A user with password=NULL passed the missing/disabled guard and reached comparePasswordHash(pw, null), which native bcrypt rejects -> 500 on /api/auth/login and, on /mcp, a leaky 401 that the brute-force limiter ignored (enumeration oracle + limiter evasion). Treat a null/empty password like a missing user in verifyUserCredentials (dummy compare for timing parity + unified CREDENTIALS_MISMATCH_MESSAGE) and reject early in changePassword before bcrypt. Contract spec asserts the null-password guard. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
A progressive Node.js framework for building efficient and scalable server-side applications.
Description
Nest framework TypeScript starter repository.
Installation
$ npm install
Running the app
# development
$ npm run start
# watch mode
$ npm run start:dev
# production mode
$ npm run start:prod
Migrations
# This creates a new empty migration file named 'init'
$ npm run migration:create --name=init
# Generates 'init' migration file from existing entities to update the database schema
$ npm run migration:generate --name=init
# Runs all pending migrations to update the database schema
$ npm run migration:run
# Reverts the last executed migration
$ npm run migration:revert
# Reverts all migrations
$ npm run migration:revert
# Shows the list of executed and pending migrations
$ npm run migration:show
## Test
```bash
# unit tests
$ npm run test
# e2e tests
$ npm run test:e2e
# test coverage
$ npm run test:cov
Support
Nest is an MIT-licensed open source project. It can grow thanks to the sponsors and support by the amazing backers. If you'd like to join them, please read more here.
Stay in touch
- Author - Kamil Myśliwiec
- Website - https://nestjs.com
- Twitter - @nestframework
License
Nest is MIT licensed.