feat: check current password on change (#2364)

staaldraad · web-flow · commit 33b87ae0671a · 2026-02-11T12:18:50.000-07:00
## What kind of change does this PR introduce?

feature - allows requiring current password when changing the password


## What is the new behavior?

Adds config flag `update_password_require_current_password`
When set, the currentPassword must be sent in the user update request.
diff --git a/internal/api/apierrors/errorcode.go b/internal/api/apierrors/errorcode.go
@@ -71,6 +71,8 @@ const (
 	ErrorCodeReauthenticationNeeded            ErrorCode = "reauthentication_needed"
 	ErrorCodeSamePassword                      ErrorCode = "same_password"
 	ErrorCodeReauthenticationNotValid          ErrorCode = "reauthentication_not_valid"
+	ErrorCodeCurrentPasswordMismatch           ErrorCode = "current_password_invalid"
+	ErrorCodeCurrentPasswordRequired           ErrorCode = "current_password_required"
 	ErrorCodeOTPExpired                        ErrorCode = "otp_expired"
 	ErrorCodeOTPDisabled                       ErrorCode = "otp_disabled"
 	ErrorCodeIdentityNotFound                  ErrorCode = "identity_not_found"
diff --git a/internal/api/user.go b/internal/api/user.go
@@ -18,6 +18,7 @@ import (
 type UserUpdateParams struct {
 	Email               string                 `json:"email"`
 	Password            *string                `json:"password"`
+	CurrentPassword     *string                `json:"current_password,omitempty"`
 	Nonce               string                 `json:"nonce"`
 	Data                map[string]interface{} `json:"data"`
 	AppData             map[string]interface{} `json:"app_metadata,omitempty"`
@@ -165,6 +166,31 @@ func (a *API) UserUpdate(w http.ResponseWriter, r *http.Request) error {
 			isSamePassword := false
 
 			if user.HasPassword() {
+				// current password required when updating password
+				if config.Security.UpdatePasswordRequireCurrentPassword {
+					// user may be in a password reset flow, where they do not have a currentPassword
+					isRecoverySession := false
+					for _, claim := range session.AMRClaims {
+						// password recovery flows can be via otp or a magic link, check if the current session
+						// was created with one of those
+						if claim.GetAuthenticationMethod() == "otp" || claim.GetAuthenticationMethod() == "magiclink" {
+							isRecoverySession = true
+							break
+						}
+					}
+					if !isRecoverySession {
+						if params.CurrentPassword == nil || *params.CurrentPassword == "" {
+							return apierrors.NewBadRequestError(apierrors.ErrorCodeCurrentPasswordRequired, "Current password required when setting new password.")
+						}
+						isCurrentPasswordCorrect, _, err := user.Authenticate(ctx, db, *params.CurrentPassword, config.Security.DBEncryption.DecryptionKeys, false, "")
+						if err != nil {
+							return err
+						}
+						if !isCurrentPasswordCorrect {
+							return apierrors.NewBadRequestError(apierrors.ErrorCodeCurrentPasswordMismatch, "Current password required when setting new password.")
+						}
+					}
+				}
 				auth, _, err := user.Authenticate(ctx, db, password, config.Security.DBEncryption.DecryptionKeys, false, "")
 				if err != nil {
 					return err
diff --git a/internal/api/user_test.go b/internal/api/user_test.go
@@ -297,8 +297,10 @@ func (ts *UserTestSuite) TestUserUpdatePassword() {
 	var cases = []struct {
 		desc                    string
 		newPassword             string
+		currentPassword         string
 		nonce                   string
 		requireReauthentication bool
+		requireCurrentPassword  bool
 		sessionId               *uuid.UUID
 		expected                expected
 	}{
@@ -334,13 +336,48 @@ func (ts *UserTestSuite) TestUserUpdatePassword() {
 			sessionId:               r.SessionId,
 			expected:                expected{code: http.StatusOK, isAuthenticated: true},
 		},
+		{
+			desc:                    "Current password checked when require current password set",
+			newPassword:             "updateToNewpassword123",
+			currentPassword:         "newpassword123", // match to the test case above
+			nonce:                   "",
+			requireReauthentication: false,
+			requireCurrentPassword:  true,
+			sessionId:               r.SessionId,
+			expected:                expected{code: http.StatusOK, isAuthenticated: true},
+		},
+		{
+			desc:                    "Fails if current password incorrect when require current password set",
+			newPassword:             "newpassword123",
+			currentPassword:         "randompassword",
+			nonce:                   "",
+			requireReauthentication: false,
+			requireCurrentPassword:  true,
+			sessionId:               r.SessionId,
+			expected:                expected{code: http.StatusBadRequest, isAuthenticated: false},
+		},
+		{
+			desc:                    "Fails if current password not set when required",
+			newPassword:             "newpassword123",
+			nonce:                   "",
+			requireReauthentication: false,
+			requireCurrentPassword:  true,
+			sessionId:               r.SessionId,
+			expected:                expected{code: http.StatusBadRequest, isAuthenticated: false},
+		},
 	}
 
