[Bug] Frontend password validation in Signup.tsx is weaker than backend — valid-looking passwords rejected by server with no clear error

[anshul23102]

Description

The password validation regex in src/pages/Signup/Signup.tsx and the backend schema in backend/validators/authValidator.js enforce different rules, causing a mismatch where passwords that pass frontend validation are silently rejected by the backend.

Frontend regex (Signup.tsx)

!/^(?=.*[A-Za-z])(?=.*\d)[A-Za-z\d@$!%*#?&]{8,}$/.test(value)
// Requires: at least one letter + one digit, 8+ characters
// Allows: # as a special character
// Does NOT require uppercase or a special character

Backend regex (authValidator.js)

/^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]+$/
// Requires: uppercase + lowercase + digit + special character (all four)
// Does NOT allow: #

Concrete examples of the mismatch

Password	Frontend result	Backend result
password1	Valid	Rejected (no uppercase, no special char)
Password1	Valid	Rejected (no special char)
Password1#	Valid (# allowed by frontend)	Rejected (# not in backend allowlist)
Password1!	Valid	Valid

Impact

A user who enters Password1 sees no frontend error and clicks submit. The backend then returns a Zod validation error ("Password must contain uppercase, lowercase, number, and special character") which surfaces as a generic server error. The user has no inline guidance about what the password actually needs to contain.

This creates a broken and confusing signup experience: the form appears to accept the password but the server rejects it with no actionable inline message.

Steps to Reproduce

1. Navigate to the Sign Up page.
2. Fill in a valid username and email.
3. Enter password Password1 (has uppercase, lowercase, digit — but no special character).
4. Observe: no inline error is shown, the submit button is enabled.
5. Click Create Account.
6. Observe: a server-side error is returned and displayed as a generic message.

Expected Behavior

The frontend should enforce the same rules as the backend. The inline error message should list all requirements: uppercase, lowercase, digit, and one of @0%*?&.

Proposed Fix

Update the password regex in src/pages/Signup/Signup.tsx to match the backend rule exactly:

// Before
!/^(?=.*[A-Za-z])(?=.*\d)[A-Za-z\d@$!%*#?&]{8,}$/.test(value)

// After
!/^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]{8,}$/.test(value)

Update the error message to:

"Password must be at least 8 characters and include uppercase, lowercase, a number, and a special character (@0%*?&)"

Apply the same fix in the handleSubmit block.

Affected Files

• src/pages/Signup/Signup.tsx (both handleChange and handleSubmit validation blocks)
• backend/validators/authValidator.js (source of truth)

Suggested Labels

type:bug level:intermediate quality:exceptional

I would like to work on this issue under GSSoC 2026. Could you please assign it to me? @GitMetricsLab

/assign

[anshul23102]

Opened PR #465 with the fix.

Root cause: Signup.tsx used a different regex from the Zod schema in backend/validators/authValidator.js. The frontend only required one letter and one digit, also allowed # which the backend does not, and never required uppercase or a special character. Passwords like Password1 passed the form but were silently rejected by the server.

Fix: extracted a PASSWORD_REGEX constant that mirrors the backend Zod rule exactly (lowercase + uppercase + digit + one of @$!%*?&, 8+ chars), applied it in both handleChange and handleSubmit, and updated the error message to list all four requirements. No backend changes needed.