'plugin::users-permissions.user', confirm current password?

I have successfully built a change password form as part of my front-end web application using a Strapi ‘plugin::users-permissions.user’ plugin. As part of the change password process, I want to check to make sure the current password is correct. Does anyone know how I can achieve this?

const _ = require('lodash');

module.exports = (plugin) => {
  // Look up a users-permissions controller by name
  const getController = name => {
    return strapi.plugins['users-permissions'].controller(name);
  };

  // Create the new controller
  plugin.controllers.user.updateMe = async (ctx) => {
    const user = ctx.state.user;

    // User has to be logged in to update themselves
    if (!user) {
      return ctx.unauthorized();
    }

    // Pick only specific fields for security
    const newData = _.pick(ctx.request.body, ['email', 'username', 'password', 'confirmPassword', 'firstName', 'lastName', 'genderIdentity']);

    // Make sure there is no duplicate user with the same username
    if (newData.username) {
      const userWithSameUsername = await strapi
        .db.query('plugin::users-permissions.user')
        .findOne({ where: { username: newData.username } });

      if (userWithSameUsername && userWithSameUsername.id != user.id) {
        return ctx.badRequest('Username already taken');
      }
    }

    // Make sure there is no duplicate user with the same email
    if (newData.email) {
      const userWithSameEmail = await strapi
        .db.query('plugin::users-permissions.user')
        .findOne({ where: { email: newData.email.toLowerCase() } });

      if (userWithSameEmail && userWithSameEmail.id != user.id) {
        return ctx.badRequest('Email already taken');
      }
      newData.email = newData.email.toLowerCase();
    }

    // Check if user is changing password and make sure passwords match
    if (newData.password) {
      if (!newData.confirmPassword) {
        return ctx.badRequest('Missing password confirmation');
      } else if (newData.password !== newData.confirmPassword) {
        return ctx.badRequest('Passwords don\'t match');
      }
      delete newData.confirmPassword;
    }

    // Reconstruct context so we can pass to the controller
    ctx.request.body = newData;
    ctx.params = { id: user.id };

    // Update the user and return the sanitized data
    return await getController('user').update(ctx);
  };

  // Add the custom route (unshift so it is matched before /users/:id)
  plugin.routes['content-api'].routes.unshift({
    method: 'PUT',
    path: '/users/me',
    handler: 'user.updateMe',
    config: {
      prefix: ''
    }
  });

  return plugin;
};

Hey @pullbear12, you can achieve that by using this:

Fetch the user's existing password by filtering on user_email or user_id from params.

const user = await strapi.db.query("plugin::users-permissions.user").findOne({
  where: { email: params.user_email.toLowerCase() },
});

Then use the below:

const validPassword = await strapi.plugins['users-permissions'].services.user.validatePassword(params.current_password, user.password);

This will return true if the current password matches.

Hope this helps you :slight_smile:


Thank you for your reply.

Is this to be done within the strapi-server.js file or the front-end?

Within the strapi-server.js
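
One way to wire the `validatePassword` check from the answer into the `updateMe` controller, as an added example that is not part of the original posts. The `currentPassword` body field and the names `checkCurrentPassword` and `makeStubStrapi` are assumptions; the stub stands in for a running Strapi instance so the helper can be exercised offline.

```javascript
const USER_UID = 'plugin::users-permissions.user';

// Returns { ok: true } when the password change may proceed.
// `currentPassword` is an assumed request field, not one from the thread.
async function checkCurrentPassword(strapi, ctx) {
  const authUser = ctx.state.user;
  if (!authUser) return { ok: false, reason: 'unauthenticated' };

  const body = ctx.request.body || {};
  if (!body.password) return { ok: true }; // no password change requested
  if (typeof body.currentPassword !== 'string' || body.currentPassword === '') {
    return { ok: false, reason: 'missing-current-password' };
  }

  // Load the hash by the authenticated user's id, not by an email or id taken
  // from the request, so the check always targets the caller's own account.
  const record = await strapi.db.query(USER_UID)
    .findOne({ where: { id: authUser.id } });
  if (!record || !record.password) {
    return { ok: false, reason: 'invalid-current-password' };
  }

  const valid = await strapi.plugins['users-permissions'].services.user
    .validatePassword(body.currentPassword, record.password);
  return valid ? { ok: true } : { ok: false, reason: 'invalid-current-password' };
}

// Constructed stand-in for the Strapi instance so the helper runs offline.
// Real Strapi compares against a bcrypt hash; this stub compares a marker string.
function makeStubStrapi(users) {
  return {
    db: {
      query: () => ({
        findOne: async ({ where }) => users.find((u) => u.id === where.id) || null,
      }),
    },
    plugins: {
      'users-permissions': {
        services: {
          user: { validatePassword: async (plain, hash) => hash === `hashed:${plain}` },
        },
      },
    },
  };
}
```

In `updateMe`, call the helper before `ctx.request.body = newData` and return `ctx.badRequest(...)` when `ok` is false. The `_.pick` whitelist in the controller already keeps `currentPassword` out of the data passed to `update`.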