Description
Bug Report: Google-Auth users are permanently locked out from setting a native password
Problem
In backend/controllers/authController.js, when a new user registers using Google OAuth (googleLogin), the system generates a random 32-byte hex string, hashes it, and saves it as their password to satisfy database constraints.
If this user later navigates to their profile settings and wishes to set up a native password (e.g., to log in with email/password instead of Google), they hit a dead end. The updateProfile endpoint strictly enforces that currentPassword must be provided and must match the database hash before a newPassword can be saved.
Because the user does not know the randomly generated 32-byte hex string (and there is no "Forgot Password" functionality currently implemented to reset it via email), they are permanently locked out of setting a native password for their account.
Expected Behavior
updateProfile should recognize when an account is a "Google Auth only" account (e.g., perhaps by checking a flag or checking if the password matches a specific placeholder strategy) and allow the user to set an initial password without requiring a currentPassword. Alternatively, the schema should allow null passwords for OAuth users, and updateProfile should bypass the currentPassword check if the existing password is null.