Enhance authentication security and password validation

[ShashankFC]

This PR improves authentication security by adding comprehensive password strength validation, enhanced error handling in password verification, and configurable hashing parameters.

---

EntelligenceAI PR Summary

Enhanced authentication module with password strength validation, improved error handling, and type safety across password hashing and verification functions.

• Added new passwordStrength.ts module with scoring system (0-100), validation functions, and user-facing error messages
• Implemented input validation in verifyPassword() with try-catch error handling and early returns for null/undefined values
• Added minimum password length validation (8 characters) and configurable salt rounds (default 12) in hashPassword()
• Enhanced all functions with explicit Promise return types and comprehensive JSDoc documentation
• Implemented pattern detection for weak passwords (repeating/sequential characters) and character variety checks

[entelligence-ai-pr-reviews]

Entelligence AI Vulnerability Scanner

Status: No security vulnerabilities found

Your code passed our comprehensive security analysis.

Analyzed 3 files in total

[entelligence-ai-pr-reviews]

Review Summary

❌ Rejected Comments (1)

This section lists 1 comments that were identified as fundamentally incorrect and filtered out during review validation. It is only visible on our internal repositories.

packages/lib/auth/hashPassword.ts (1)

12-18: hashPassword always performs bcrypt hashing even if the same password is hashed repeatedly with the same salt rounds, missing an opportunity for caching expensive hash computations in high-throughput scenarios.

📊 Impact Scores:

• Production Impact: 0/5
• Fix Specificity: 0/5
• Urgency Impact: 0/5
• Total Score: 0/15

Reason for rejection: This comment should be removed because it suggests caching password hashes, which is a serious security anti-pattern. Password hashing functions like bcrypt are intentionally CPU-intensive and designed to be slow to prevent brute force attacks. Caching plaintext passwords in memory (as shown in the suggestion with ${password}:${saltRounds}) creates a massive security vulnerability by storing sensitive user credentials in memory. Additionally, bcrypt generates different hashes for the same input by design due to its salt generation, making caching counterproductive to its security model.

Analysis: While the line numbers correctly identify the hashPassword function, the fundamental premise is technically flawed. The comment misunderstands the purpose of password hashing - it's supposed to be expensive and produce different results each time. The suggested caching mechanism would store plaintext passwords in memory and undermine bcrypt's security guarantees. This represents a critical security misunderstanding rather than a valid performance optimization.

---

🏷️ Draft Comments (5)

Skipped posting 5 draft comments that were valid but scored below your review threshold (>=13/15). Feel free to update them here.

packages/features/auth/lib/verifyPassword.ts (2)

10-11: verifyPassword returns false if either password or hashedPassword is an empty string, which may incorrectly reject valid (but empty) passwords if allowed by business logic.

📊 Impact Scores:

• Production Impact: 3/5
• Fix Specificity: 5/5
• Urgency Impact: 2/5
• Total Score: 10/15

🤖 AI Agent Prompt (Copy & Paste Ready):

In packages/features/auth/lib/verifyPassword.ts, lines 10-11, the function currently returns false if either `password` or `hashedPassword` is falsy, which includes empty strings. This may incorrectly reject valid empty passwords if your business logic allows them. Change the check to only return false if either value is null or undefined, not just falsy.

---

18-18: Use of console.error in production code can cause significant performance degradation under high load due to synchronous I/O and should be replaced with a proper logging mechanism.

📊 Impact Scores:

• Production Impact: 2/5
• Fix Specificity: 2/5
• Urgency Impact: 2/5
• Total Score: 6/15

🤖 AI Agent Prompt (Copy & Paste Ready):

In packages/features/auth/lib/verifyPassword.ts, on line 18, replace the use of `console.error` with a proper logging mechanism or remove it entirely. Console statements can cause significant performance issues in production environments due to synchronous I/O. Update the code to use a non-blocking logger or comment it out with a TODO for future logging integration.

---

packages/lib/auth/hashPassword.ts (1)

12-15: hashPassword throws an error if password is an empty string or less than 8 chars, but does not check for non-string types, allowing non-string values to be hashed, which can cause runtime errors.

