Skip to content

fix(auth): verify current password on password changes#14034

Merged
erichare merged 2 commits into
release-1.10.3from
fix/le-1780-password-change-validation-backport
Jul 14, 2026
Merged

fix(auth): verify current password on password changes#14034
erichare merged 2 commits into
release-1.10.3from
fix/le-1780-password-change-validation-backport

Conversation

@erichare

@erichare erichare commented Jul 13, 2026

Copy link
Copy Markdown
Collaborator

Summary

  • require users to confirm their current password before changing it
  • preserve self-only account targeting and the existing password-reuse check
  • update the Settings form/request contract and all locale files
  • add positive and negative regression coverage

Validation

  • owning users API module: 20 passed
  • focused password-change tests: 5 passed
  • legacy reset-password test: 1 passed
  • Ruff, Biome, and pre-commit hooks
  • frontend production build

Scope note

This change does not introduce a new password-complexity policy because the release line has no established minimum-length or character-class standard. That remains a separate product decision.

Summary by CodeRabbit

  • New Features

    • Password changes now require the current password and a different new password.
    • Added validation for incorrect, missing, or reused passwords and unauthorized account targets.
    • Updated the settings form with a current-password field and responsive layout.
    • Added localized labels and validation messages in supported languages.
  • Bug Fixes

    • Improved password reset security and clearer validation feedback.
  • Tests

    • Expanded coverage for successful and rejected password reset scenarios.

@coderabbitai

coderabbitai Bot commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: e65d8088-7770-43df-94d0-b7d6cffa146d

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review

Walkthrough

The password reset flow now requires both the current and new passwords. Backend schemas and validation, frontend form state and localization, and unit tests were updated accordingly. Secret-detection baseline entries were regenerated.

Changes

Password reset flow

Layer / File(s) Summary
Backend reset contract and validation
src/backend/base/langflow/api/v1/schemas/__init__.py, src/backend/base/langflow/api/v1/users.py, src/backend/tests/unit/api/v1/test_users.py, src/backend/tests/unit/test_user.py
Adds PasswordResetRequest, validates the current password and target user, rejects password reuse, and expands endpoint test coverage.
Frontend password reset form and state
src/frontend/src/types/api/index.ts, src/frontend/src/types/components/index.ts, src/frontend/src/constants/constants.ts, src/frontend/src/pages/SettingsPage/..., src/frontend/src/locales/*
Adds current-password state, request typing, form validation, responsive input rendering, reset handling, and translations across supported locales.
Secret baseline regeneration
.secrets.baseline
Regenerates affected secret baseline hashes and line numbers and updates the generation timestamp.

Estimated code review effort: 3 (Moderate) | ~30 minutes

Sequence Diagram(s)

sequenceDiagram
  participant PasswordForm
  participant GeneralPage
  participant reset_password
  participant UserRecord
  PasswordForm->>GeneralPage: Submit currentPassword and password
  GeneralPage->>reset_password: PATCH reset-password request
  reset_password->>UserRecord: Verify current password and update password
  UserRecord-->>reset_password: Return updated user record
  reset_password-->>GeneralPage: Return reset result
Loading

Suggested reviewers: vjgit96, gs-costa, cristhianzl, ramgopalsrikar, jordanrfrazier


Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 1 warning)

Check name Status Explanation Resolution
Test Coverage For New Implementations ❌ Error Backend reset-password tests were added, but the new frontend password-reset flow has no corresponding unit/integration tests in the PR. Add frontend tests for GeneralPage/PasswordForm (or the reset-password hook) covering current-password input, submit payload, validation, and success/error cases; keep the backend regression tests.
Test Quality And Coverage ⚠️ Warning Backend reset-password tests are thorough, but I found no frontend test coverage for the new current-password settings flow, so overall coverage is incomplete. Add Playwright coverage for the settings password form: current-password field, successful reset, mismatch, invalid current password, and missing-field validation.
✅ Passed checks (7 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the main change: requiring verification of the current password before allowing password changes.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Test File Naming And Structure ✅ Passed Touched backend tests are proper test_*.py pytest modules with descriptive async test names, fixtures, and positive/negative cases; no frontend test files were added.
Excessive Mock Usage Warning ✅ Passed No mock libraries/usages found in the changed tests; they exercise real API calls with DB-backed fixtures and user auth flows.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/le-1780-password-change-validation-backport

