Avoid user from setting the same old password

2025-11-12 15:53:02 +10:00 · 2023-06-05 16:36:16 +00:00
parent 4136811e32
commit 2b9a2ff250
3 changed files with 29 additions and 3 deletions
--- a/apps/web/pages/api/auth/forgot-password.ts
+++ b/apps/web/pages/api/auth/forgot-password.ts
@ -1,5 +1,5 @@
 import { NextApiRequest, NextApiResponse } from "next";
-import { sendResetPassword, sendResetPasswordSuccessMail } from "@documenso/lib/mail";
+import { sendResetPassword } from "@documenso/lib/mail";
 import { defaultHandler, defaultResponder } from "@documenso/lib/server";
 import prisma from "@documenso/prisma";
 import crypto from "crypto";
--- a/apps/web/pages/api/auth/reset-password.ts
+++ b/apps/web/pages/api/auth/reset-password.ts
@ -1,5 +1,5 @@
 import { NextApiRequest, NextApiResponse } from "next";
-import { hashPassword } from "@documenso/lib/auth";
+import { hashPassword, verifyPassword } from "@documenso/lib/auth";
 import { sendResetPasswordSuccessMail } from "@documenso/lib/mail";
 import { defaultHandler, defaultResponder } from "@documenso/lib/server";
 import prisma from "@documenso/prisma";
@ -22,7 +22,15 @@ async function postHandler(req: NextApiRequest, res: NextApiResponse) {
  });

  if (!foundToken) {
-    return res.status(400).json({ message: "Invalid token." });
+    return res.status(404).json({ message: "Invalid token." });
+  }
+
+  const isSamePassword = await verifyPassword(password, foundToken.User.password!);
+
+  if (isSamePassword) {
+    return res
+      .status(400)
+      .json({ message: "New password must be different from the current password." });
  }

  const hashedPassword = await hashPassword(password);