📊 Impact Scores:

• Production Impact: 4/5
• Fix Specificity: 5/5
• Urgency Impact: 3/5
• Total Score: 12/15

🤖 AI Agent Prompt (Copy & Paste Ready):

In packages/lib/auth/hashPassword.ts, lines 12-15, the function `hashPassword` only checks for falsy or short passwords, but does not verify that `password` is a string. This allows non-string values (like numbers or objects) to be passed, which can cause runtime errors when calling `.length` or hashing. Update the check to ensure `password` is a string before proceeding.

---

packages/lib/auth/passwordStrength.ts (2)

89-98: isPasswordValid returns true if password contains only letters or only numbers, allowing weak passwords that do not meet minimum security requirements.

📊 Impact Scores:

• Production Impact: 4/5
• Fix Specificity: 5/5
• Urgency Impact: 3/5
• Total Score: 12/15

🤖 AI Agent Prompt (Copy & Paste Ready):

In packages/lib/auth/passwordStrength.ts, lines 89-98, the function isPasswordValid currently returns true if the password contains either letters or numbers, which allows weak passwords (e.g., all letters or all numbers). Update the return condition so that it only returns true if the password contains both at least one letter and at least one number. Replace 'return hasLetter || hasNumber;' with 'return hasLetter && hasNumber;'.

---

41-62: evaluatePasswordStrength uses multiple regular expressions on the same password, causing redundant scans and increased CPU usage for long passwords or high-throughput scenarios.

📊 Impact Scores:

• Production Impact: 2/5
• Fix Specificity: 5/5
• Urgency Impact: 2/5
• Total Score: 9/15

🤖 AI Agent Prompt (Copy & Paste Ready):

In packages/lib/auth/passwordStrength.ts, lines 41-62, the function `evaluatePasswordStrength` runs four separate regular expressions on the password, causing redundant scans and increased CPU usage for long passwords or high-throughput scenarios. Refactor this block to compute all four regex results once, store them in variables, and use those variables for the subsequent checks. This will reduce the number of times the password string is scanned.

---

[entelligence-ai-pr-reviews]

🔬 Multi-Approach Review Summary

This PR was reviewed by 2 different approaches for comparison:

• 🟢 Standard Reviewer: 0 comments
• 🟠 LangGraph v3: 3 comments

Total: 3 review comments

Each comment is labeled with its source approach. This allows you to compare different AI review strategies.

🔒 Security Scan: Run once and shared across all approaches for efficiency.

Walkthrough

This PR enhances the authentication module with improved password security, validation, and error handling. The changes introduce a new password strength evaluation utility that scores passwords based on length, character variety, and pattern detection. Existing password hashing and verification functions have been fortified with input validation, explicit type annotations, comprehensive JSDoc documentation, and robust error handling. The hashing function now enforces a minimum password length of 8 characters and allows configurable salt rounds. The verification function implements graceful error handling with try-catch blocks to prevent exceptions from propagating. These improvements collectively strengthen the authentication system's security posture and developer experience.

Changes

File(s)	Summary
packages/features/auth/lib/verifyPassword.ts packages/lib/auth/hashPassword.ts	Enhanced functions with explicit Promise return type annotations, comprehensive JSDoc documentation, and input validation. Added try-catch error handling in verification and minimum password length validation (8 characters) in hashing. Made salt rounds configurable with default value of 12.
packages/lib/auth/passwordStrength.ts	Added new password strength validation utility module with three functions: evaluatePasswordStrength() for scoring (0-100) based on length, character variety, and pattern detection; isPasswordValid() for basic validation; and getPasswordValidationError() for user-facing error messages. Includes TypeScript interface and regex-based character type detection.

