From b45717a1e10f72d3e8f64201b31b9f259c086b87 Mon Sep 17 00:00:00 2001
From: Adria Navarro
Date: Wed, 3 Jan 2024 12:00:25 +0100
Subject: [PATCH] Move password checks to db
---
 packages/backend-core/src/users/db.ts | 7 +++++++
 packages/worker/src/api/controllers/global/users.ts | 6 ------
 packages/worker/src/sdk/auth/auth.ts | 6 ------
 3 files changed, 7 insertions(+), 12 deletions(-)
diff --git a/packages/backend-core/src/users/db.ts b/packages/backend-core/src/users/db.ts
index 01fa4899d1..6cc5d2de5a 100644
--- a/packages/backend-core/src/users/db.ts
+++ b/packages/backend-core/src/users/db.ts
@@ -27,6 +27,7 @@ import {
 } from "./utils"
 import { searchExistingEmails } from "./lookup"
 import { hash } from "../utils"
+import { security } from ".."

 type QuotaUpdateFn = (
 change: number,
@@ -110,6 +111,12 @@ export class UserDB {
 if (await UserDB.isPreventPasswordActions(user, account)) {
 throw new HTTPError("Password change is disabled for this user", 400)
 }
+
+ const passwordValidation = security.validatePassword(password)
+ if (!passwordValidation.valid) {
+ throw new HTTPError(passwordValidation.error, 400)
+ }
+
 hashedPassword = opts.hashPassword ? await hash(password) : password
 } else if (dbUser) {
 hashedPassword = dbUser.password
diff --git a/packages/worker/src/api/controllers/global/users.ts b/packages/worker/src/api/controllers/global/users.ts
index 257d2b9a89..b0e3219656 100644
--- a/packages/worker/src/api/controllers/global/users.ts
+++ b/packages/worker/src/api/controllers/global/users.ts
@@ -27,7 +27,6 @@ import {
 platform,
 tenancy,
 db,
- security,
 } from "@budibase/backend-core"
 import { checkAnyUserExists } from "../../../utilities/users"
 import { isEmailConfigured } from "../../../utilities/email"
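Review bot: In the db.ts hunk at `@@ -110,6 +111,12 @@`, the new `security.validatePassword(password)` call runs whatever `opts.hashPassword` is, yet the following line stores `password` as-is when that option is false. If any caller passes an already-hashed value with `hashPassword` disabled (not visible in this hunk), the policy is evaluated against the hash rather than the user's password, so it either passes vacuously or trips a length rule; a comment such as `// password is expected to be plaintext here; validate before any hashing done by the caller` or an explicit guard on that option would pin the contract down. The enclosing `if` branch and the method itself start outside the hunk, so this needs confirming against the full method. Separately, the check removed from `adminUser` in users.ts ran before `platform.tenants.addTenant(tenantId)`; if the admin user is saved through this path, a rejected password now surfaces only after the tenant record has been written, which is worth a regression test.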
@@ -99,11 +98,6 @@ export const adminUser = async (
 ctx.throw(403, "Organisation already exists.")
 }

- const passwordValidation = security.validatePassword(password)
- if (!passwordValidation.valid) {
- ctx.throw(400, passwordValidation.error)
- }
-
 if (env.MULTI_TENANCY) {
 // store the new tenant record in the platform db
 await platform.tenants.addTenant(tenantId)
diff --git a/packages/worker/src/sdk/auth/auth.ts b/packages/worker/src/sdk/auth/auth.ts
index 5ddccdd2b1..f8796f0bed 100644
--- a/packages/worker/src/sdk/auth/auth.ts
+++ b/packages/worker/src/sdk/auth/auth.ts
@@ -7,7 +7,6 @@ import {
 tenancy,
 utils as coreUtils,
 cache,
- security,
 } from "@budibase/backend-core"
 import { PlatformLogoutOpts, User } from "@budibase/types"
 import jwt from "jsonwebtoken"
@@ -77,11 +76,6 @@ export const resetUpdate = async (resetCode: string, password: string) => {
 const { userId } = await cache.passwordReset.getCode(resetCode)
 let user = await userSdk.db.getUser(userId)

- const validation = security.validatePassword(password)
- if (!validation.valid) {
- throw new HTTPError(validation.error, 400)
- }
-
 user.password = password
 user = await userSdk.db.save(user)