
onasty @ 33a27b8

a one-time notes service
2 files changed, 8 insertions(+), 5 deletions(-)
fix(api): change password exposes internal error (#194)

If the current user's password and the provided one didn't match, the API
returned ErrUserInvalidPassword; now it returns ErrUserWrongCredentials
Author: Olexandr Smirnov olexsmir@gmail.com
Committed by: GitHub noreply@github.com
Committed at: 2025-08-25 14:31:25 +0300
Parent: 673a1f7
M e2e/apiv1_auth_test.go

@@ -347,16 +347,15 @@ NewPassword string `json:"new_password"`

  }
  func (e *AppTestSuite) TestAuthV1_ChangePassword() {
- password := e.uuid()
- newPassword := e.uuid()
+ oldPassword, newPassword := e.uuid(), e.uuid()
  email := e.uuid() + "@test.com"
- _, toks := e.createAndSingIn(email, password)
+ _, toks := e.createAndSingIn(email, oldPassword)
  httpResp := e.httpRequest(
  http.MethodPost,
  "/api/v1/auth/change-password",
  e.jsonify(apiv1AuthChangePasswordRequest{
- CurrentPassword: password,
+ CurrentPassword: oldPassword,
  NewPassword: newPassword,
  }),
  toks.AccessToken,

@@ -385,6 +384,10 @@ toks.AccessToken,

  )
  e.Equal(http.StatusBadRequest, httpResp.Code)
+
+ var body errorResponse
+ e.readBodyAndUnjsonify(httpResp.Body, &body)
+ e.Equal(models.ErrUserWrongCredentials.Error(), body.Message)
  userDB := e.getUserByEmail(email)
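Review bot: The added `e.Equal(models.ErrUserWrongCredentials.Error(), body.Message)` pins the exact response message, but nothing records that it is the regression check for the internal error reaching the client, so a later refactor could relax it unnoticed. A comment above `var body errorResponse` would keep the intent visible, e.g. `// response must carry only the generic credentials error, never the hasher's error text (#194)`. The enclosing test function starts and ends outside this hunk.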
M internal/service/usersrv/usersrv.go

@@ -264,7 +264,7 @@ return err

  }
  if err = u.hasher.Compare(user.Password, inp.CurrentPassword); err != nil {
- return errors.Join(err, models.ErrUserInvalidPassword)
+ return models.ErrUserWrongCredentials
  }
  newPass, err := u.hasher.Hash(inp.NewPassword)
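Review bot: The new `return models.ErrUserWrongCredentials` discards `err` from `u.hasher.Compare` entirely, so any failure other than a plain mismatch (a malformed stored hash, for instance, if Compare can report one) is now presented as wrong credentials and leaves no trace on the server. Returning only the generic error to the client is the right call; the cause should still be logged before returning, or only the hasher's mismatch error mapped to `ErrUserWrongCredentials` with anything else surfaced as an internal failure. At minimum, a comment on the return such as `// hasher error is deliberately not returned to the client (#194)` would record the intent. The enclosing method starts and ends outside this hunk, so whether a logger is in scope there is not visible.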