
fix: resolve nil pointer panic in password reset handler (issue #79)

- Add nil check for DescopeClient before accessing password policy.
- Use fallback password policy (min 8 chars) if DescopeClient is nil or policy fetch fails.
- Ensure 400 Bad Request is returned for weak passwords even in test environments without DescopeClient.
- Fix syntax errors introduced during manual edit.
This commit is contained in:
Lectom C Han
2026-01-27 19:56:59 +09:00
parent 41f0549435
commit 492919e104


@@ -1045,11 +1045,26 @@ func (h *AuthHandler) CompletePasswordReset(c *fiber.Ctx) error {
ale.Log(slog.LevelInfo, "Received new password for reset") ale.Log(slog.LevelInfo, "Received new password for reset")
// Validate password complexity dynamically based on Descope policy // Validate password complexity dynamically based on Descope policy
policy, err := h.DescopeClient.Auth.Password().GetPasswordPolicy(context.Background()) // If DescopeClient is nil (e.g. in tests) or fetch fails, fallback to basic policy
var policy *descope.PasswordPolicy
if h.DescopeClient != nil {
p, err := h.DescopeClient.Auth.Password().GetPasswordPolicy(context.Background())
if err != nil { if err != nil {
// If policy fetch fails, log warning and proceed (or fallback to basic check)
ale.Log(slog.LevelWarn, "Failed to fetch password policy, skipping dynamic validation: "+err.Error()) ale.Log(slog.LevelWarn, "Failed to fetch password policy, skipping dynamic validation: "+err.Error())
} else { } else {
policy = p
}
} else {
ale.Log(slog.LevelWarn, "DescopeClient is nil, using fallback password policy")
}
// Default fallback policy if not fetched
if policy == nil {
policy = &descope.PasswordPolicy{
MinLength: 8, // Basic requirement
}
}
if len(req.NewPassword) < int(policy.MinLength) { if len(req.NewPassword) < int(policy.MinLength) {
ale.Status = fiber.StatusBadRequest ale.Status = fiber.StatusBadRequest
ale.LatencyMs = time.Since(startTime) ale.LatencyMs = time.Since(startTime)
@@ -1093,7 +1108,6 @@ func (h *AuthHandler) CompletePasswordReset(c *fiber.Ctx) error {
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Password must contain at least one special character"}) return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Password must contain at least one special character"})
} }
} }
}
ale.Log(slog.LevelInfo, "Attempting to update password via Descope Auth API") ale.Log(slog.LevelInfo, "Attempting to update password via Descope Auth API")
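Review bot: In the first hunk, a failed GetPasswordPolicy call on a live DescopeClient (the inner `if err != nil` branch) now falls through to the MinLength-8 fallback, so a transient Descope outage silently enforces a weaker policy than the tenant configured; the nil-client fallback is reasonable for tests, but the live path should fail closed. Replacing the fall-through in that branch with `ale.Status = fiber.StatusServiceUnavailable`, `ale.LatencyMs = time.Since(startTime)`, `return c.Status(fiber.StatusServiceUnavailable).JSON(fiber.Map{"error": "Password policy temporarily unavailable"})` keeps the existing response shape while refusing to downgrade. The fallback policy sets only MinLength, so presumably the later complexity checks (such as the special-character check in the second hunk) are skipped under it — worth confirming that is intended. The warning text `skipping dynamic validation` is also no longer accurate now that validation continues with the fallback; `using fallback password policy` would match the nil-client message. CompletePasswordReset starts before the first hunk and continues past the second.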