 	for _, c := range cases {
 		ts.Run(c.desc, func() {
 			ts.Config.Security.UpdatePasswordRequireReauthentication = c.requireReauthentication
+			ts.Config.Security.UpdatePasswordRequireCurrentPassword = c.requireCurrentPassword
+
+			userUpdateBody := map[string]string{"password": c.newPassword, "nonce": c.nonce}
+			if c.requireCurrentPassword {
+				userUpdateBody["current_password"] = c.currentPassword
+			}
 			var buffer bytes.Buffer
-			require.NoError(ts.T(), json.NewEncoder(&buffer).Encode(map[string]string{"password": c.newPassword, "nonce": c.nonce}))
+			require.NoError(ts.T(), json.NewEncoder(&buffer).Encode(userUpdateBody))
 
 			req := httptest.NewRequest(http.MethodPut, "http://localhost/user", &buffer)
 			req.Header.Set("Content-Type", "application/json")
@@ -365,7 +402,96 @@ func (ts *UserTestSuite) TestUserUpdatePassword() {
 	}
 }
 
+func (ts *UserTestSuite) TestUserUpdatePasswordViaRecovery() {
+	ts.Config.Security.UpdatePasswordRequireCurrentPassword = true
+	ts.Config.SMTP.MaxFrequency = 60
+	u, err := models.FindUserByEmailAndAudience(ts.API.db, "test@example.com", ts.Config.JWT.Aud)
+	require.NoError(ts.T(), err)
+	u.RecoverySentAt = &time.Time{}
+	require.NoError(ts.T(), ts.API.db.Update(u))
+
+	type expected struct {
+		code            int
+		isAuthenticated bool
+	}
+
+	var cases = []struct {
+		desc            string
+		newPassword     string
+		currentPassword string
+		recoveryType    models.AuthenticationMethod
+		expected        expected
+	}{
+		{
+			desc:         "Current password not required in OTP recovery flow",
+			newPassword:  "newpassword123",
+			recoveryType: models.OTP,
+			expected:     expected{code: http.StatusOK, isAuthenticated: true},
+		},
+		{
+			desc:         "Current password not required in magiclink recovery flow",
+			newPassword:  "newpassword456",
+			recoveryType: models.MagicLink,
+			expected:     expected{code: http.StatusOK, isAuthenticated: true},
+		},
+		{
+			desc:         "Current password required for any other claim",
+			newPassword:  "newpassword456",
+			recoveryType: models.EmailChange,
+			expected:     expected{code: http.StatusBadRequest, isAuthenticated: true},
+		},
+	}
+
+	for _, c := range cases {
+		ts.Run(c.desc, func() {
+			require.NoError(ts.T(), models.ClearAllOneTimeTokensForUser(ts.API.db, u.ID))
+
+			// Create a session
+			session, err := models.NewSession(u.ID, nil)
+			require.NoError(ts.T(), err)
+			require.NoError(ts.T(), ts.API.db.Create(session))
+
+			// Add AMR claim to session to simulate recovery flow
+			require.NoError(ts.T(), models.AddClaimToSession(ts.API.db, session.ID, c.recoveryType))
+
+			// Reload session with AMR claims
+			session, err = models.FindSessionByID(ts.API.db, session.ID, true)
+			require.NoError(ts.T(), err)
+			require.NotEmpty(ts.T(), session.AMRClaims, "Session should have AMR claims")
+
+			// Generate access token with the recovery authentication method
+			req := httptest.NewRequest(http.MethodPut, "http://localhost/user", nil)
+			token, _, err := ts.API.generateAccessToken(req, ts.API.db, u, &session.ID, c.recoveryType)
+			require.NoError(ts.T(), err)
+
+			// Update password without current password
+			userUpdateBody := map[string]string{"password": c.newPassword}
+			var buffer bytes.Buffer
+			require.NoError(ts.T(), json.NewEncoder(&buffer).Encode(userUpdateBody))
+
+			req = httptest.NewRequest(http.MethodPut, "http://localhost/user", &buffer)
+			req.Header.Set("Content-Type", "application/json")
+			req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", token))
+
+			// Setup response recorder
+			w := httptest.NewRecorder()
+			ts.API.handler.ServeHTTP(w, req)
+			require.Equal(ts.T(), c.expected.code, w.Code)
+
+			// Verify password was updated
+			u, err = models.FindUserByEmailAndAudience(ts.API.db, "test@example.com", ts.Config.JWT.Aud)
+			require.NoError(ts.T(), err)
+
+			isAuthenticated, _, err := u.Authenticate(context.Background(), ts.API.db, c.newPassword, ts.API.config.Security.DBEncryption.DecryptionKeys, ts.API.config.Security.DBEncryption.Encrypt, ts.API.config.Security.DBEncryption.EncryptionKeyID)
+			require.NoError(ts.T(), err)
+
+			require.Equal(ts.T(), c.expected.isAuthenticated, isAuthenticated)
+		})
+	}
+}
+
 func (ts *UserTestSuite) TestUserUpdatePasswordNoReauthenticationRequired() {
+	ts.Config.Security.UpdatePasswordRequireCurrentPassword = false
 	u, err := models.FindUserByEmailAndAudience(ts.API.db, "test@example.com", ts.Config.JWT.Aud)
 	require.NoError(ts.T(), err)
 
