If "currentPassword" provided wrong, getting "password history" error.
Problem
We are using the /api/user/change-password API to change the password and we have some observations on this; please do the needful on the same. Suppose your currentPassword is "Test@123" and you are trying to change the password with the request below.
{
"loginId": "[email protected]",
"currentPassword": "Test@123Wrong",
"password": "Test@123"
}
Ideally it should throw “Provided currentPassword is not valid”, as we have provided the wrong currentPassword and have put the currentPassword in the password property. Because we have enabled Reject previous passwords as 1, we are instead getting the “The [password] property may not be the same as the previously [1] used passwords.” error message.
Solution
Ideally, preference should be given to the currentPassword validation; only once it has been validated should the password validation be done, because the current behaviour is quite misleading to the user.
Hi Team, Any update on the above issue? Thanks.
Thanks for your feedback. I think one could argue that the password is invalid in both ways (the current password doesn't match and the desired password is disallowed because it matches a previous password) so it doesn't matter which validation occurs first.
Maybe I misunderstand your point, though.
Either way, this work is not currently scheduled.
Here's our general roadmap guidance: https://fusionauth.io/docs/v1/tech/core-concepts/roadmap
One option would be to return both validation errors at once.
If we wanted to change this order, or potentially return both errors at the same time, we'd have to validate the current password during validation instead of during the change.
But I would tend to agree that this is working as designed, and not incorrect. But I can appreciate that someone may wish to have both errors at once to provide a different user experience.
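The two behaviours the thread discusses, as an added example that is neither FusionAuth's code nor from either participant: a hypothetical change-password handler with a constructed `Account` model whose `reject_previous` setting stands in for the "Reject previous passwords" value of 1. By default it checks the current password first and stops on a mismatch, which is the ordering the reporter asks for; with `collect_all=True` it runs both checks and returns both messages, the alternative the maintainer raises. The error strings are the ones quoted in the issue; the hashing parameters are illustrative.

```python
import hashlib
import hmac
import os

# Constructed for this example: a real deployment would use a much higher
# iteration count or a memory-hard algorithm. The ordering logic is the point.
PBKDF2_ITERATIONS = 10_000

CURRENT_PASSWORD_INVALID = "Provided currentPassword is not valid"
PASSWORD_HISTORY_TEMPLATE = (
    "The [password] property may not be the same as the previously [{n}] used passwords."
)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate against a stored salt/digest pair."""
    return hmac.compare_digest(hash_password(password, salt), digest)


class Account:
    """Hypothetical account model: the current credential plus the hashes of
    recently used passwords, newest last. reject_previous is how many of the
    most recent passwords a new password may not reuse (1 in the thread)."""

    def __init__(self, password: str, reject_previous: int = 1):
        self.reject_previous = reject_previous
        self.history: list[tuple[bytes, bytes]] = []
        self.store_password(password)

    def store_password(self, password: str) -> None:
        salt = os.urandom(16)
        self.salt, self.digest = salt, hash_password(password, salt)
        self.history.append((salt, self.digest))
        # Keep only as many old hashes as the policy can ever consult.
        self.history = self.history[-self.reject_previous:]


def change_password(account: Account, current_password: str, new_password: str,
                    collect_all: bool = False) -> list[str]:
    """Return the list of validation errors (empty list on success).

    Default: verify the current password first and short-circuit on failure, so
    a caller who cannot prove knowledge of the current password learns nothing
    about how the new password fared against the history policy.
    collect_all=True: run both checks and report both errors together."""
    errors: list[str] = []

    if not verify_password(current_password, account.salt, account.digest):
        errors.append(CURRENT_PASSWORD_INVALID)
        if not collect_all:
            return errors

    recent = account.history[-account.reject_previous:]
    if any(verify_password(new_password, salt, digest) for salt, digest in recent):
        errors.append(PASSWORD_HISTORY_TEMPLATE.format(n=account.reject_previous))

    if errors:
        return errors

    account.store_password(new_password)
    return []


if __name__ == "__main__":
    acct = Account("Test@123")
    # The request from the issue: wrong currentPassword, new password equal to the real one.
    print(change_password(acct, "Test@123Wrong", "Test@123"))
    print(change_password(acct, "Test@123Wrong", "Test@123", collect_all=True))
```

The short-circuit default is also the safer choice from an information-exposure standpoint: the history check only runs after the caller has authenticated with the current password, so the history error can never be used as an oracle by someone who does not already hold the credential. Returning both errors trades that property for the user-experience benefit the maintainer describes.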