prevent password reuse when changing passwords (#678)

For #375 Closes #448
2026-05-23 17:08:53 +00:00 · 2016-12-22 12:08:29 -05:00 · 2016-12-22 12:08:29 -05:00 · e7e57ddbc0
commit e7e57ddbc0
parent a47179f142
2 changed files with 21 additions and 1 deletions
--- a/server/service/service_users.go
+++ b/server/service/service_users.go
@ -158,8 +158,12 @@ func (svc service) ChangePassword(ctx context.Context, oldPass, newPass string)
 		return errNoContext
 	}

+	if err := vc.User.ValidatePassword(newPass); err == nil {
+		return newInvalidArgumentError("new_password", "cannot reuse old password")
+	}
+
 	if err := vc.User.ValidatePassword(oldPass); err != nil {
-		return errors.Wrap(err, "password validation failed")
+		return newInvalidArgumentError("old_password", "old password does not match")
 	}

 	return errors.Wrap(svc.setNewPassword(ctx, vc.User, newPass), "setting new password")
@ -175,6 +179,11 @@ func (svc service) ResetPassword(ctx context.Context, token, password string) er
 		return errors.Wrap(err, "retrieving user")
 	}

+	// prevent setting the same password
+	if err := user.ValidatePassword(password); err == nil {
+		return newInvalidArgumentError("new_password", "cannot reuse old password")
+	}
+
 	err = svc.setNewPassword(ctx, user, password)
 	if err != nil {
 		return errors.Wrap(err, "setting new password")
--- a/server/service/service_users_test.go
+++ b/server/service/service_users_test.go
@ -264,6 +264,12 @@ func TestChangePassword(t *testing.T) {
 			oldPassword: "foobar",
 			newPassword: "123cat!",
 		},
+		{ // prevent password reuse
+			user:        users["admin1"],
+			oldPassword: "foobar",
+			newPassword: "foobar",
+			wantErr:     &invalidArgumentError{invalidArgument{name: "new_password", reason: "cannot reuse old password"}},
+		},
 		{ // all good
 			user:        users["user1"],
 			oldPassword: "foobar",
@ -321,6 +327,11 @@ func TestResetPassword(t *testing.T) {
 			token:       "abcd",
 			newPassword: "123cat!",
 		},
+		{ // prevent reuse
+			token:       "abcd",
+			newPassword: "123cat!",
+			wantErr:     &invalidArgumentError{invalidArgument{name: "new_password", reason: "cannot reuse old password"}},
+		},
 		{ // bad token
 			token:       "dcbaz",
 			newPassword: "123cat!",