fix(auth): verify current password on password changes#14034
Conversation
|
Important Review skippedAuto incremental reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
WalkthroughThe password reset flow now requires both the current and new passwords. Backend schemas and validation, frontend form state and localization, and unit tests were updated accordingly. Secret-detection baseline entries were regenerated. ChangesPassword reset flow
Estimated code review effort: 3 (Moderate) | ~30 minutes Sequence Diagram(s)sequenceDiagram
participant PasswordForm
participant GeneralPage
participant reset_password
participant UserRecord
PasswordForm->>GeneralPage: Submit currentPassword and password
GeneralPage->>reset_password: PATCH reset-password request
reset_password->>UserRecord: Verify current password and update password
UserRecord-->>reset_password: Return updated user record
reset_password-->>GeneralPage: Return reset result
Suggested reviewers: Important Pre-merge checks failedPlease resolve all errors before merging. Addressing warnings is optional. ❌ Failed checks (1 error, 1 warning)
✅ Passed checks (7 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
There was a problem hiding this comment.
🧹 Nitpick comments (1)
src/backend/base/langflow/api/v1/users.py (1)
144-145: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low valueDead guard:
if not useris unreachable here.
CurrentActiveUseralready guarantees a non-null active user, and Line 141 (user_id != user.id) dereferencesuser.idbefore this check — soif not usercan never be true. Safe to drop.♻️ Suggested cleanup
if user_id != user.id: raise HTTPException(status_code=404, detail="You can't change another user's password") - if not user: - raise HTTPException(status_code=404, detail="User not found") - auth = get_auth_service()🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@src/backend/base/langflow/api/v1/users.py` around lines 144 - 145, Remove the unreachable `if not user` guard and its 404 exception from the user endpoint, leaving the existing `CurrentActiveUser` dependency and `user_id != user.id` validation unchanged.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In `@src/backend/base/langflow/api/v1/users.py`:
- Around line 144-145: Remove the unreachable `if not user` guard and its 404
exception from the user endpoint, leaving the existing `CurrentActiveUser`
dependency and `user_id != user.id` validation unchanged.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: 5994e45c-c835-4200-b65a-c5c5113a55e4
📒 Files selected for processing (17)
.secrets.baselinesrc/backend/base/langflow/api/v1/schemas/__init__.pysrc/backend/base/langflow/api/v1/users.pysrc/backend/tests/unit/api/v1/test_users.pysrc/backend/tests/unit/test_user.pysrc/frontend/src/constants/constants.tssrc/frontend/src/locales/de.jsonsrc/frontend/src/locales/en.jsonsrc/frontend/src/locales/es.jsonsrc/frontend/src/locales/fr.jsonsrc/frontend/src/locales/ja.jsonsrc/frontend/src/locales/pt.jsonsrc/frontend/src/locales/zh-Hans.jsonsrc/frontend/src/pages/SettingsPage/pages/GeneralPage/components/PasswordForm/index.tsxsrc/frontend/src/pages/SettingsPage/pages/GeneralPage/index.tsxsrc/frontend/src/types/api/index.tssrc/frontend/src/types/components/index.ts
Codecov Report❌ Patch coverage is Additional details and impacted files@@ Coverage Diff @@
## release-1.10.3 #14034 +/- ##
=================================================
Coverage ? 58.72%
=================================================
Files ? 2307
Lines ? 220344
Branches ? 33028
=================================================
Hits ? 129402
Misses ? 89457
Partials ? 1485
Flags with carried forward coverage won't be shown. Click here to find out more.
🚀 New features to boost your workflow:
|
Adam-Aghili
left a comment
There was a problem hiding this comment.
LGTM
One comment. do we need a minium password length?
|
@Adam-Aghili Good question. The release line currently has no minimum-length policy on signup or admin-created users either, so I kept this backport scoped to current-password verification instead of introducing an inconsistent rule only on password changes. I called that out in the PR scope note; a minimum-length policy should be handled across all password-entry paths in a follow-up. |
* fix(kb): enforce per-user path containment * fix(security): protect Docling Serve outbound requests (#14033) * fix(security): protect Docling Serve requests * fix(docling): support Self on Python 3.10 * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes (attempt 2/3) * fix(auth): verify current password on password changes (#14034) * fix(security): harden MCP stdio configuration (#14036) * fix(security): restrict MCP stdio package sources * fix(security): block MCP Docker host access * fix(security): validate embedded MCP stdio configs * fix: require executable-only MCP commands * test: use allowed MCP commands in timeout tests * fix(security): harden component code module access (#14032) * fix(security): harden component code module access * fix(security): block native FFI imports in generated code * fix: track module assignment aliases in code scanner * fix(security): address alias review findings * fix: correct deprecated model settings behavior (#14047) * fix: prevent deprecated model enablement * test: use supported model in credential cleanup * fix(voice): enforce flow authorization on websocket (#14043) * fix(security): block native FFI imports in generated code (#14040) * fix(security): block native FFI imports in generated code * fix: track module assignment aliases in code scanner * chore: resolve code security conflicts * fix(security): confine AssemblyAI audio file access (#14037) * fix(security): confine AssemblyAI audio file access * [autofix.ci] apply automated fixes * test: stub optional AssemblyAI dependency * fix(security): harden AssemblyAI file submission --------- Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> * fix: track assignment aliases in component code scanner (#14041) fix: bind loop and comprehension aliases --------- Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Summary
Validation
Scope note
This change does not introduce a new password-complexity policy because the release line has no established minimum-length or character-class standard. That remains a separate product decision.
Summary by CodeRabbit
New Features
Bug Fixes
Tests