From daaf59ebf4a00e395f6bcf0467afd73b8eff70d5 Mon Sep 17 00:00:00 2001
From: Atibali
Date: Fri, 27 Feb 2026 16:45:09 +0530
Subject: [PATCH] fix: enforce password policy on profile update
---
 src/services/auth.service.js | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/src/services/auth.service.js b/src/services/auth.service.js
index ee2b7f2..2ba7b53 100644
--- a/src/services/auth.service.js
+++ b/src/services/auth.service.js
@@ -8,6 +8,8 @@ const logger = require("../utils/logger");
 const { logAudit } = require("../utils/auditLogger");
 const { sendWelcomeEmail, sendPasswordResetEmail } = require("./email.service");
+const MIN_PASSWORD_LENGTH = 6;
+
 /**
 * Register a new user
 */
@@ -146,6 +148,13 @@ const updateProfile = async (userId, updateData) => {
 // If password change requested
 if (newPassword) {
+ if (newPassword.length < MIN_PASSWORD_LENGTH) {
+ throw new AppError(
+ `Password must be at least ${MIN_PASSWORD_LENGTH} characters`,
+ 400
+ );
+ }
+
 if (!currentPassword) {
 throw new AppError("Current password is required", 400);
 }
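Review bot: `MIN_PASSWORD_LENGTH = 6` sets the floor below the 8-character minimum that NIST SP 800-63B gives for user-chosen passwords; consider `const MIN_PASSWORD_LENGTH = 8;`. The constant is declared at module scope, but this patch only uses it in updateProfile. The register and password-reset paths are not visible in the diff, so confirm they enforce the same constant rather than a separate literal, since the effective policy is whichever path is weakest. A one-line comment on the constant such as `// Minimum length for any user-chosen password (register, reset, profile update)` would make that intent explicit.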
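Review bot: The new guard in updateProfile reads `newPassword.length` without checking the type, so a non-string value in updateData is not held to the policy: a number has no `length`, which makes the comparison false, and an array is measured by element count. Unless updateData is schema-validated before it reaches this service (not visible here), write the guard as `if (typeof newPassword !== "string" || newPassword.length < MIN_PASSWORD_LENGTH) {`. No upper bound is set either, which matters if the hashing step further down truncates long input (bcrypt stops at 72 bytes); that code is outside the hunk, so verify. updateProfile begins and ends outside the hunk.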