From f92217976512ca297b0087c126ead440f0aa0315 Mon Sep 17 00:00:00 2001 From: asif Date: Sat, 8 Nov 2025 20:28:21 +0530 Subject: [PATCH] fix: change tpin match with hashing and not directly --- src/controllers/auth.controller.js | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/controllers/auth.controller.js b/src/controllers/auth.controller.js index 8e1f73e..2c0c88f 100644 --- a/src/controllers/auth.controller.js +++ b/src/controllers/auth.controller.js @@ -187,12 +187,12 @@ async function changeTpin(req, res) { if (!user.tpin) return res.status(400).json({ error: 'USER_DOESNT_HAVE_A_TPIN' }); const { oldTpin, newTpin } = req.body; - if (oldTpin !== user.tpin) - return res.status(400).json({ error: 'TPIN_DOESNT_MATCH' }); + const isMatch = await comparePassword(oldTpin, user.tpin); + if (!isMatch) return res.status(400).json({ error: 'TPIN_DOESNT_MATCH' }); if (!/^\d{6}$/.test(newTpin)) return res.status(400).json({ error: 'INVALID_TPIN_FORMAT' }); - authService.setTpin(customerNo, tpin); + await authService.setTpin(customerNo, newTpin); return res.json({ message: 'TPIN_SET' }); } catch (error) { logger.error(error);
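Review bot: `oldTpin` goes from `req.body` straight into `comparePassword` with no type or format check, and the `/^\d{6}$/.test(newTpin)` check below it coerces its argument, so a number or a one-element array also passes and is handed to `authService.setTpin`. A guard before the compare, e.g. `if (typeof oldTpin !== 'string' || typeof newTpin !== 'string') return res.status(400).json({ error: 'INVALID_TPIN_FORMAT' });`, keeps a missing or non-string value from reaching the hash helper, where it would presumably throw and land in the `catch` instead of returning a 400. A six-digit TPIN has only 10^6 possible values, so the `TPIN_DOESNT_MATCH` branch also needs a per-customer attempt limit or lockout; none is visible in this hunk, so confirm one exists in middleware or in `authService`. `changeTpin` starts and ends outside the hunk, so whether `comparePassword` is imported in this file cannot be checked from here.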