Description of the Bug
The PUT /auth/password endpoint in backend/app/routes/auth.py allows any authenticated user to change their account password by providing only a new password and confirm_password. It never asks for, or verifies, the current (old) password before making the change.
This is a security vulnerability — if an attacker obtains a valid JWT (via XSS, token leakage, or a compromised device), they can permanently lock the legitimate user out by changing the password in a single request, without knowing the original.
Affected files:
backend/app/routes/auth.py — update_password() functionbackend/app/schemas.py — UpdatePassword schema (only has password + confirm_password, no current_password field)
Steps to Reproduce
- Log in with a valid account and obtain an access token (JWT).
- Send the following request:
PUT /auth/password
Authorization: Bearer <access_token>
{
"password": "NewPassword@123",
"confirm_password": "NewPassword@123"
}
- Observe that the password is updated immediately — no current/old password was required.
Expected Behavior
The endpoint should require the user to provide their current password and verify it against the stored hash using verify_password() before accepting the new password. This is standard security practice for any password-change flow.
Suggested fix:
- Add
current_password: str to the UpdatePassword schema in schemas.py.
- In
update_password() in auth.py, verify it before proceeding:
if not verify_password(payload.current_password, user.hashed_password):
raise UnauthorizedException("Current password is incorrect")
Note: Issue #430 proposes a new password-change endpoint — this bug is about the existing PUT /auth/password being insecure and needs a separate fix.
Screenshots / Logs
No logs needed — the issue is directly reproducible via any HTTP client (curl, Postman, etc.) with a valid JWT.
Environment
FastAPI backend (Python) — backend/app/routes/auth.py & backend/app/schemas.py — reproducible in all environments
GSSoC '26
Description of the Bug
The
PUT /auth/passwordendpoint inbackend/app/routes/auth.pyallows any authenticated user to change their account password by providing only a newpasswordandconfirm_password. It never asks for, or verifies, the current (old) password before making the change.This is a security vulnerability — if an attacker obtains a valid JWT (via XSS, token leakage, or a compromised device), they can permanently lock the legitimate user out by changing the password in a single request, without knowing the original.
Affected files:
backend/app/routes/auth.py—update_password()functionbackend/app/schemas.py—UpdatePasswordschema (only haspassword+confirm_password, nocurrent_passwordfield)Steps to Reproduce
PUT /auth/password
Authorization: Bearer <access_token>
{
"password": "NewPassword@123",
"confirm_password": "NewPassword@123"
}
Expected Behavior
The endpoint should require the user to provide their current password and verify it against the stored hash using
verify_password()before accepting the new password. This is standard security practice for any password-change flow.Suggested fix:
current_password: strto theUpdatePasswordschema inschemas.py.update_password()inauth.py, verify it before proceeding:if not verify_password(payload.current_password, user.hashed_password):
raise UnauthorizedException("Current password is incorrect")
Note: Issue #430 proposes a new password-change endpoint — this bug is about the existing
PUT /auth/passwordbeing insecure and needs a separate fix.Screenshots / Logs
No logs needed — the issue is directly reproducible via any HTTP client (curl, Postman, etc.) with a valid JWT.
Environment
FastAPI backend (Python) — backend/app/routes/auth.py & backend/app/schemas.py — reproducible in all environments
GSSoC '26