Skip to content

fix(auth): hash new password in updatePassword to stop plaintext storage (#3925)#3937

Merged
PierreBrisorgueil merged 1 commit into
masterfrom
fix/updatepassword-hash
Jul 2, 2026
Merged

fix(auth): hash new password in updatePassword to stop plaintext storage (#3925)#3937
PierreBrisorgueil merged 1 commit into
masterfrom
fix/updatepassword-hash

Conversation

@PierreBrisorgueil

Copy link
Copy Markdown
Contributor

Problem

The change-password endpoint validated strength then persisted the raw password — the User model has no pre-save hash hook, so the new password was stored in plaintext, and the next bcrypt.compare login failed against it (self-lockout). The sibling reset() in the same file hashes correctly.

Fix

Hash before persisting, mirroring reset(): checkPasswordhashPasswordUserService.update. Inside the existing try, so the weak-password 422 path is unchanged; response still strips the password via removeSensitive.

Test

Strengthened the success-path integration test to read the stored value (asserts it matches /^$2[aby]$/, not the plaintext) and round-trip a real signin with the new password (200) and the old (401). Verified red-green: reverting the fix makes the test fail on the plaintext value.

Follow-up (out of scope, downstream ops)

Remediating any already-corrupted plaintext rows in a running deployment is a downstream-operations task, not part of this devkit fix.

Closes #3925

https://claude.ai/code/session_01V1mhCDsSUnn3WGtevd3YFX

…age + self-lockout (#3925)

The change-password handler validated strength via checkPassword (zxcvbn only,
returns the raw string) then persisted it verbatim. The user model has no
pre-save hash hook, so the new password landed in the DB in plaintext — storing
credentials at rest AND locking the user out on next signin (comparePassword
compares the entered password against the stored plaintext, never matching).

Mirror the sibling reset() path: hashPassword(checkedPassword) before persisting.

Tests: strengthen the change-password success test to read the stored value and
assert bcrypt format (/^$2[aby]$/), plus a runtime signin oracle (new password
authenticates, old one 401). This bug shipped undetected because no test ever
checked the persisted value. Verified the strengthened test fails on the
pre-fix code.

Follow-up (out of scope, downstream ops): remediate any already-corrupted rows
with a plaintext password persisted before this fix.
@coderabbitai

coderabbitai Bot commented Jul 2, 2026

Copy link
Copy Markdown

Warning

Review limit reached

@PierreBrisorgueil, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 59 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: c3435d46-4a3c-481f-b32f-412c0cd92f48

📥 Commits

Reviewing files that changed from the base of the PR and between 7916876 and 212a793.

📒 Files selected for processing (2)
  • modules/auth/controllers/auth.password.controller.js
  • modules/users/tests/user.account.integration.tests.js
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/updatepassword-hash

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@codecov

codecov Bot commented Jul 2, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.68%. Comparing base (7916876) to head (212a793).

Additional details and impacted files
@@           Coverage Diff           @@
##           master    #3937   +/-   ##
=======================================
  Coverage   92.67%   92.68%           
=======================================
  Files         169      169           
  Lines        5546     5547    +1     
  Branches     1782     1783    +1     
=======================================
+ Hits         5140     5141    +1     
  Misses        326      326           
  Partials       80       80           
Flag Coverage Δ
integration 61.07% <100.00%> (+<0.01%) ⬆️
unit 74.27% <0.00%> (-0.02%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.


Continue to review full report in Codecov by Harness.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 7916876...212a793. Read the comment docs.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@PierreBrisorgueil PierreBrisorgueil merged commit e8ef982 into master Jul 2, 2026
8 checks passed
@PierreBrisorgueil PierreBrisorgueil deleted the fix/updatepassword-hash branch July 2, 2026 12:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

🔒 updatePassword persists the new password in plaintext (+ self-lockout)

1 participant