feat: add password change validation to ensure new password differs from current password (#4134)

2025-09-07 02:20:28 +08:00 · 2025-09-01 17:22:06 +08:00
parent 3b16406442
commit 8fa681f883
28 changed files with 57 additions and 0 deletions
--- a/object/check_password_complexity.go
+++ b/object/check_password_complexity.go
@@ -16,6 +16,8 @@ package object

 import (
 	"regexp"
+
+	"github.com/casdoor/casdoor/cred"
 )

 type ValidatorFunc func(password string) string
@@ -96,3 +98,26 @@ func checkPasswordComplexity(password string, options []string) string {
 	}
 	return ""
 }
+
+// CheckPasswordNotSameAsCurrent checks if the new password is different from the current password
+func CheckPasswordNotSameAsCurrent(user *User, newPassword string, organization *Organization) bool {
+	if user.Password == "" {
+		// User doesn't have a password set (e.g., OAuth-only users), allow any password
+		return true
+	}
+
+	credManager := cred.GetCredManager(organization.PasswordType)
+	if credManager == nil {
+		// If no credential manager is available, we can't compare passwords
+		return true
+	}
+
+	// Check if the new password is the same as the current password
+	// Try with both organization salt and user salt (like CheckPassword function does)
+	if credManager.IsPasswordCorrect(newPassword, user.Password, organization.PasswordSalt) ||
+		credManager.IsPasswordCorrect(newPassword, user.Password, user.PasswordSalt) {
+		return false
+	}
+
+	return true
+}