    "@tiptap/react": "^2.11.3",
+    "@tiptap/starter-kit": "^2.11.3",
     "@types/passport-jwt": "^4.0.1",
     "async-retry": "^1.3.3",
     "axios": "^1.7.9",
@@ -195,7 +195,7 @@
     "deepmerge": "^4.3.1",
     "express-session": "^1.18.1",
     "file-saver": "^2.0.5",
-    "framer-motion": "^11.18.1",
+    "framer-motion": "^11.18.2",
     "fuzzy": "^0.1.3",
     "helmet": "^7.2.0",
     "immer": "^10.1.1",
@@ -203,13 +203,13 @@
     "lodash.debounce": "^4.0.8",
     "lodash.get": "^4.4.2",
     "lodash.set": "^4.3.2",
-    "minio": "^8.0.3",
+    "minio": "^8.0.4",
     "nest-raven": "^10.1.0",
     "nestjs-minio-client": "^2.2.0",
     "nestjs-prisma": "^0.24.0",
     "nestjs-zod": "^3.0.0",
-    "nodemailer": "^6.9.16",
-    "openai": "^4.79.1",
+    "nodemailer": "^6.10.0",
+    "openai": "^4.80.1",
     "otplib": "^12.0.1",
     "papaparse": "^5.5.1",
     "passport": "^0.7.0",
@@ -228,7 +228,7 @@
     "react-dom": "^18.3.1",
     "react-helmet-async": "^2.0.5",
     "react-hook-form": "^7.54.2",
-    "react-parallax-tilt": "^1.7.272",
+    "react-parallax-tilt": "^1.7.274",
     "react-resizable-panels": "^2.1.7",
     "react-router": "^7.1.3",
     "react-simple-code-editor": "^0.14.1",