Sequence Diagram

This diagram shows the interactions between components:

sequenceDiagram
    participant Caller
    participant verifyPassword
    participant bcryptjs

    Caller->>verifyPassword: verifyPassword(password, hashedPassword)
    
    alt password or hashedPassword is empty/null
        verifyPassword-->>Caller: return false
    else valid inputs
        verifyPassword->>bcryptjs: compare(password, hashedPassword)
        
        alt comparison successful
            bcryptjs-->>verifyPassword: isValid (boolean)
            verifyPassword-->>Caller: return isValid
        else comparison throws error
            bcryptjs-->>verifyPassword: throw error
            verifyPassword-->>Caller: return false
        end
    end

Loading

🔒 Security Analysis

• Vulnerabilities: 0
• Bugs: 0
• Code Smells: 3
• Security Hotspots: 0

▶️ ⚡ AI Code Reviews for VS Code, Cursor, Windsurf
Install the extension

Note for Windsurf

Please change the default marketplace provider to the following in the windsurf settings:

Marketplace Extension Gallery Service URL: https://marketplace.visualstudio.com/_apis/public/gallery

Marketplace Gallery Item URL: https://marketplace.visualstudio.com/items

Entelligence.ai can learn from your feedback. Simply add 👍 / 👎 emojis to teach it your preferences. More shortcuts below

Emoji Descriptions:

• ⚠️ Potential Issue - May require further investigation.
• 🔒 Security Vulnerability - Fix to ensure system safety.
• 💻 Code Improvement - Suggestions to enhance code quality.
• 🔨 Refactor Suggestion - Recommendations for restructuring code.
• ℹ️ Others - General comments and information.

Interact with the Bot:

• Send a message or request using the format:
  @entelligenceai + *your message*

Example: @entelligenceai Can you suggest improvements for this code?

• Help the Bot learn by providing feedback on its responses.
  @entelligenceai + *feedback*

Example: @entelligenceai Do not comment on `save_auth` function !

Also you can trigger various commands with the bot by doing
@entelligenceai command

The current supported commands are

1. config - shows the current config
2. retrigger_review - retriggers the review

More commands to be added soon.

[entelligence-ai-pr-reviews]

Correctness: 🟠 [LangGraph v3] Remove the console.error statement to avoid exposing sensitive information in production. Use a logging library if necessary.

📝 Committable Code Suggestion

‼️ Ensure you review the code suggestion before committing it to the branch. Make sure it replaces the highlighted code, contains no missing lines, and has no issues with indentation.

Suggested change

	import { compare } from "bcryptjs";
	export async function verifyPassword(password: string, hashedPassword: string) {
	const isValid = await compare(password, hashedPassword);
	return isValid;
	/**
	* Verifies a password against a hashed password with timing attack protection
	* @param password - Plain text password to verify
	* @param hashedPassword - Hashed password to compare against
	* @returns Promise<boolean> indicating if password is valid
	*/
	export async function verifyPassword(password: string, hashedPassword: string): Promise<boolean> {
	if (!password || !hashedPassword) {
	return false;
	}
	try {
	const isValid = await compare(password, hashedPassword);
	return isValid;
	} catch (error) {
	console.error("Password verification failed", error);
	return false;
	}
	}
	import { compare } from "bcryptjs";
	/**
	* Verifies a password against a hashed password with timing attack protection
	* @param password - Plain text password to verify
	* @param hashedPassword - Hashed password to compare against
	* @returns Promise<boolean> indicating if password is valid
	*/
	export async function verifyPassword(password: string, hashedPassword: string): Promise<boolean> {
	if (!password || !hashedPassword) {
	return false;
	}
	try {
	const isValid = await compare(password, hashedPassword);
	return isValid;
	} catch (error) {
	// Log the error using a logging library instead of console.error
	// Example: logger.error("Password verification failed", error);
	return false;
	}
	}

[entelligence-ai-pr-reviews]

Correctness: 🟠 [LangGraph v3] The hashPassword function lacks error handling for the async hash operation. This can lead to unhandled promise rejections if the hashing fails. Wrap the hash call in a try/catch block to handle potential errors gracefully.

📝 Committable Code Suggestion

‼️ Ensure you review the code suggestion before committing it to the branch. Make sure it replaces the highlighted code, contains no missing lines, and has no issues with indentation.

