ChangePasswordByIdentity API works without current password [URGENT]
This API: https://github.com/FusionAuth/go-client/blob/master/pkg/fusionauth/Client.go#L290 has the functionality to:
// ChangePasswordByIdentity
// Changes a user's password using their identity (login id and password). Using a loginId instead of the changePasswordId
// bypasses the email verification and allows a password to be changed directly without first calling the #forgotPassword
// method.
//   ChangePasswordRequest request The change password request that contains all of the information used to change the password.
If I do not pass the current_password in this API, it still changes the user's password without the current password. If I pass something as current_password in the request it does check if it matches the user's current password.
The abnormal behavior happens when nothing is passed as current_password.
Similarly, in the FusionAuth dashboard, I can change any user's password without the previous password. Is this behavior intended? Or are these 2 issues related and pointing to a bigger overall problem with how FusionAuth changes passwords?
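The behaviour described above (the current password is only verified when one is supplied) is a fail-open check. The following is an added illustration, not FusionAuth's or the go-client's code: it models the reported behaviour beside the fail-closed form, using a constructed salted-hash credential store (sha256 here only to stay dependency-free; a real store would use a slow KDF such as bcrypt or argon2). The function and type names are hypothetical.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// storedCredential is a constructed stand-in for a user's stored password
// hash: sha256(salt || password). Illustration only, not a production KDF.
type storedCredential struct {
	salt []byte
	hash [32]byte
}

func newCredential(salt []byte, password string) storedCredential {
	return storedCredential{salt: salt, hash: sha256.Sum256(append(append([]byte{}, salt...), password...))}
}

// matches compares in constant time so a wrong guess leaks no timing signal.
func (c storedCredential) matches(password string) bool {
	h := sha256.Sum256(append(append([]byte{}, c.salt...), password...))
	return subtle.ConstantTimeCompare(h[:], c.hash[:]) == 1
}

var errCurrentPasswordRequired = errors.New("current password is required")
var errCurrentPasswordMismatch = errors.New("current password does not match")

// changePasswordFailOpen models the behaviour reported in the post: the
// current password is checked only when one is supplied, so an empty
// currentPassword skips verification and the change still goes through.
func changePasswordFailOpen(cred *storedCredential, currentPassword, newPassword string) error {
	if currentPassword != "" && !cred.matches(currentPassword) {
		return errCurrentPasswordMismatch
	}
	*cred = newCredential(cred.salt, newPassword)
	return nil
}

// changePasswordFailClosed is the hardened form: a missing current password is
// rejected before any comparison, so the verification step cannot be skipped.
func changePasswordFailClosed(cred *storedCredential, currentPassword, newPassword string) error {
	if currentPassword == "" {
		return errCurrentPasswordRequired
	}
	if !cred.matches(currentPassword) {
		return errCurrentPasswordMismatch
	}
	*cred = newCredential(cred.salt, newPassword)
	return nil
}

func main() {
	cred := newCredential([]byte("constructed-salt"), "old-secret")
	fmt.Println("fail-open, empty current password:", changePasswordFailOpen(&cred, "", "new-secret"))
	cred = newCredential([]byte("constructed-salt"), "old-secret")
	fmt.Println("fail-closed, empty current password:", changePasswordFailClosed(&cred, "", "new-secret"))
}
```

Running it shows the fail-open variant returning nil (password changed) for an empty current password, while the fail-closed variant returns an error and leaves the stored credential untouched.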