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@github-actions github-actions Bot added the bug Something isn't working label Jul 13, 2026
@erichare erichare marked this pull request as ready for review July 13, 2026 19:47
@github-actions

Copy link
Copy Markdown
Contributor

⚠️ Test Coverage Advisor — tests appear to be missing

This PR changes source code but does not add or modify any test files.
This is an advisory check: it will not block this PR or any other job —
please add tests if the change is testable.

Frontend (TS/TSX) — no *.test.* / *.spec.* / tests/ change found

src/frontend/src/constants/constants.ts
src/frontend/src/pages/SettingsPage/pages/GeneralPage/components/PasswordForm/index.tsx
src/frontend/src/pages/SettingsPage/pages/GeneralPage/index.tsx
src/frontend/src/types/api/index.ts
src/frontend/src/types/components/index.ts

Advisory check only — it always passes and is never a required status.

@erichare erichare requested a review from Adam-Aghili July 13, 2026 19:49
@github-actions github-actions Bot added bug Something isn't working and removed bug Something isn't working labels Jul 13, 2026

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
src/backend/base/langflow/api/v1/users.py (1)

144-145: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Dead guard: if not user is unreachable here.

CurrentActiveUser already guarantees a non-null active user, and Line 141 (user_id != user.id) dereferences user.id before this check — so if not user can never be true. Safe to drop.

♻️ Suggested cleanup
     if user_id != user.id:
         raise HTTPException(status_code=404, detail="You can't change another user's password")

-    if not user:
-        raise HTTPException(status_code=404, detail="User not found")
-
     auth = get_auth_service()
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/backend/base/langflow/api/v1/users.py` around lines 144 - 145, Remove the
unreachable `if not user` guard and its 404 exception from the user endpoint,
leaving the existing `CurrentActiveUser` dependency and `user_id != user.id`
validation unchanged.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@src/backend/base/langflow/api/v1/users.py`:
- Around line 144-145: Remove the unreachable `if not user` guard and its 404
exception from the user endpoint, leaving the existing `CurrentActiveUser`
dependency and `user_id != user.id` validation unchanged.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 5994e45c-c835-4200-b65a-c5c5113a55e4

📥 Commits

Reviewing files that changed from the base of the PR and between 2433e87 and e5bd21a.

📒 Files selected for processing (17)
  • .secrets.baseline
  • src/backend/base/langflow/api/v1/schemas/__init__.py
  • src/backend/base/langflow/api/v1/users.py
  • src/backend/tests/unit/api/v1/test_users.py
  • src/backend/tests/unit/test_user.py
  • src/frontend/src/constants/constants.ts
  • src/frontend/src/locales/de.json
  • src/frontend/src/locales/en.json
  • src/frontend/src/locales/es.json
  • src/frontend/src/locales/fr.json
  • src/frontend/src/locales/ja.json
  • src/frontend/src/locales/pt.json
  • src/frontend/src/locales/zh-Hans.json
  • src/frontend/src/pages/SettingsPage/pages/GeneralPage/components/PasswordForm/index.tsx
  • src/frontend/src/pages/SettingsPage/pages/GeneralPage/index.tsx
  • src/frontend/src/types/api/index.ts
  • src/frontend/src/types/components/index.ts

@github-actions github-actions Bot added bug Something isn't working and removed bug Something isn't working labels Jul 13, 2026
@github-actions

Copy link
Copy Markdown
Contributor

Frontend Unit Test Coverage Report

Coverage Summary

Lines Statements Branches Functions
Coverage: 43%
43.53% (58073/133389) 69.2% (7884/11392) 41.56% (1298/3123)

Unit Test Results

Tests Skipped Failures Errors Time
4978 0 💤 0 ❌ 0 🔥 14m 18s ⏱️

@codecov

codecov Bot commented Jul 13, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 17.77778% with 37 lines in your changes missing coverage. Please review.
⚠️ Please upload report for BASE (release-1.10.3@61d6490). Learn more about missing BASE report.