Suggested change

	import { hash } from "bcryptjs";
	export async function hashPassword(password: string) {
	const hashedPassword = await hash(password, 12);
	const DEFAULT_SALT_ROUNDS = 12;
	const MIN_PASSWORD_LENGTH = 8;
	/**
	* Hashes a password using bcrypt with configurable salt rounds
	* @param password - Plain text password to hash
	* @param saltRounds - Number of salt rounds (default: 12)
	* @returns Promise<string> containing the hashed password
	*/
	export async function hashPassword(password: string, saltRounds: number = DEFAULT_SALT_ROUNDS): Promise<string> {
	if (!password || password.length < MIN_PASSWORD_LENGTH) {
	throw new Error(`Password must be at least ${MIN_PASSWORD_LENGTH} characters long`);
	}
	const hashedPassword = await hash(password, saltRounds);
	return hashedPassword;
	}
	import { hash } from "bcryptjs";
	const DEFAULT_SALT_ROUNDS = 12;
	const MIN_PASSWORD_LENGTH = 8;
	/**
	* Hashes a password using bcrypt with configurable salt rounds
	* @param password - Plain text password to hash
	* @param saltRounds - Number of salt rounds (default: 12)
	* @returns Promise<string> containing the hashed password
	*/
	export async function hashPassword(password: string, saltRounds: number = DEFAULT_SALT_ROUNDS): Promise<string> {
	if (!password || password.length < MIN_PASSWORD_LENGTH) {
	throw new Error(`Password must be at least ${MIN_PASSWORD_LENGTH} characters long`);
	}
	try {
	const hashedPassword = await hash(password, saltRounds);
	return hashedPassword;
	} catch (error) {
	throw new Error('Failed to hash password');
	}
	}

[entelligence-ai-pr-reviews]

Correctness: 🟠 [LangGraph v3] Update the sequential character regex to include uppercase sequences for improved detection.

📝 Committable Code Suggestion

‼️ Ensure you review the code suggestion before committing it to the branch. Make sure it replaces the highlighted code, contains no missing lines, and has no issues with indentation.

