From e9d087cb991f47f0d350cfe9fc02b9ab4fb39b30 Mon Sep 17 00:00:00 2001 From: nikita Date: Mon, 8 Jun 2026 12:08:57 +0530 Subject: [PATCH] Add Password Strength Validation During User Registration --- backend/src/controllers/auth.controller.js | 52 +++++++++++++--------- 1 file changed, 31 insertions(+), 21 deletions(-) diff --git a/backend/src/controllers/auth.controller.js b/backend/src/controllers/auth.controller.js index 9abeb65..e4f89d9 100644 --- a/backend/src/controllers/auth.controller.js +++ b/backend/src/controllers/auth.controller.js @@ -30,31 +30,41 @@ const getGoogleClient = () => { */ export const signup = catchAsync(async (req, res) => { const { name, email, password } = req.body; - const existing = await User.findOne({ email }); - if (existing) { - return res.status(409).json({ message: "An account with this email already exists" }); - } - // Secure password hashing with 10 salt rounds - const hashedPassword = await bcrypt.hash(password, 10); - - // Sanitize string attributes before insertion - const user = await User.create({ - name: name.trim(), - email: email.toLowerCase().trim(), - password: hashedPassword + // Password Strength Validation + const passwordRegex = + /^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&^#()[\]{}\-_=+|\\:;"'<>,./~`]).{8,}$/; + + if (!passwordRegex.test(password)) { + return res.status(400).json({ + message: + "Password must be at least 8 characters long and contain uppercase, lowercase, number, and special character", }); + } - // Set secure HTTP-Only authentication cookie - generateTokenAndSetCookie(user._id, res); - - res.status(201).json({ - _id: user._id, - name: user.name, - email: user.email, - profilePicture: user.profilePicture, - statusMood: user.statusMood || null, + const existing = await User.findOne({ email }); + if (existing) { + return res.status(409).json({ + message: "An account with this email already exists", }); + } + + const hashedPassword = await bcrypt.hash(password, 10); + + const user = await User.create({ + name: name.trim(), + email: email.toLowerCase().trim(), + password: hashedPassword, + }); + + generateTokenAndSetCookie(user._id, res); + + res.status(201).json({ + _id: user._id, + name: user.name, + email: user.email, + profilePicture: user.profilePicture, + }); }); /**