Validates recovery code as hexadecimal data.

Related with https://github.com/pixelated/pixelated-user-agent/issues/924
With @aarni

2 files changed, 12 insertions, 2 deletions

diff --git a/app/models/user.rb b/app/models/user.rb
index 215a3b0..f8869cd 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -35,8 +35,8 @@ class User < CouchRest::Model::Base
 
   validate :identity_is_valid
 
-  validates :password_salt, :password_verifier,
-    :format => { :with => /\A[\dA-Fa-f]+\z/, :message => "Only hex numbers allowed" }
+  validates :password_salt, :password_verifier, :recovery_code_verifier, :recovery_code_salt,
+    :format => { :with => /\A[\h]*\z/, :message => "Only hex numbers allowed" }
 
   validates :password, :presence => true,
     :confirmation => true,
diff --git a/test/unit/user_test.rb b/test/unit/user_test.rb
index 02e94df..e181765 100644
--- a/test/unit/user_test.rb
+++ b/test/unit/user_test.rb
@@ -28,6 +28,16 @@ class UserTest < ActiveSupport::TestCase
     assert !@user.valid?
   end
 
+  test "validates hex for recovery_code_verifier" do
+    @user.recovery_code_verifier = "1234567abcdef"
+    assert @user.valid?
+  end
+
+  test "validates recovery_code_verifier with non hex chars" do
+    @user.recovery_code_verifier = "gkpq"
+    assert !@user.valid?
+  end
+
   test "test require alphanumerical for login" do
     @user.login = "qw#r"
     assert !@user.valid?