k1nq/TREK
1
0
Fork 0
mirror of https://github.com/mauriceboe/TREK.git synced 2026-06-19 13:21:46 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: enforce consistent password policy across all auth flows

Browse Source 
Replace duplicated inline validation with a shared validatePassword()
utility that checks minimum length (8), rejects repetitive and common
passwords, and requires uppercase, lowercase, a digit, and a special
character.

- Add server/src/services/passwordPolicy.ts as single source of truth
- Apply to registration, password change, and admin create/edit user
  (admin routes previously had zero validation)
- Fix client min-length mismatch (6 vs 8) in RegisterPage and LoginPage
- Add client-side password length guard to AdminPage forms
- Update register.passwordTooShort and settings.passwordWeak i18n keys
  in all 12 locales to reflect the corrected requirements
This commit is contained in:
jubnl
2026-04-01 07:02:53 +02:00
parent ce8d498f2d
commit e03505dca2
18 changed files with 77 additions and 39 deletions
Download Patch File Download Diff File Expand all files Collapse all files
server/src/routes/admin.ts
+8
View File
@@ -10,6 +10,7 @@ import { writeAudit, getClientIp, logInfo } from '../services/auditLog';
import { getAllPermissions, savePermissions, PERMISSION_ACTIONS } from '../services/permissions';
import { revokeUserSessions } from '../mcp';
import { maybe_encrypt_api_key, decrypt_api_key } from '../services/apiKeyCrypto';
import { validatePassword } from '../services/passwordPolicy';
import { updateJwtSecret } from '../config';
const router = express.Router();
@@ -47,6 +48,9 @@ router.post('/users', (req: Request, res: Response) => {
return res.status(400).json({ error: 'Username, email and password are required' });
}
const pwCheck = validatePassword(password.trim());
if (!pwCheck.ok) return res.status(400).json({ error: pwCheck.reason });
if (role && !['user', 'admin'].includes(role)) {
return res.status(400).json({ error: 'Invalid role' });
}
@@ -97,6 +101,10 @@ router.put('/users/:id', (req: Request, res: Response) => {
if (conflict) return res.status(409).json({ error: 'Email already taken' });
}
if (password) {
const pwCheck = validatePassword(password);
if (!pwCheck.ok) return res.status(400).json({ error: pwCheck.reason });
}
const passwordHash = password ? bcrypt.hashSync(password, 12) : null;
db.prepare(`