
fix: enforce password policy on profile update#74

Merged
krishnapaljadeja merged 2 commits into gdg-charusat:main from Atibali:fix/password-policy-profile-update
Mar 1, 2026

Conversation

@Atibali
Contributor

@Atibali Atibali commented Feb 27, 2026

Team Number : Team 137

Description

Fixes a security bug where PUT /api/auth/profile accepted weak newPassword values (e.g. "1"), allowing password policy bypass during profile update.

Related Issue

Closes #60

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update
  • Code refactoring
  • Performance improvement
  • Style/UI improvement

Changes Made

  • Added validateProfileUpdate middleware in src/controllers/auth.controller.js.
  • Added validation handling in updateProfile controller using validationResult.
  • Wired profile update route to use validation middleware in src/routes/auth.routes.js.
  • Added service-layer guard in src/services/auth.service.js to enforce min password length (>= 6) before hashing/updating password.

Testing

  • Code builds/runs successfully (module load sanity check)
  • Manual API validation tested via Postman
  • Tested on Desktop (Chrome/Firefox/Safari)
  • Tested on Mobile (iOS/Android)
  • Tested responsive design (different screen sizes)
  • No console errors or warnings
  • Code builds successfully (npm run build)

Manual verification:

  1. Login with valid user and token.
  2. Call PUT /api/auth/profile with:
    { "currentPassword": "secret123", "newPassword": "1" }
  3. Confirm API returns 400 and password is not updated.
  4. Retry with strong password (length >= 6) and valid current password; confirm update succeeds.

Checklist

  • My code follows the project's code style guidelines
  • I have performed a self-review of my code
  • I have commented my code where necessary
  • My changes generate no new warnings
  • I have tested my changes thoroughly
  • All TypeScript types are properly defined
  • Tailwind CSS classes are used appropriately (no inline styles)
  • Component is responsive across different screen sizes
  • I have read and followed the CONTRIBUTING.md guidelines

Additional Notes

This fix applies defense-in-depth:

  • Request-level validation rejects weak input early.
  • Service-level policy check prevents bypass even if route validation is skipped.

@krishnapaljadeja krishnapaljadeja self-requested a review February 27, 2026 11:24
@krishnapaljadeja krishnapaljadeja added the invalid-pr PR is missing required information label Feb 27, 2026
@krishnapaljadeja
Contributor

⚠️ PR Validation Failed

Hey @Atibali! Your PR is missing a required field:

Team Number missing — add your team number anywhere in the PR description.
Example: Team 07

How to fix:

  1. Click the pencil ✏️ icon on your PR description
  2. Add your team number (e.g. Team 07)
  3. Save — this check will re-run automatically

GDG CHARUSAT Open Source Contri Sprintathon

@krishnapaljadeja krishnapaljadeja added needs-review Valid issue-linked PR awaiting review and removed invalid-pr PR is missing required information labels Feb 27, 2026
@krishnapaljadeja
Contributor

✅ PR Validation Passed

Hey @Atibali! Your PR looks good. Here is what we found:

Team Number: Team 137
Linked Issue: Closes #60

A maintainer will review your PR within 24–48 hours. Stay responsive to feedback!


@krishnapaljadeja
Contributor

@Atibali can you please resolve the conflicts and rebase it. Thank you.

@Atibali Atibali force-pushed the fix/password-policy-profile-update branch from ea4b41f to daaf59e March 1, 2026 00:06
@krishnapaljadeja krishnapaljadeja merged commit 6f923f2 into gdg-charusat:main Mar 1, 2026
1 check passed
@krishnapaljadeja
Contributor

🎉 PR Merged — Points Awarded!

Congratulations @Atibali! Your contribution has been merged.

Repo: Code_duel_backend
Team: Team 137
Contributor: @Atibali
Level: Level 1 — Beginner
Points Awarded: 5 pts
Source: Linked Issue #60

The central leaderboard has been updated. Keep contributing!



Labels

needs-review Valid issue-linked PR awaiting review


Development

Successfully merging this pull request may close these issues.

Weak Password Accepted via PUT /api/auth/profile (Password Policy Bypass)

2 participants