feature: implement strong password policy for signup and reset-password

[PranavObliterates]

🔒 Fixes #90

Summary

This PR implements a comprehensive strong password policy for user authentication to enhance account security across the Edulume platform.

Changes Made

New Files

• server/utils/passwordValidator.js: Created a new utility module for password validation with comprehensive security checks

Modified Files

• server/routes/auth.js:
  • Added import for password validation utilities
  • Updated /signup route to use strong password validation
  • Updated /reset-password route to use strong password validation

Password Policy Requirements

The new password policy enforces the following requirements:

✅ Minimum 8 characters long
✅ At least one uppercase letter (A-Z)
✅ At least one lowercase letter (a-z)
✅ At least one number (0-9)
✅ At least one special character (!@#$%^&*...)
✅ Not a common/weak password (e.g., 'password', '123456')
✅ No sequential characters (e.g., 'abc', '123')
✅ No repeated characters (e.g., 'aaa', '111')

Validation Examples

❌ Passwords that will be REJECTED:

• password → Too common
• Pass123 → No special character, too short
• Password1 → No special character
• Password123! → Contains sequential characters
• Passss123! → Contains repeated characters
• 123456 → Too common, no letters
• Abc123! → Too short (only 7 characters)

✅ Passwords that will be ACCEPTED:

• MyP@ssw0rd!
• Secure#Pass123
• C0mpl3x!Pass
• Str0ng&Secur3

Implementation Details

Backend Validation

• Password validation occurs on the server side in both /signup and /reset-password endpoints
• Clear, detailed error messages are returned to users
  

[PranavObliterates]

@Community-Programmer please review and merge.
Thanks for this opportunity to contribute to this wonderful repo!
If any changes you need then let me know

[Community-Programmer]

Use Zod + zxcvbn (if needed) and remove the custom validator.
Please verify the policy is fully aligned with frontend validation and reuse the same schema to keep messages consistent. Consider this together with PR #85 and specifically check that it reflects the intent of #85

[PranavObliterates]

@Community-Programmer please review and let me know

✅ Updated based on review feedback

Changes made:

• ✅ Replaced custom validator with Zod schema validation
• ✅ Aligned password validation with PR Added password security (visibility toggle, strength meter, generator) #85 frontend PasswordInput component
• ✅ Ensured frontend and backend use the same validation criteria:
  • Minimum 8 characters
  • At least one uppercase letter
  • At least one lowercase letter
  • At least one number
  • At least one special character
• ✅ Reusable schema structure for future validation needs
• ✅ Consistent error messages between frontend and backend

The password policy now matches the strength meter from PR #85 exactly. 🎯

[tarin-lgtm]

Changes Requested 🐈

This PR adds a strong password policy using Zod schemas for signup and reset-password routes, enhancing security and input validation. Reviews found minor bugs, missing documentation, and some code quality issues that need addressing to improve maintainability and clarity.

There are a few things I'd like to see addressed before we merge this:

Before merging

1. Add comprehensive JSDoc comments for all public route handlers and schema files to improve documentation.
2. Fix the import statement typo with the extra space to prevent module resolution errors.
3. Correct the regex for repeated character detection and remove commented-out legacy validation code.

Findings breakdown (32 total)

4 high / 6 medium / 12 low / 10 info

Confidence: 90%

---

🔗 View Full Review Report — detailed findings, severity breakdown, and agent analysis

_{Reviewed by Looks Good To Meow — AI-powered code review}

---

💬 You can interact with me directly in this PR:

• @tarin-lgtm fix [any constraints]
• @tarin-lgtm explain [your question]
• @tarin-lgtm improve [focus area]
• @tarin-lgtm test [what to focus on]