Merge pull request #1047 from pixelated/validate-password

[#934] Add back-end password validation

2 files changed, 86 insertions, 7 deletions

diff --git a/service/pixelated/resources/account_recovery_resource.py b/service/pixelated/resources/account_recovery_resource.py
index 6781f209..209a7693 100644
--- a/service/pixelated/resources/account_recovery_resource.py
+++ b/service/pixelated/resources/account_recovery_resource.py
@@ -15,14 +15,23 @@
 # along with Pixelated. If not, see <http://www.gnu.org/licenses/>.
 
 import os
+import json
 
-from pixelated.resources import BaseResource
 from twisted.python.filepath import FilePath
-from pixelated.resources import get_public_static_folder
 from twisted.web.http import OK, INTERNAL_SERVER_ERROR
 from twisted.web.template import Element, XMLFile, renderElement
 from twisted.web.server import NOT_DONE_YET
 from twisted.internet import defer
+from twisted.logger import Logger
+
+from pixelated.resources import BaseResource
+from pixelated.resources import get_public_static_folder
+
+log = Logger()
+
+
+class InvalidPasswordError(Exception):
+    pass
 
 
 class AccountRecoveryPage(Element):
@@ -52,10 +61,27 @@ class AccountRecoveryResource(BaseResource):
             request.setResponseCode(OK)
             request.finish()
 
-        def error_response(response):
+        def error_response(failure):
+            log.warn(failure)
             request.setResponseCode(INTERNAL_SERVER_ERROR)
             request.finish()
 
-        d = defer.succeed('Done!')
+        d = self._handle_post(request)
         d.addCallbacks(success_response, error_response)
         return NOT_DONE_YET
+
+    def _get_post_form(self, request):
+        return json.loads(request.content.getvalue())
+
+    def _validate_password(self, password, confirm_password):
+        return password == confirm_password and len(password) >= 8 and len(password) <= 9999
+
+    def _handle_post(self, request):
+        form = self._get_post_form(request)
+        password = form.get('password')
+        confirm_password = form.get('confirmPassword')
+
+        if not self._validate_password(password, confirm_password):
+            return defer.fail(InvalidPasswordError('The user entered an invalid password or confirmation'))
+
+        return defer.succeed('Done!')
diff --git a/service/test/unit/resources/test_account_recovery_resource.py b/service/test/unit/resources/test_account_recovery_resource.py
index cd9acae7..4e26fc5b 100644
--- a/service/test/unit/resources/test_account_recovery_resource.py
+++ b/service/test/unit/resources/test_account_recovery_resource.py
@@ -14,14 +14,12 @@
 # You should have received a copy of the GNU Affero General Public License
 # along with Pixelated. If not, see <http://www.gnu.org/licenses/>.
 
-import os
-
 from mock import MagicMock
 from twisted.trial import unittest
 from twisted.web.test.requesthelper import DummyRequest
 from twisted.internet import defer
 
-from pixelated.resources.account_recovery_resource import AccountRecoveryResource
+from pixelated.resources.account_recovery_resource import AccountRecoveryResource, InvalidPasswordError
 from test.unit.resources import DummySite
 
 
@@ -46,6 +44,8 @@ class TestAccountRecoveryResource(unittest.TestCase):
     def test_post_returns_successfully(self):
         request = DummyRequest(['/account-recovery'])
         request.method = 'POST'
+        self.resource._handle_post = MagicMock(return_value=defer.succeed(None))
+
         d = self.web.get(request)
 
         def assert_successful_response(_):
@@ -53,3 +53,56 @@ class TestAccountRecoveryResource(unittest.TestCase):
 
         d.addCallback(assert_successful_response)
         return d
+
+    def test_post_returns_failure(self):
+        request = DummyRequest(['/account-recovery'])
+        request.method = 'POST'
+        self.resource._handle_post = MagicMock(return_value=defer.fail(InvalidPasswordError))
+
+        d = self.web.get(request)
+
+        def assert_error_response(_):
+            self.assertEqual(500, request.responseCode)
+
+        d.addCallback(assert_error_response)
+        return d
+
+    def test_handle_post_successfully(self):
+        request = MagicMock()
+        self.resource._get_post_form = MagicMock()
+        self.resource._validate_password = MagicMock(return_value=True)
+
+        d = self.resource._handle_post(request)
+
+        def assert_successful(success):
+            self.assertEqual(success, 'Done!')
+
+        d.addCallback(assert_successful)
+        return d
+
+    @defer.inlineCallbacks
+    def test_handle_post_failed(self):
+        request = MagicMock()
+        self.resource._get_post_form = MagicMock()
+        self.resource._validate_password = MagicMock(return_value=False)
+
+        with self.assertRaises(InvalidPasswordError):
+            yield self.resource._handle_post(request)
+
+    def test_get_post_form(self):
+        request = MagicMock()
+        request.content.getvalue.return_value = '{"userCode": "abc", "password": "123", "confirmPassword": "456"}'
+        form = self.resource._get_post_form(request)
+
+        self.assertEqual(form.get('userCode'), 'abc')
+        self.assertEqual(form.get('password'), '123')
+        self.assertEqual(form.get('confirmPassword'), '456')
+
+    def test_validate_password_successfully(self):
+        self.assertTrue(self.resource._validate_password('12345678', '12345678'))
+
+    def test_validate_password_failed_by_confirmation(self):
+        self.assertFalse(self.resource._validate_password('12345678', '1234'))
+
+    def test_validate_password_failed_by_length(self):
+        self.assertFalse(self.resource._validate_password('1234', '1234'))