---
issue: 039
title: "reset-password-with-code endpoint has no password complexity validation — accepts weak passwords rejected by token-based reset"
severity: major
domain: Authentication
labels: [security, bug, backend, major, auth]
status: open
created: 2026-05-29
source: Doc vs Code Audit 2026-05-29
---

# 🟠 reset-password-with-code endpoint has no password complexity validation — accepts weak passwords rejected by token-based reset

**Severity:** major
**Domain:** Authentication
**Labels:** security, bug, backend, major, auth

## Description

`POST /api/auth/reset-password-with-code` has no validation middleware attached (`authRoutes.ts:54-56`), so a new password of `'123456'` or `'aaaaaa'` is accepted. By contrast, `POST /api/auth/reset-password` runs `passwordResetValidation`, which requires at least one uppercase letter, one lowercase letter and one digit. The two reset paths therefore enforce different password policies, and the code-based path is the weaker one.

## Current Behavior

The code-based password reset accepts any non-empty password, with no complexity requirements.

## Expected Behavior

`POST /api/auth/reset-password-with-code` should apply the same `passwordResetValidation` middleware as the token-based reset, so that both paths reject the same weak passwords.

## Affected Files

- `backend/src/routes/authRoutes.ts`

## References

- [Doc vs Code Audit Report](../09%20-%20Audits/Doc%20vs%20Code%20Audit%20Report%20-%202026-05-29.md)
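To make the expected fix concrete, the following added example (not code from `authRoutes.ts` or the project) models both reset routes with a shared validation wrapper. Express is not imported; minimal request/response shapes stand in for it, the body field name `newPassword` and the minimum length of 8 are assumptions, and the character-class rule follows the uppercase+lowercase+digit policy the issue describes.

```typescript
// Added example, not the project's code. Minimal stand-ins for Express types.
type Req = { body: Record<string, unknown> };
type Res = { status: number; body: unknown };
type Handler = (req: Req) => Res;

// Complexity rule as described for passwordResetValidation: at least one
// uppercase letter, one lowercase letter and one digit. The length floor of 8
// is an assumption added here; the page does not state one.
export function isCompliantPassword(pw: unknown): pw is string {
  return typeof pw === "string"
    && pw.length >= 8
    && /[A-Z]/.test(pw)
    && /[a-z]/.test(pw)
    && /[0-9]/.test(pw);
}

// Middleware-style wrapper: reject before the handler runs. Field name
// `newPassword` is assumed.
export function withPasswordValidation(handler: Handler): Handler {
  return (req) => isCompliantPassword(req.body.newPassword)
    ? handler(req)
    : { status: 400, body: { error: "password does not meet complexity requirements" } };
}

// Placeholder for the real reset logic (token/code checks are out of scope here).
const resetHandler: Handler = () => ({ status: 200, body: { ok: true } });

// Before: only the token-based route is wrapped, reproducing the reported gap.
export const routesBefore: Record<string, Handler> = {
  "/api/auth/reset-password": withPasswordValidation(resetHandler),
  "/api/auth/reset-password-with-code": resetHandler,
};

// After: the same wrapper guards both paths, which is the expected behaviour.
export const routesAfter: Record<string, Handler> = {
  "/api/auth/reset-password": withPasswordValidation(resetHandler),
  "/api/auth/reset-password-with-code": withPasswordValidation(resetHandler),
};

// Dispatch a POST against a route table and return the HTTP status.
export function post(routes: Record<string, Handler>, path: string, body: Record<string, unknown>): number {
  const handler = routes[path];
  return handler ? handler({ body }).status : 404;
}
```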