From a68535cbe4dc0aae7205f22beedb0f7e5fbf4ade Mon Sep 17 00:00:00 2001
From: Gabriel Luiz Freitas Almeida
Date: Fri, 8 Sep 2023 16:42:56 -0300
Subject: [PATCH] =?UTF-8?q?=F0=9F=90=9B=20fix(users.py):=20prevent=20users?=
 =?UTF-8?q?=20from=20changing=20their=20password=20in=20the=20patch=5Fuser?=
 =?UTF-8?q?=20endpoint=20to=20ensure=20security=20=F0=9F=90=9B=20fix(users?=
 =?UTF-8?q?.py):=20prevent=20users=20from=20using=20their=20current=20pass?=
 =?UTF-8?q?word=20when=20resetting=20their=20password=20to=20ensure=20secu?=
 =?UTF-8?q?rity?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 src/backend/langflow/api/v1/users.py | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/backend/langflow/api/v1/users.py b/src/backend/langflow/api/v1/users.py
index 81b0c2332..dca8b23d2 100644
--- a/src/backend/langflow/api/v1/users.py
+++ b/src/backend/langflow/api/v1/users.py
@@ -97,6 +97,10 @@ def patch_user(
 raise HTTPException(
 status_code=403,
 detail="You don't have the permission to update this user"
 )
+ if user.password:
+ raise HTTPException(
+ status_code=400, detail="You can't change your password here"
+ )
 if user_db := get_user_by_id(session, user_id):
 return update_user(user_db, user_update, session)
@@ -122,6 +126,10 @@ def reset_password(
 if not user:
 raise HTTPException(status_code=404, detail="User not found")
 new_password = get_password_hash(user_update.password)
+ if new_password == user.password:
+ raise HTTPException(
+ status_code=400, detail="You can't use your current password"
+ )
 user.password = new_password
 session.commit()
 session.refresh(user)
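Review bot: The added guard `if user.password:` inspects `user`, but the write on the following context line applies `user_update` via `update_user(user_db, user_update, session)`; if those are two different objects (patch_user's signature is outside the hunk), the password field of the payload that is actually persisted is never checked. The guard also only rejects a truthy value, so whether an empty-string password is ignored or written depends on `update_user`, which is not visible here. A more defensive shape is to make this path unable to write the field at all — clear the password attribute of the update payload immediately before the `update_user` call — and keep the 400 as the user-facing signal, with a one-line comment such as `# password changes are only accepted through reset_password`. patch_user's signature and the start of its body lie outside the hunk.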
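Review bot: The added `if new_password == user.password:` compares two hash strings, which only detects reuse if `get_password_hash` is deterministic; with a salted scheme (the usual choice for password storage) every call produces a different hash, so the check never fires and the rule the commit message describes is silently not enforced. Verify the submitted plaintext against the stored hash before hashing instead: `if verify_password(user_update.password, user.password):` / `raise HTTPException(status_code=400, detail="You can't use your current password")` / then `new_password = get_password_hash(user_update.password)`, where `verify_password` stands for whichever verify helper the project pairs with `get_password_hash` (not visible in this hunk). A comment such as `# compare plaintext against the stored hash; comparing fresh hashes is not meaningful with salted hashing` would keep the next maintainer from reintroducing the hash comparison. reset_password's signature and the earlier part of its body are outside the hunk.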