fix: vulnerability allows users to reset owner passwords

[wssheldon]

fix password reset vulnerability

summary

fixes a vulnerability where any user could take over other user accounts by setting their password to None through the general user update endpoint. this was possible because password updates were incorrectly handled in the general update endpoint.

changes

• removed password handling from general user update endpoint
• added dedicated password change endpoints with proper validation
• renamed check_password to verify_password for consistency
• added password complexity requirements
• implemented proper role-based access controls for password changes

test results

# 1. user registration tests
✅ owner registration successful
./venv/bin/dispatch user register --organization default --role Owner test.owner@example.com
> User registered successfully.

✅ member registration successful
./venv/bin/dispatch user register --organization default --role Member test.member@example.com
> User registered successfully.

# 2. cli password reset tests
✅ owner password reset successful
./venv/bin/dispatch user reset test.owner@example.com
> User password successfully updated.

✅ member password reset successful
./venv/bin/dispatch user reset test.member@example.com
> User password successfully updated.

# 3. login tests
✅ owner login successful
curl -X POST "http://localhost:8000/api/v1/default/auth/login" \
  -H "Content-Type: application/json" \
  -d '{"email": "test.owner@example.com", "password": "test123456"}'
> {"projects":[...], "token": "..."}

✅ member login successful
curl -X POST "http://localhost:8000/api/v1/default/auth/login" \
  -H "Content-Type: application/json" \
  -d '{"email": "test.member@example.com", "password": "test123456"}'
> {"projects":[...], "token": "..."}

# 4. password change security tests
✅ general update endpoint no longer accepts password changes
curl -X PUT "http://localhost:8000/api/v1/default/users/1" \
  -H "Authorization: Bearer MEMBER_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"id": 1, "password": null, "email": "test.owner@example.com"}'
> {"detail":[{"msg":"Could not validate credentials"}]}

✅ member cannot change owner's password
curl -X POST "http://localhost:8000/api/v1/default/users/12541/change-password" \
  -H "Authorization: Bearer MEMBER_TOKEN" \
  -d '{"current_password": "test123456", "new_password": "NewPassword123"}'
> {"detail":[{"msg":"Not authorized to change other user passwords"}]}

✅ member can change own password with correct current password
curl -X POST "http://localhost:8000/api/v1/default/users/12542/change-password" \
  -H "Authorization: Bearer MEMBER_TOKEN" \
  -d '{"current_password": "test123456", "new_password": "NewPassword123"}'
> {"email":"test.member@example.com",...}

✅ password validation enforced
curl -X POST "http://localhost:8000/api/v1/default/users/12542/change-password" \
  -H "Authorization: Bearer MEMBER_TOKEN" \
  -d '{"current_password": "wrong", "new_password": "NewPassword123"}'
> {"detail":[{"msg":"Invalid current password"}]}

summary: 8/8 tests passed ✅