Update to use random string as default password for SSO / Social logins

Author: jmgasper

.env.sample

@@ -143,4 +143,6 @@ SERVICEACC02_CID="devadmin1"
 SERVICEACC02_SECRET="devadmin1"
 SERVICEACC02_UID="100000027"
 
-DEFAULT_REGISTRATION_PASS="default-password"
+# Note: Registration default password is no longer configurable; for social/SSO
+# registrations without a provided password, a unique 16-character random
+# password is generated at registration time.

src/api/user/user.service.spec.ts

@@ -1163,7 +1163,7 @@ describe('UserService', () => {
       ).rejects.toThrow(BadRequestException);
     });
 
-    it('should apply default password when profile present and password missing', async () => {
+    it('should generate a random password when profile present and password missing', async () => {
       const dto: CreateUserBodyDto = {
         param: {
           handle: 'socialuser',
@@ -1206,8 +1206,10 @@ describe('UserService', () => {
 
       await service.registerUser(dto);
 
-      // Since configService.get('defaultPassword') is undefined in mock, it should fall back to 'default-password'
-      expect(mockEncode).toHaveBeenCalledWith('default-password');
+      // Should generate and encode a 16-character alphanumeric random password
+      expect(mockEncode).toHaveBeenCalledWith(
+        expect.stringMatching(/^[A-Za-z0-9]{16}$/),
+      );
     });
 
     it('should throw BadRequestException for short password', async () => {

src/api/user/user.service.ts

@@ -70,7 +70,6 @@ export class UserService {
   private readonly logger = new Logger(UserService.name);
   private readonly AUTH0_PROVIDER_NAME = 'auth0'; // Define constant for Auth0 provider name
   private legacyBlowfishKey: string; // Changed: Store the raw Base64 key string directly
-  private readonly defaultPassword: string;
 
   constructor(
     @Inject(PRISMA_CLIENT)
@@ -107,9 +106,6 @@ export class UserService {
         this.legacyBlowfishKey = '';
       }
     }
-    this.defaultPassword = this.configService.get<string>(
-      'DEFAULT_REGISTRATION_PASS',
-    );
   }
 
   // --- Core User Methods ---
@@ -617,6 +613,18 @@ export class UserService {
     return otp;
   }
 
+  // Generates a cryptographically-strong random password consisting of
+  // alphanumeric characters of the requested length.
+  private generateRandomPassword(length: number): string {
+    const charset = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
+    const bytes = crypto.randomBytes(length);
+    let result = '';
+    for (let i = 0; i < length; i++) {
+      result += charset[bytes[i] % charset.length];
+    }
+    return result;
+  }
+
   /**
    * Encodes password using the legacy Blowfish/ECB/PKCS5Padding method.
    * Matches the logic from the old Java Utils.encodePassword.
@@ -690,7 +698,8 @@ export class UserService {
         userParams.credential = {} as CredentialDto;
       }
       if (!CommonUtils.validateString(userParams.credential.password)) {
-        userParams.credential.password = this.defaultPassword;
+        // Generate a unique random password for social/SSO registrations
+        userParams.credential.password = this.generateRandomPassword(16);
       }
     }
     // perform initial static validations