Merge pull request #330 from documenso/feat/profile-password-form

feat: avoid user from updating password with the same password

packages/lib/server-only/user/update-password.ts

@@ -1,4 +1,4 @@
-import { hash } from 'bcrypt';
+import { compare, hash } from 'bcrypt';
 
 import { prisma } from '@documenso/prisma';
 
@@ -11,7 +11,7 @@ export type UpdatePasswordOptions = {
 
 export const updatePassword = async ({ userId, password }: UpdatePasswordOptions) => {
   // Existence check
-  await prisma.user.findFirstOrThrow({
+  const user = await prisma.user.findFirstOrThrow({
     where: {
       id: userId,
     },
@@ -19,6 +19,13 @@ export const updatePassword = async ({ userId, password }: UpdatePasswordOptions
 
   const hashedPassword = await hash(password, SALT_ROUNDS);
 
+  // Compare the new password with the old password
+  const isSamePassword = await compare(password, user.password as string);
+
+  if (isSamePassword) {
+    throw new Error('Your new password cannot be the same as your old password.');
+  }
+
   const updatedUser = await prisma.user.update({
     where: {
       id: userId,

packages/trpc/server/profile-router/router.ts

@@ -40,12 +40,16 @@ export const profileRouter = router({
           password,
         });
       } catch (err) {
-        console.error(err);
+        let message =
+          'We were unable to update your profile. Please review the information you provided and try again.';
+
+        if (err instanceof Error) {
+          message = err.message;
+        }
 
         throw new TRPCError({
           code: 'BAD_REQUEST',
-          message:
-            'We were unable to update your profile. Please review the information you provided and try again.',
+          message,
         });
       }
     }),