@@ -429,7 +555,7 @@ func (ts *UserTestSuite) TestUserUpdatePasswordNoReauthenticationRequired() {
 
 func (ts *UserTestSuite) TestUserUpdatePasswordReauthentication() {
 	ts.Config.Security.UpdatePasswordRequireReauthentication = true
-
+	ts.Config.Security.UpdatePasswordRequireCurrentPassword = false
 	u, err := models.FindUserByEmailAndAudience(ts.API.db, "test@example.com", ts.Config.JWT.Aud)
 	require.NoError(ts.T(), err)
 
@@ -487,6 +613,7 @@ func (ts *UserTestSuite) TestUserUpdatePasswordReauthentication() {
 
 func (ts *UserTestSuite) TestUserUpdatePasswordLogoutOtherSessions() {
 	ts.Config.Security.UpdatePasswordRequireReauthentication = false
+	ts.Config.Security.UpdatePasswordRequireCurrentPassword = false
 	u, err := models.FindUserByEmailAndAudience(ts.API.db, "test@example.com", ts.Config.JWT.Aud)
 	require.NoError(ts.T(), err)
 
@@ -586,6 +713,7 @@ func (ts *UserTestSuite) TestUserUpdatePasswordSendsNotificationEmail() {
 	for _, c := range cases {
 		ts.Run(c.desc, func() {
 			ts.Config.Security.UpdatePasswordRequireReauthentication = false
+			ts.Config.Security.UpdatePasswordRequireCurrentPassword = false
 			ts.Config.Mailer.Autoconfirm = false
 			ts.Config.Mailer.Notifications.PasswordChangedEnabled = c.notificationEnabled
 
diff --git a/internal/conf/configuration.go b/internal/conf/configuration.go
@@ -731,6 +731,7 @@ type SecurityConfiguration struct {
 	RefreshTokenReuseInterval             int                  `json:"refresh_token_reuse_interval" split_words:"true"`
 	RefreshTokenAllowReuse                bool                 `json:"refresh_token_allow_reuse" split_words:"true"`
 	UpdatePasswordRequireReauthentication bool                 `json:"update_password_require_reauthentication" split_words:"true"`
+	UpdatePasswordRequireCurrentPassword  bool                 `json:"update_password_require_current_password" split_words:"true"`
 	ManualLinkingEnabled                  bool                 `json:"manual_linking_enabled" split_words:"true" default:"false"`
 	SbForwardedForEnabled                 bool                 `json:"sb_forwarded_for_enabled" split_words:"true" default:"false"`
 
