fix security vulnerability with update password API route

This commit is contained in:
Amruth Pillai
2025-01-24 21:13:24 +01:00
parent 460a40711e
commit 4c90cc1838
7 changed files with 1155 additions and 1165 deletions


@ -173,8 +173,11 @@ export class AuthController {
@Patch("password")
@UseGuards(TwoFactorGuard)
async updatePassword(@User("email") email: string, @Body() { password }: UpdatePasswordDto) {
await this.authService.updatePassword(email, password);
async updatePassword(
@User("email") email: string,
@Body() { currentPassword, newPassword }: UpdatePasswordDto,
) {
await this.authService.updatePassword(email, currentPassword, newPassword);
return { message: "Your password has been successfully updated." };
}
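Review bot: The rewritten `updatePassword` signature on the controller has no TSDoc, so a reader of this file cannot tell that the request is rejected unless `currentPassword` matches the stored hash and that accounts without a local password are refused; add above `@Patch("password")` a comment such as `/** Changes the signed-in user's password. The service verifies `currentPassword` against the stored hash before applying `newPassword`, and rejects accounts that only have an OAuth login. */`. The shape of `UpdatePasswordDto` (including any length rule on `newPassword`) is changed in a file outside this chunk and is not visible here. The enclosing `AuthController` class starts and ends outside the hunk.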


@ -159,11 +159,19 @@ export class AuthService {
await this.mailService.sendEmail({ to: email, subject, text });
}
async updatePassword(email: string, password: string) {
const hashedPassword = await this.hash(password);
async updatePassword(email: string, currentPassword: string, newPassword: string) {
const user = await this.userService.findOneByIdentifierOrThrow(email);
if (!user.secrets?.password) {
throw new BadRequestException(ErrorMessage.OAuthUser);
}
await this.validatePassword(currentPassword, user.secrets.password);
const newHashedPassword = await this.hash(newPassword);
await this.userService.updateByEmail(email, {
secrets: { update: { password: hashedPassword } },
secrets: { update: { password: newHashedPassword } },
});
}
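Review bot: The result of `await this.validatePassword(currentPassword, user.secrets.password)` is discarded, so the check only protects the update if `validatePassword` throws on a mismatch; if it returns a boolean, a wrong current password still reaches `updateByEmail`, so either confirm it throws or change the line to `if (!(await this.validatePassword(currentPassword, user.secrets.password))) throw new BadRequestException(ErrorMessage.InvalidCredentials);` using whichever error message the service already defines. A successful change also leaves any previously issued session untouched; if the secrets record stores a refresh token, clearing it in the same `updateByEmail` call would force a captured session to re-authenticate after the password changes. The method would also benefit from a TSDoc stating that it throws `BadRequestException` with `ErrorMessage.OAuthUser` when no local password is stored. The enclosing `AuthService` class continues outside the hunk.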