Files with missing lines Patch % Lines
...ages/GeneralPage/components/PasswordForm/index.tsx 0.00% 28 Missing ⚠️
...src/pages/SettingsPage/pages/GeneralPage/index.tsx 25.00% 6 Missing ⚠️
src/frontend/src/types/api/index.ts 0.00% 2 Missing ⚠️
src/frontend/src/types/components/index.ts 0.00% 1 Missing ⚠️
Additional details and impacted files

Impacted file tree graph

@@                Coverage Diff                @@
##             release-1.10.3   #14034   +/-   ##
=================================================
  Coverage                  ?   58.72%           
=================================================
  Files                     ?     2307           
  Lines                     ?   220344           
  Branches                  ?    33028           
=================================================
  Hits                      ?   129402           
  Misses                    ?    89457           
  Partials                  ?     1485           
Flag Coverage Δ
backend 65.83% <100.00%> (?)
frontend 57.92% <7.50%> (?)
lfx 54.65% <ø> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines Coverage Δ
src/backend/base/langflow/api/v1/users.py 74.22% <100.00%> (ø)
src/frontend/src/constants/constants.ts 99.90% <100.00%> (ø)
src/frontend/src/types/components/index.ts 0.00% <0.00%> (ø)
src/frontend/src/types/api/index.ts 0.00% <0.00%> (ø)
...src/pages/SettingsPage/pages/GeneralPage/index.tsx 27.69% <25.00%> (ø)
...ages/GeneralPage/components/PasswordForm/index.tsx 10.52% <0.00%> (ø)
🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@Adam-Aghili Adam-Aghili left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

One comment. do we need a minium password length?

@github-actions github-actions Bot added the lgtm This PR has been approved by a maintainer label Jul 14, 2026
@erichare

Copy link
Copy Markdown
Collaborator Author

@Adam-Aghili Good question. The release line currently has no minimum-length policy on signup or admin-created users either, so I kept this backport scoped to current-password verification instead of introducing an inconsistent rule only on password changes. I called that out in the PR scope note; a minimum-length policy should be handled across all password-entry paths in a follow-up.

@erichare erichare merged commit 16725f0 into release-1.10.3 Jul 14, 2026
317 of 322 checks passed
@erichare erichare deleted the fix/le-1780-password-change-validation-backport branch July 14, 2026 17:40
erichare added a commit that referenced this pull request Jul 14, 2026
* fix(kb): enforce per-user path containment

* fix(security): protect Docling Serve outbound requests (#14033)

* fix(security): protect Docling Serve requests

* fix(docling): support Self on Python 3.10

* [autofix.ci] apply automated fixes

* [autofix.ci] apply automated fixes (attempt 2/3)

* fix(auth): verify current password on password changes (#14034)

* fix(security): harden MCP stdio configuration (#14036)

* fix(security): restrict MCP stdio package sources

* fix(security): block MCP Docker host access

* fix(security): validate embedded MCP stdio configs

* fix: require executable-only MCP commands

* test: use allowed MCP commands in timeout tests

* fix(security): harden component code module access (#14032)

* fix(security): harden component code module access

* fix(security): block native FFI imports in generated code

* fix: track module assignment aliases in code scanner

* fix(security): address alias review findings

* fix: correct deprecated model settings behavior (#14047)

* fix: prevent deprecated model enablement

* test: use supported model in credential cleanup

* fix(voice): enforce flow authorization on websocket (#14043)

* fix(security): block native FFI imports in generated code (#14040)

* fix(security): block native FFI imports in generated code

* fix: track module assignment aliases in code scanner

* chore: resolve code security conflicts

* fix(security): confine AssemblyAI audio file access (#14037)

* fix(security): confine AssemblyAI audio file access

* [autofix.ci] apply automated fixes

* test: stub optional AssemblyAI dependency

* fix(security): harden AssemblyAI file submission

---------

Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>

* fix: track assignment aliases in component code scanner (#14041)

fix: bind loop and comprehension aliases

---------

Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

bug Something isn't working lgtm This PR has been approved by a maintainer

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants