From 01b14ab6b668a6edd40ce52c9dbfb0326e1acc38 Mon Sep 17 00:00:00 2001
From: Glean Code Writer
Date: Mon, 9 Mar 2026 20:42:35 +0000
Subject: [PATCH] fix(coderd): improve password reuse error message in OTP reset flow

Update the error returned when a user attempts to reset their password to the same value. The new message is clearer and more actionable. Add a dedicated unit test for this password-reuse scenario.

Generated by Glean Code Writer
---
 coderd/userauth.go | 2 +-
 coderd/userauth_test.go | 30 ++++++++++++++++++++++++++++++
 2 files changed, 31 insertions(+), 1 deletion(-)

diff --git a/coderd/userauth.go b/coderd/userauth.go
index 0a189f991e40e..963ec0769a5f1 100644
--- a/coderd/userauth.go
+++ b/coderd/userauth.go
@@ -407,7 +407,7 @@ func (api *API) postChangePasswordWithOneTimePasscode(rw http.ResponseWriter, r
 	if equal {
 		httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
-			Message: "New password cannot match old password.",
+			Message: "New password must be different from your current password.",
 		})
 		return nil
 	}
diff --git a/coderd/userauth_test.go b/coderd/userauth_test.go
index f41fb65ee18c5..07573f014889a 100644
--- a/coderd/userauth_test.go
+++ b/coderd/userauth_test.go
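Review bot: The `if equal` branch answers with a distinct 400 whose message confirms that the submitted password equals the account's current one, so it is only safe when the one-time passcode has already been verified earlier in postChangePasswordWithOneTimePasscode, which starts outside the hunk; worth confirming the comparison sits after the passcode and expiry checks rather than before them, since otherwise the endpoint would confirm a guessed current password to an unauthenticated caller. If the authenticated change-password handler carries the same reuse check, its message should be updated in the same commit so both flows report reuse identically. The new subtest in userauth_test.go asserts this exact sentence, so any later wording change has to touch both files.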
@@ -2386,6 +2386,36 @@ func TestUserForgotPassword(t *testing.T) {
 		requireCanLogin(t, ctx, anotherClient, anotherUser.Email, oldPassword)
 	})
+	t.Run("CannotReuseOldPassword", func(t *testing.T) {
+		t.Parallel()
+
+		notifyEnq := ¬ificationstest.FakeEnqueuer{}
+
+		client := coderdtest.New(t, &coderdtest.Options{
+			NotificationsEnqueuer: notifyEnq,
+		})
+		user := coderdtest.CreateFirstUser(t, client)
+
+		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+		defer cancel()
+
+		anotherClient, anotherUser := coderdtest.CreateAnotherUser(t, client, user.OrganizationID)
+
+		oneTimePasscode := requireRequestOneTimePasscode(t, ctx, anotherClient, notifyEnq, anotherUser.Email, anotherUser.ID)
+
+		err := anotherClient.ChangePasswordWithOneTimePasscode(ctx, codersdk.ChangePasswordWithOneTimePasscodeRequest{
+			Email:           anotherUser.Email,
+			OneTimePasscode: oneTimePasscode,
+			Password:        oldPassword,
+		})
+		var apiErr *codersdk.Error
+		require.ErrorAs(t, err, &apiErr)
+		require.Equal(t, http.StatusBadRequest, apiErr.StatusCode())
+		require.Contains(t, apiErr.Message, "New password must be different from your current password.")
+
+		requireCanLogin(t, ctx, anotherClient, anotherUser.Email, oldPassword)
+	})
+
 	t.Run("CannotChangePasswordOfAnotherUser", func(t *testing.T) {
 		t.Parallel()
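Review bot: The new subtest stops at the 400 and `requireCanLogin`, so it does not pin whether the one-time passcode survives a rejected reuse attempt; a regression that consumed the passcode on this path, or left a single-use passcode valid when it should not, would pass unnoticed. A second `ChangePasswordWithOneTimePasscode` call with the same `oneTimePasscode` and a different password, asserting whichever outcome the handler intends, would close that gap. `require.Contains` on the full sentence is effectively `require.Equal` and duplicates the user-facing literal from userauth.go; asserting the status code plus a short stable fragment (or a shared constant, if the test package can reach one) would be less brittle. The `¬ificationstest` on the `notifyEnq :=` line looks like an HTML-entity rendering of `&notificationstest` in the page rather than the patched text. TestUserForgotPassword starts outside the hunk.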