Updates to change password functionality #5294
Conversation
0xi4o
commented
Oct 6, 2025
0xi4o
commented
- Change password now requires old password to be filled and validated before applying new password
| if (!compareHash(newUserData.oldPassword, oldUserData.credential)) { | ||
| throw new InternalFlowiseError(StatusCodes.UNAUTHORIZED, UserErrorMessage.INVALID_USER_CREDENTIAL) | ||
| } | ||
| if (newUserData.newPassword !== newUserData.confirmPassword) { |
There was a problem hiding this comment.
For consistency, shouldn't this also use the compareHash() function to do the comparison?
There was a problem hiding this comment.
The compareHash function compares a plain-text password to an already-hashed password. It's faster to compare the new password and confirm password in plain-text than hashing one of them and then calling compareHash. The end result is the same.
| // @ts-ignore | ||
| const hash = bcrypt.hashSync(newUserData.password, salt) | ||
| if (newUserData.oldPassword && newUserData.newPassword && newUserData.confirmPassword) { | ||
| if (!oldUserData.credential) { |
There was a problem hiding this comment.
Is this because you can't change your password if you authenticated with social login? If that's the case, is there nothing more explicit on the user model that could be used to drive this condition rather than the presence or absence of a password?
There was a problem hiding this comment.
That's correct. There's no login type column on the user model.
