fix: resolve nil pointer panic in password reset handler (issue #79)
- Add nil check for DescopeClient before accessing password policy. - Use fallback password policy (min 8 chars) if DescopeClient is nil or policy fetch fails. - Ensure 400 Bad Request is returned for weak passwords even in test environments without DescopeClient. - Fix syntax errors introduced during manual edit.
This commit is contained in:
@@ -1045,11 +1045,26 @@ func (h *AuthHandler) CompletePasswordReset(c *fiber.Ctx) error {
|
||||
ale.Log(slog.LevelInfo, "Received new password for reset")
|
||||
|
||||
// Validate password complexity dynamically based on Descope policy
|
||||
policy, err := h.DescopeClient.Auth.Password().GetPasswordPolicy(context.Background())
|
||||
// If DescopeClient is nil (e.g. in tests) or fetch fails, fallback to basic policy
|
||||
var policy *descope.PasswordPolicy
|
||||
if h.DescopeClient != nil {
|
||||
p, err := h.DescopeClient.Auth.Password().GetPasswordPolicy(context.Background())
|
||||
if err != nil {
|
||||
// If policy fetch fails, log warning and proceed (or fallback to basic check)
|
||||
ale.Log(slog.LevelWarn, "Failed to fetch password policy, skipping dynamic validation: "+err.Error())
|
||||
} else {
|
||||
policy = p
|
||||
}
|
||||
} else {
|
||||
ale.Log(slog.LevelWarn, "DescopeClient is nil, using fallback password policy")
|
||||
}
|
||||
|
||||
// Default fallback policy if not fetched
|
||||
if policy == nil {
|
||||
policy = &descope.PasswordPolicy{
|
||||
MinLength: 8, // Basic requirement
|
||||
}
|
||||
}
|
||||
|
||||
if len(req.NewPassword) < int(policy.MinLength) {
|
||||
ale.Status = fiber.StatusBadRequest
|
||||
ale.LatencyMs = time.Since(startTime)
|
||||
@@ -1093,7 +1108,6 @@ func (h *AuthHandler) CompletePasswordReset(c *fiber.Ctx) error {
|
||||
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Password must contain at least one special character"})
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
ale.Log(slog.LevelInfo, "Attempting to update password via Descope Auth API")
|
||||
|
||||
|
||||
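Review bot: The new fallback fails open: when `h.DescopeClient` is non-nil but `GetPasswordPolicy` returns an error, the handler only logs a warning and continues with a policy of `MinLength: 8`, so a transient Descope outage in production downgrades password acceptance to a single length check (the later character-class checks presumably key off policy fields the fallback leaves at zero). Reserve the fallback for the nil-client test case and fail closed on a fetch error, e.g. `return c.Status(fiber.StatusServiceUnavailable).JSON(fiber.Map{"error": "Password policy unavailable"})` in place of the warn-and-continue branch. The warning text `"skipping dynamic validation"` is also inaccurate now that a fallback policy is applied; `"using fallback password policy"`, as in the nil-client branch, would describe what actually happens. `context.Background()` carries no deadline, so the policy fetch is unbounded; the request's `c.UserContext()` or a `context.WithTimeout` would bound it. CompletePasswordReset starts and ends outside the hunk.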