webupdatev1

backend/routes/users.js

@@ -2,6 +2,7 @@ const express = require("express");
 const bcrypt = require("bcrypt");
 const { query } = require("../config/database");
 const { requireAuth, requireRole } = require("../middleware/auth");
+const { apiLimiter } = require("../config/rateLimiter");
 const logger = require("../config/logger");
 const {
   validators,
@@ -10,6 +11,9 @@ const {
 const { asyncHandler } = require("../middleware/errorHandler");
 const router = express.Router();
 
+// Apply rate limiting
+router.use(apiLimiter);
+
 // Require admin role for all routes
 router.use(requireAuth);
 router.use(requireRole("role-admin"));
@@ -211,12 +215,28 @@ router.put("/:id", async (req, res) => {
 
     // Handle password update if provided
     if (password !== undefined && password !== "") {
-      if (password.length < 8) {
+      // Validate password strength
+      if (password.length < 12) {
         return res.status(400).json({
           success: false,
-          message: "Password must be at least 8 characters long",
+          message: "Password must be at least 12 characters long",
         });
       }
+
+      // Check password complexity
+      const hasUpperCase = /[A-Z]/.test(password);
+      const hasLowerCase = /[a-z]/.test(password);
+      const hasNumber = /\d/.test(password);
+      const hasSpecialChar = /[@$!%*?&#]/.test(password);
+
+      if (!hasUpperCase || !hasLowerCase || !hasNumber || !hasSpecialChar) {
+        return res.status(400).json({
+          success: false,
+          message:
+            "Password must contain uppercase, lowercase, number, and special character",
+        });
+      }
+
       const hashedPassword = await bcrypt.hash(password, 10);
       updates.push(`passwordhash = $${paramCount++}`);
       values.push(hashedPassword);