Fix mismatching passwords preventing registration

If a user entered a non-matching password pair when registering, they would be unable to complete registration as the old password pair was retained inside the ancilliary request data and would override the form.
CSSUoB · Jan 28, 2024 · d41a06b · d41a06b
1 parent 6747b81
commit d41a06b
Showing 1 changed file with 12 additions and 0 deletions.
diff --git a/internal/httpcore/endpoints_auth.go b/internal/httpcore/endpoints_auth.go
@@ -147,6 +147,18 @@ func (endpoints) authLogin(ctx *fiber.Ctx) error {
 
 		if requestData.PasswordConfirmation != requestData.Password {
 			requestProblem = "Passwords do not match."
+
+			// Since unregisteredAskPassword still includes previous request data, we need to remove the old passwords to prevent them from overriding the new passwords the user will input.
+			// If this were not done, a user that entered an non-matching password pair would never be able to set their password.
+
+			requestData.Password = ""
+			requestData.PasswordConfirmation = ""
+
+			requestDataJSON, err = json.Marshal(&requestData)
+			if err != nil {
+				return fmt.Errorf("authLogin marshal request data to JSON after removing passwords: %w", err)
+			}
+
 			goto unregisteredAskPassword
 		}