---
issue: "024"
title: "POST /api/auth/reset-password-with-code accepts weak passwords — no complexity validation"
severity: major
domain: auth
labels: [backend, security, bug]
status: open
created: 2026-05-29
source: Doc vs Code Audit 2026-05-29
---

# 🟠 POST /api/auth/reset-password-with-code accepts weak passwords — no complexity validation

**Severity:** major
**Domain:** auth
**Labels:** backend, security, bug

## Description

`POST /api/auth/reset-password-with-code` has **no `passwordResetValidation` middleware** (`authRoutes.ts` line ~54-57). The controller only validates that the email, code, and password fields are present, and that the code is 6 digits. Passwords like `'123456'`, `'aaaaaa'`, or `'password'` are accepted.

By contrast, the legacy `POST /api/auth/reset-password` (token-based) is wired with `passwordResetValidation`, which enforces `/^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)/` — at least one uppercase letter, one lowercase letter, and one digit.

## Current Behavior

`POST /api/auth/reset-password-with-code` with `{ email, code: "123456", password: "aaaaaa" }` → 200, password reset to the weak value.

## Expected Behavior

Apply `passwordResetValidation` (or equivalent inline validation) to `reset-password-with-code` as well, so both reset paths enforce the same complexity rule.

## Affected Files

- `backend/src/routes/authRoutes.ts` — line ~54-57, add `passwordResetValidation` middleware
- `backend/src/shared/middleware/authValidation.ts` — `passwordResetValidation` definition

## References

- [Doc vs Code Audit Report](../09%20-%20Audits/Doc%20vs%20Code%20Audit%20Report%20-%202026-05-29.md) — Finding M6
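The following is an added illustration of the expected fix, not code from the project's `authValidation.ts`: a stand-alone middleware that applies the same complexity regex the token-based route enforces, with minimal `Req`/`Res`/`Next` shapes assumed in place of Express so it runs without the framework.

```typescript
// Added example (not the project's own passwordResetValidation): an
// Express-style middleware enforcing the rule the legacy reset route uses.
// Req, Res and Next are assumed minimal stand-ins for the Express types.

// The rule quoted in the issue for POST /api/auth/reset-password:
// at least one lowercase letter, one uppercase letter and one digit.
// Note it sets no minimum length; a length check would be a separate rule.
export const PASSWORD_COMPLEXITY = /^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)/;

export function isPasswordComplexEnough(password: unknown): boolean {
  return typeof password === "string" && PASSWORD_COMPLEXITY.test(password);
}

export interface Req { body: Record<string, unknown> }
export interface Res { status(code: number): Res; json(body: unknown): Res }
export type Next = () => void;

// Rejects a weak password with 400 before the controller can reset it;
// otherwise hands the request on to the next handler.
export function passwordResetValidationExample(req: Req, res: Res, next: Next): void {
  if (!isPasswordComplexEnough(req.body.password)) {
    res.status(400).json({
      error: "Password must contain an uppercase letter, a lowercase letter and a digit",
    });
    return;
  }
  next();
}

// Runs the middleware against a constructed request body and reports the
// status it set and whether the controller would have been reached.
export function simulateReset(
  body: Record<string, unknown>,
): { status: number; reachedController: boolean } {
  let status = 200;
  let reached = false;
  const res: Res = {
    status(code) { status = code; return res; },
    json() { return res; },
  };
  passwordResetValidationExample({ body }, res, () => { reached = true; });
  return { status, reachedController: reached };
}

// Constructed sample: the exact body from the issue's Current Behavior.
const weak = simulateReset({ email: "user@example.com", code: "123456", password: "aaaaaa" });
console.log(weak); // { status: 400, reachedController: false }
```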