From 531cafb5b492a7c84e9f7c1b6caed17a12450f77 Mon Sep 17 00:00:00 2001
From: tylor
Date: Mon, 15 Jun 2026 10:14:58 +0800
Subject: [PATCH] fix: allow legacy weak old password when updating password
Old users may have passwords set before the current complexity policy. Skip strength validation on oldPassword and only verify via hash check.
Co-authored-by: Cursor
---
 src/user/dto/update-password.dto.ts | 4 ++--
 test/user.e2e-spec.ts | 14 ++++++++++++++
 2 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/src/user/dto/update-password.dto.ts b/src/user/dto/update-password.dto.ts
index cf3d762..51c0bb0 100644
--- a/src/user/dto/update-password.dto.ts
+++ b/src/user/dto/update-password.dto.ts
@@ -1,4 +1,4 @@
-import { IsNotEmpty, IsOptional } from 'class-validator';
+import { IsNotEmpty, IsOptional, IsString } from 'class-validator';
 import { IsPassword } from 'src/common/validate';
@@ -7,7 +7,7 @@ export class UpdatePasswordDto {
 * 旧密码
 */
 @IsOptional()
- @IsPassword()
+ @IsString()
 oldPassword?: string;
 /**
diff --git a/test/user.e2e-spec.ts b/test/user.e2e-spec.ts
index 3b25eb9..ecd1bb0 100644
--- a/test/user.e2e-spec.ts
+++ b/test/user.e2e-spec.ts
@@ -179,6 +179,20 @@ describe('User crud (e2e)', () => {
 .set('Accept', 'application/json')
 .expect(200);
+ // 旧密码不符合当前强度策略时仍可改密(legacy 用户)
+ const legacyUserDoc = { ...mockUser(), password: 'abc123' };
+ const legacyUser = await userService.create(legacyUserDoc);
+ await request(app.getHttpServer())
+ .post(`/users/${legacyUser.id}/@updatePassword`)
+ .send({
+ oldPassword: 'abc123',
+ newPassword: '^tR123456',
+ })
+ .set('Content-Type', 'application/json')
+ .set('x-api-key', auth.apiKey)
+ .set('Accept', 'application/json')
+ .expect(204);
 // username 不合法
 await request(app.getHttpServer())
 .patch(`/users/${user.id}`)
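Review bot: With `@IsOptional()` and `@IsString()` as the only constraints on oldPassword, the field now accepts the empty string and strings of any length, so the only remaining check is the hash comparison the commit message describes, which lies outside this hunk. If that comparison is what the endpoint relies on, a bound such as `@MaxLength(128)` (limit chosen for illustration) keeps arbitrarily large input away from the password-hash routine, and `@IsNotEmpty()` is already imported in this file if an empty value should be rejected at the DTO rather than by the hash check. The field's doc comment should also record why the strength rule was removed, e.g. `* Old password: compared against the stored hash only; intentionally not strength-checked so users created under an older policy can rotate.` Whether the field may legitimately be omitted altogether (it stays optional) and what the service requires in that case is not visible here. The UpdatePasswordDto class continues outside the hunk.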
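Review bot: The new legacy case asserts only the 204 on the happy path; nothing in the hunk checks that a wrong oldPassword for the same legacy user is still rejected, which is the property the relaxed DTO now depends on entirely. A sibling request with a different oldPassword value, expecting whatever rejection status the endpoint returns (not visible here), would pin that behaviour, as would a follow-up call showing the new password is the one that works afterwards. The fixture seeds 'abc123' through `userService.create`, which presumably bypasses DTO validation; the comment could say so: `// seeded via the service so the DTO's strength rule does not apply to the stored password`. The enclosing test callback starts and ends outside the hunk.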