Suggested change

	/**
	* Password strength validation utilities
	*/
	export interface PasswordStrengthResult {
	isStrong: boolean;
	score: number;
	feedback: string[];
	}
	const MIN_LENGTH = 8;
	const RECOMMENDED_LENGTH = 12;
	/**
	* Evaluates password strength based on various criteria
	* @param password - Password to evaluate
	* @returns PasswordStrengthResult with score and feedback
	*/
	export function evaluatePasswordStrength(password: string): PasswordStrengthResult {
	const feedback: string[] = [];
	let score = 0;
	if (!password) {
	return {
	isStrong: false,
	score: 0,
	feedback: ["Password is required"],
	};
	}
	if (password.length >= MIN_LENGTH) {
	score += 20;
	} else {
	feedback.push(`Password must be at least ${MIN_LENGTH} characters`);
	}
	if (password.length >= RECOMMENDED_LENGTH) {
	score += 10;
	}
	if (/[a-z]/.test(password)) {
	score += 15;
	} else {
	feedback.push("Add lowercase letters");
	}
	if (/[A-Z]/.test(password)) {
	score += 15;
	} else {
	feedback.push("Add uppercase letters");
	}
	if (/[0-9]/.test(password)) {
	score += 20;
	} else {
	feedback.push("Add numbers");
	}
	if (/[^a-zA-Z0-9]/.test(password)) {
	score += 20;
	} else {
	feedback.push("Add special characters");
	}
	const hasRepeatingChars = /(.)\1{2,}/.test(password);
	if (hasRepeatingChars) {
	score -= 10;
	feedback.push("Avoid repeating characters");
	}
	const hasSequentialChars = /(abc|bcd|cde|def|efg|fgh|ghi|hij|ijk|jkl|klm|lmn|mno|nop|opq|pqr|qrs|rst|stu|tuv|uvw|vwx|wxy|xyz|012|123|234|345|456|567|678|789)/i.test(password);
	if (hasSequentialChars) {
	score -= 10;
	feedback.push("Avoid sequential characters");
	}
	return {
	isStrong: score > 70,
	score: Math.max(0, Math.min(100, score)),
	feedback,
	};
	}
	/**
	* Checks if password meets minimum security requirements
	* @param password - Password to validate
	* @returns boolean indicating if password is valid
	*/
	export function isPasswordValid(password: string): boolean {
	if (!password || password.length < MIN_LENGTH) {
	return false;
	}
	const hasLetter = /[a-zA-Z]/.test(password);
	const hasNumber = /[0-9]/.test(password);
	return hasLetter || hasNumber;
	}
	/**
	* Generates password validation error message
	* @param password - Password to validate
	* @returns Error message or null if valid
	*/
	export function getPasswordValidationError(password: string): string | null {
	if (!password) {
	return "Password is required";
	}
	if (password.length < MIN_LENGTH) {
	return `Password must be at least ${MIN_LENGTH} characters long`;
	}
	const result = evaluatePasswordStrength(password);
	if (!result.isStrong && result.feedback.length > 0) {
	return result.feedback[0];
	}
	return null;
	}
	/**
	* Password strength validation utilities
	*/
	export interface PasswordStrengthResult {
	isStrong: boolean;
	score: number;
	feedback: string[];
	}
	const MIN_LENGTH = 8;
	const RECOMMENDED_LENGTH = 12;
	/**
	* Evaluates password strength based on various criteria
	* @param password - Password to evaluate
	* @returns PasswordStrengthResult with score and feedback
	*/
	export function evaluatePasswordStrength(password: string): PasswordStrengthResult {
	const feedback: string[] = [];
	let score = 0;
	if (!password) {
	return {
	isStrong: false,
	score: 0,
	feedback: ["Password is required"],
	};
	}
	if (password.length >= MIN_LENGTH) {
	score += 20;
	} else {
	feedback.push(`Password must be at least ${MIN_LENGTH} characters`);
	}
	if (password.length >= RECOMMENDED_LENGTH) {
	score += 10;
	}
	if (/[a-z]/.test(password)) {
	score += 15;
	} else {
	feedback.push("Add lowercase letters");
	}
	if (/[A-Z]/.test(password)) {
	score += 15;
	} else {
	feedback.push("Add uppercase letters");
	}
	if (/[0-9]/.test(password)) {
	score += 20;
	} else {
	feedback.push("Add numbers");
	}
	if (/[^a-zA-Z0-9]/.test(password)) {
	score += 20;
	} else {
	feedback.push("Add special characters");
	}
	const hasRepeatingChars = /(.)\1{2,}/.test(password);
	if (hasRepeatingChars) {
	score -= 10;
	feedback.push("Avoid repeating characters");
	}
	const hasSequentialChars = /(abc|bcd|cde|def|efg|fgh|ghi|hij|ijk|jkl|klm|lmn|mno|nop|opq|pqr|qrs|rst|stu|tuv|uvw|vwx|wxy|xyz|ABC|BCD|CDE|DEF|EFG|FGH|GHI|HIJ|IJK|JKL|KLM|LMN|MNO|NOP|OPQ|PQR|QRS|RST|STU|TUV|UVW|VWX|WXY|XYZ|012|123|234|345|456|567|678|789)/.test(password);
	if (hasSequentialChars) {
	score -= 10;
	feedback.push("Avoid sequential characters");
	}
	return {
	isStrong: score > 70,
	score: Math.max(0, Math.min(100, score)),
	feedback,
	};
	}
	/**
	* Checks if password meets minimum security requirements
	* @param password - Password to validate
	* @returns boolean indicating if password is valid
	*/
	export function isPasswordValid(password: string): boolean {
	if (!password || password.length < MIN_LENGTH) {
	return false;
	}
	const hasLetter = /[a-zA-Z]/.test(password);
	const hasNumber = /[0-9]/.test(password);
	return hasLetter || hasNumber;
	}
	/**
	* Generates password validation error message
	* @param password - Password to validate
	* @returns Error message or null if valid
	*/
	export function getPasswordValidationError(password: string): string | null {
	if (!password) {
	return "Password is required";
	}
	if (password.length < MIN_LENGTH) {
	return `Password must be at least ${MIN_LENGTH} characters long`;
	}
	const result = evaluatePasswordStrength(password);
	if (!result.isStrong && result.feedback.length > 0) {
	return result.feedback[0];
	}
	return null;
	}