Skip to content

feat: require current password when resetting password#4099

Open
lequangsang01 wants to merge 1 commit into
conversejs:masterfrom
lequangsang01:feat/current-password-for-reset
Open

feat: require current password when resetting password#4099
lequangsang01 wants to merge 1 commit into
conversejs:masterfrom
lequangsang01:feat/current-password-for-reset

Conversation

@lequangsang01

Copy link
Copy Markdown

Summary

This PR addresses issue #3120 by adding a current password field to the password reset form. Currently, anyone with access to the browser can change the user's password without knowing the current one, which is a security concern.

Changes

  • Added a "Current password" input field to the password reset form
  • Updated the XMPP IQ stanza to include the <old_password> field when submitting the password change request
  • Added handling for not-authorized error responses (shown when the current password is incorrect)
  • Updated existing tests to include the current password field
  • Added a new test case for incorrect current password scenarios

Technical Details

The form now requires three fields:

  1. Current password (required) - authenticates the user before allowing password change
  2. New password (required) - the new password to set
  3. Confirm new password (required) - ensures the user typed the new password correctly

When the form is submitted, the XMPP registration query includes both the new password and the old password, allowing the server to validate the current credentials before processing the change.

Related Issues

This change adds a current password field to the password reset form,
ensuring that users must provide their current password before they can
set a new one. This prevents unauthorized password changes by anyone
with access to the browser.

Changes:
- Added current_password input field to the password reset form
- Updated the XMPP IQ stanza to include the old_password field
- Added handling for not-authorized error (incorrect current password)
- Updated existing tests and added new test for incorrect password case

Fixes conversejs#3120
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Ask user to provide current password in order to reset password

2 participants