Skip to content

Add Password Strength Validation During User Registration#521

Open
nikita-kashyap-codes wants to merge 1 commit into
UTKARSHH20:mainfrom
nikita-kashyap-codes:main
Open

Add Password Strength Validation During User Registration#521
nikita-kashyap-codes wants to merge 1 commit into
UTKARSHH20:mainfrom
nikita-kashyap-codes:main

Conversation

@nikita-kashyap-codes

@nikita-kashyap-codes nikita-kashyap-codes commented Jun 8, 2026

Copy link
Copy Markdown

This PR enhances user account security by adding password strength validation during user registration. Users must now create passwords that meet minimum security requirements before an account can be created.

Type of Change

  • "Backend"(API routes, MongoDB schemas, Middleware)

Related Issue

Closes #516

Manual Testing

  • Verified weak passwords are rejected.
  • Verified strong passwords are accepted.
  • Verified existing signup flow remains functional.

PR Checklist

  • My code follows the project's style guidelines.
  • I have commented my code, particularly in complex areas (e.g., Smart Contract logic)..
  • My changes generate no new warnings.

Additional Notes

Implemented password validation with the following requirements:

  • Minimum 8 characters
  • At least 1 uppercase letter
  • At least 1 lowercase letter
  • At least 1 number
  • At least 1 special character

Invalid passwords now return a clear validation error message during signup.

Summary by CodeRabbit

  • Security
    • Sign-up passwords now require a combination of uppercase, lowercase, digits, and special characters to strengthen account protection.

@coderabbitai

coderabbitai Bot commented Jun 8, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

The signup endpoint in the auth controller now validates password strength before processing account creation. Weak passwords are rejected with HTTP 400 before any database queries. The success response was updated to exclude the statusMood field while preserving user identity and profile data.

Changes

Password Strength Validation and Response Update

Layer / File(s) Summary
Signup handler password validation and response update
backend/src/controllers/auth.controller.js
Password validation enforces a minimum 8-character requirement with at least one uppercase letter, one lowercase letter, one digit, and one special character via regex. Non-matching passwords are rejected with HTTP 400 before database lookup. The HTTP 201 response payload is updated to omit statusMood while retaining _id, name, email, and profilePicture.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Possibly related issues

Possibly related PRs

  • UTKARSHH20/fullstack-chat-app#309 — Frontend strong password regex/checklist/feedback changes for signup that complement this backend password validation enforcement.

Suggested labels

quality:exceptional, level:intermediate

Suggested reviewers

  • UTKARSHH20

Poem

🐰 A rabbit hops through password gates,
Strong rules now guard authentication's fates,
Eight chars, capitals, and digits shine,
Special symbols in the line,
Weak passwords bounce—security's divine! ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Out of Scope Changes check ⚠️ Warning The change removes statusMood from the signup response payload, which is unrelated to the password validation objective and may break client expectations. Restore the statusMood field in the signup response or justify the removal in a separate issue if intentional.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly and concisely summarizes the main change: adding password strength validation during user registration, which matches the core objective of the PR.
Linked Issues check ✅ Passed The implementation meets all coding requirements from issue #516: password validation with regex (lowercase, uppercase, digits, special character), 400 HTTP response for invalid passwords, and preservation of existing signup flow.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@backend/src/controllers/auth.controller.js`:
- Around line 45-50: Normalize the incoming email before performing the
duplicate lookup so it matches how users are created: compute a normalizedEmail
(e.g., email.toLowerCase().trim()) and use User.findOne({ email: normalizedEmail
}) for the duplicate check, then reuse normalizedEmail when creating the user so
User.findOne, the duplicate check, and the creation all use the same normalized
value.
- Around line 62-67: The signup response omits the statusMood field causing an
inconsistent API shape versus login and googleAuth; update the signup response
in the signup handler to include statusMood: user.statusMood || null (same key
and fallback used by login and googleAuth) so the returned payloads from signup,
login, and googleAuth are consistent; locate the signup function in
auth.controller.js and add the statusMood property to the res.status(201).json
object alongside _id, name, email, and profilePicture.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: f4d2b086-b8cb-4799-9f03-1d34e4f45d96

📥 Commits

Reviewing files that changed from the base of the PR and between 52b8fa6 and e9d087c.

📒 Files selected for processing (1)
  • backend/src/controllers/auth.controller.js

Comment on lines +45 to +50
const existing = await User.findOne({ email });
if (existing) {
return res.status(409).json({
message: "An account with this email already exists",
});
}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Critical: Email duplicate check must normalize the email consistently with user creation.

The duplicate check queries using the raw email parameter, but line 56 creates the user with email.toLowerCase().trim(). This normalization mismatch allows the duplicate check to pass for emails that differ only in casing (e.g., "Test@Example.com" vs "test@example.com"), which will either:

  • Create duplicate accounts if the database lacks a case-insensitive unique constraint, or
  • Cause a database constraint violation error after the duplicate check passed
🔧 Proposed fix
-    const existing = await User.findOne({ email });
+    const existing = await User.findOne({ email: email.toLowerCase().trim() });
     if (existing) {
         return res.status(409).json({
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
const existing = await User.findOne({ email });
if (existing) {
return res.status(409).json({
message: "An account with this email already exists",
});
}
const existing = await User.findOne({ email: email.toLowerCase().trim() });
if (existing) {
return res.status(409).json({
message: "An account with this email already exists",
});
}
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@backend/src/controllers/auth.controller.js` around lines 45 - 50, Normalize
the incoming email before performing the duplicate lookup so it matches how
users are created: compute a normalizedEmail (e.g., email.toLowerCase().trim())
and use User.findOne({ email: normalizedEmail }) for the duplicate check, then
reuse normalizedEmail when creating the user so User.findOne, the duplicate
check, and the creation all use the same normalized value.

Comment on lines +62 to +67
res.status(201).json({
_id: user._id,
name: user.name,
email: user.email,
profilePicture: user.profilePicture,
});

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

API contract inconsistency: Response payload omits statusMood field.

The signup response returns only _id, name, email, and profilePicture, but the login (line 96) and googleAuth (line 149) endpoints include statusMood: user.statusMood || null. This creates an inconsistent API shape across authentication endpoints.

Impact:
The frontend stores the entire response as authUser (see context snippet 1). The Settings page initializes state from authUser?.statusMood (see context snippet 2). After signup, statusMood will be undefined, but after login/OAuth it will be present. This asymmetry can cause UI inconsistencies or require special handling in downstream components.

🔧 Proposed fix for consistency
     res.status(201).json({
         _id: user._id,
         name: user.name,
         email: user.email,
         profilePicture: user.profilePicture,
+        statusMood: user.statusMood || null,
     });
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
res.status(201).json({
_id: user._id,
name: user.name,
email: user.email,
profilePicture: user.profilePicture,
});
res.status(201).json({
_id: user._id,
name: user.name,
email: user.email,
profilePicture: user.profilePicture,
statusMood: user.statusMood || null,
});
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@backend/src/controllers/auth.controller.js` around lines 62 - 67, The signup
response omits the statusMood field causing an inconsistent API shape versus
login and googleAuth; update the signup response in the signup handler to
include statusMood: user.statusMood || null (same key and fallback used by login
and googleAuth) so the returned payloads from signup, login, and googleAuth are
consistent; locate the signup function in auth.controller.js and add the
statusMood property to the res.status(201).json object alongside _id, name,
email, and profilePicture.

@nikita-kashyap-codes

Copy link
Copy Markdown
Author

hi,@UTKARSHH20 please review my pr

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Add Password Strength Validation During User Registration

1 participant