Add current password verification endpoint

[sidhujag]

Summary

• Adds POST /auth/verify-password as a read-only authenticated credential check.
• Requires CSRF and validates the submitted auth hash without rotating sessions or changing credentials.
• Adds route coverage for success, mismatch, malformed body, unauthenticated, and missing-CSRF cases.

Test plan

• npm test -- tests/auth.routes.test.js

Made with Cursor

[sidhujag]

@codex review

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 7df68f6550

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Add rate limiting to verify-password endpoint

POST /auth/verify-password is wired with only requireAuth and CSRF checks, so it exposes an unthrottled 401/204 credential oracle (verifyPasswordStepUp) for any actor who obtains a live session+CSRF token (for example via session theft or XSS). Unlike /auth/change-password, successful guesses here have no user-visible side effect (no password rotation email/session churn), which makes password discovery significantly stealthier and easier to automate; this endpoint should use a limiter (ideally per user/session) similar to other auth-sensitive probes.

Useful? React with 👍 / 👎.

[sidhujag]

@codex review

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 7883fc7482

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Guard missing verifyPassword limiter before route registration

createAuthRouter now always injects limiters.verifyPassword into POST /auth/verify-password, but this commit did not make the new key optional. Any caller still passing the previous limiter shape (for example the existing builders in tests/govProposals.routes.test.js that omit verifyPassword) will pass undefined as middleware and fail router construction at startup. This is a backward-incompatible crash path introduced by this change; add a safe default (e.g., disabled limiter) or update all call sites that construct limiters manually.

Useful? React with 👍 / 👎.

[sidhujag]

@codex review

[chatgpt-codex-connector]

Codex Review: Didn't find any major issues. Breezy!

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[sidhujag]

@codex review

[chatgpt-codex-connector]

Codex Review: Didn't find any major issues. You're on a roll.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".