fix(auth): enforce zxcvbn strength check on password reset (#3721) (#3730)

* fix(auth): enforce zxcvbn strength check on password reset (#3721)

The reset handler was calling hashPassword directly without first calling
checkPassword, allowing weak passwords through the token-based reset flow.
Add checkPassword call before hash (mirroring updatePassword), and add an
integration test asserting weak passwords are rejected with 422.

* test(auth): add checkPassword mock to silent-catch unit test

The auth.service mock in auth.silent.catch.unit.tests.js was missing
checkPassword, causing the reset handler to throw a TypeError when the
fix calls AuthService.checkPassword(). Add it as a pass-through stub.

* fix(auth): coerce newPassword to string before checkPassword in reset

Mirrors the String() coercion already applied to token and email inputs
in the same handler; guards against non-string body values reaching zxcvbn.

Author: PierreBrisorgueil

modules/auth/controllers/auth.password.controller.js

@@ -89,12 +89,14 @@ const reset = async (req, res) => {
   // check input
   if (!req.body.token || !req.body.newPassword) return responses.error(res, 400, 'Bad Request', 'Password or Token fields must not be blank')();
   const token = String(req.body.token);
+  const newPassword = String(req.body.newPassword);
   // get user by token, update with new password, login again
   try {
     user = await UserService.getBrut({ resetPasswordToken: token });
     if (!user || !user.email) return responses.error(res, 400, 'Bad Request', 'Password reset token is invalid or has expired.')();
+    const checkedPassword = AuthService.checkPassword(newPassword);
     const edit = {
-      password: await AuthService.hashPassword(req.body.newPassword),
+      password: await AuthService.hashPassword(checkedPassword),
       resetPasswordToken: null,
       resetPasswordExpires: null,
     };

modules/auth/tests/auth.integration.tests.js

@@ -1245,6 +1245,37 @@ describe('Auth integration tests:', () => {
       }
     });
 
+    test('should reject password reset with a weak password (zxcvbn strength gate)', async () => {
+      // Trigger forgot to generate a reset token (email send fails in test env, which is expected)
+      try {
+        await agent.post('/api/auth/forgot').send({ email: credentials[0].email }).expect(400);
+      } catch (err) {
+        console.log(err);
+        expect(err).toBeFalsy();
+      }
+
+      // Fetch the token directly via UserService
+      let resetToken;
+      try {
+        const userWithToken = await UserService.getBrut({ email: credentials[0].email });
+        resetToken = userWithToken.resetPasswordToken;
+        expect(resetToken).toBeDefined();
+      } catch (err) {
+        console.log(err);
+        expect(err).toBeFalsy();
+      }
+
+      // Attempt reset with a weak password — must be rejected with 422
+      try {
+        const result = await agent.post('/api/auth/reset').send({ token: resetToken, newPassword: 'password' }).expect(422);
+        expect(result.body.message).toBe('Unprocessable Entity');
+        expect(result.body.description).toBe('Password too weak.');
+      } catch (err) {
+        console.log(err);
+        expect(err).toBeFalsy();
+      }
+    });
+
     test('should successfully reset password with a valid token', async () => {
       // Trigger forgot to generate a reset token (email send fails in test env, which is expected)
       try {

modules/auth/tests/auth.silent.catch.unit.tests.js

@@ -184,7 +184,7 @@ describe('auth.password.controller silent-catch error logging:', () => {
       }));
 
       jest.unstable_mockModule('../../../modules/auth/services/auth.service.js', () => ({
-        default: { hashPassword: jest.fn().mockResolvedValue('hashed') },
+        default: { checkPassword: jest.fn().mockReturnValue('NewP@ss1!'), hashPassword: jest.fn().mockResolvedValue('hashed') },
       }));
 
       // sendMail rejects