feat(core): check password policy before changing password (#6649)

2024-12-30 20:33:54 -05:00 · 2024-10-10 07:55:47 +08:00 · 2024-10-10 07:55:47 +08:00 · 72a57e23cd
commit 72a57e23cd
parent e3be97b528
2 changed files with 20 additions and 2 deletions
--- a/packages/core/src/routes/profile/index.ts
+++ b/packages/core/src/routes/profile/index.ts
@ -12,13 +12,15 @@ import {
  verifyUserSensitivePermission,
 } from '../../libraries/verification.js';
 import assertThat from '../../utils/assert-that.js';
+import { PasswordValidator } from '../experience/classes/libraries/password-validator.js';
 import type { UserRouter, RouterInitArgs } from '../types.js';

 export default function profileRoutes<T extends UserRouter>(
  ...[router, { queries, libraries }]: RouterInitArgs<T>
 ) {
  const {
-    users: { updateUserById },
+    users: { updateUserById, findUserById },
+    signInExperiences: { findDefaultSignInExperience },
  } = queries;

  const {
@ -80,7 +82,10 @@ export default function profileRoutes<T extends UserRouter>(
      const { id: userId } = ctx.auth;
      const { password, verificationRecordId } = ctx.guard.body;

-      // TODO(LOG-9947): apply password policy
+      const user = await findUserById(userId);
+      const signInExperience = await findDefaultSignInExperience();
+      const passwordPolicyChecker = new PasswordValidator(signInExperience.passwordPolicy, user);
+      await passwordPolicyChecker.validatePassword(password, user);

      await verifyUserSensitivePermission({
        userId,
--- a/packages/integration-tests/src/tests/api/profile/index.test.ts
+++ b/packages/integration-tests/src/tests/api/profile/index.test.ts
@ -128,6 +128,19 @@ describe('profile', () => {
      await deleteDefaultTenantUser(user.id);
    });

+    it('should fail if password does not meet the password policy', async () => {
+      const { user, username, password } = await createDefaultTenantUserWithPassword();
+      const api = await signInAndGetUserApi(username, password);
+      const newPassword = '123456';
+
+      await expectRejects(updatePassword(api, 'invalid-varification-record-id', newPassword), {
+        code: 'password.rejected',
+        status: 422,
+      });
+
+      await deleteDefaultTenantUser(user.id);
+    });
+
    it('should be able to update password', async () => {
      const { user, username, password } = await createDefaultTenantUserWithPassword();
      const api = await signInAndGetUserApi(username, password);