From d397f4734a2c361795163d8322f68ebc16ffc902 Mon Sep 17 00:00:00 2001
From: "ankitatripathi.mp@gmail.com" <ankitatripathi.mp@gmail.com>
Date: Mon, 13 Apr 2026 13:40:16 +0530
Subject: [PATCH] fix: resolve 400 error when switching between flexible and
 legacy password policy on database connections

---
 src/tools/auth0/handlers/databases.ts | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/src/tools/auth0/handlers/databases.ts b/src/tools/auth0/handlers/databases.ts
index 6f9496071..486f4e801 100644
--- a/src/tools/auth0/handlers/databases.ts
+++ b/src/tools/auth0/handlers/databases.ts
@@ -289,6 +289,26 @@ export default class DatabaseHandler extends DefaultAPIHandler {
             delete connection.options?.attributes;
           }
 
+          // When switching between flexible and legacy password policy, remove the conflicting
+          // group from the existing state before merging to avoid a 400 from the API.
+          const passwordOptions = payload?.options?.password_options;
+          const legacyPasswordSettings =
+            payload?.options?.passwordPolicy ||
+            payload?.options?.password_complexity_options ||
+            payload?.options?.password_history ||
+            payload?.options?.password_no_personal_info ||
+            payload?.options?.password_dictionary;
+
+          if (passwordOptions) {
+            delete connection.options?.passwordPolicy;
+            delete connection.options?.password_complexity_options;
+            delete connection.options?.password_history;
+            delete connection.options?.password_no_personal_info;
+            delete connection.options?.password_dictionary;
+          } else if (legacyPasswordSettings) {
+            delete connection.options?.password_options;
+          }
+
           payload.options = { ...connection.options, ...payload.options };
 
           if (payload.options && Object.keys(payload.options).length === 0) {