From 9a662476ebe70c7f669fb48e5945a4dc9689f110 Mon Sep 17 00:00:00 2001 From: Prakshitha Malla Date: Mon, 8 Jun 2026 21:56:54 +0530 Subject: [PATCH] security: enforce server-side registration string length and complexity metrics (#345) --- backend/src/controllers/auth.controller.js | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/backend/src/controllers/auth.controller.js b/backend/src/controllers/auth.controller.js index f3dceb1..a0338d4 100644 --- a/backend/src/controllers/auth.controller.js +++ b/backend/src/controllers/auth.controller.js @@ -19,6 +19,18 @@ const getGoogleClient = () => { export async function signup(req, res) { const { name, email, password } = req.body; try { + // STRICT PASSWORD VALIDATION GATEWAY + if (!password || password.length < 8) { + return res.status(400).json({ message: "Password must be at least 8 characters long" }); + } + + const complexityRegex = /^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]{8,}$/; + if (!complexityRegex.test(password)) { + return res.status(400).json({ + message: "Password must contain at least one uppercase letter, one lowercase letter, one number, and one special character" + }); + } + const existing = await User.findOne({ email }); if (existing) return res.status(409).json({ message: "An account with this email already exists" });