From af941920c84b1b1ee5f630993eba0d2d3699aa61 Mon Sep 17 00:00:00 2001 From: Tulio Casagrande Date: Wed, 5 Apr 2017 17:58:32 -0300 Subject: [#934] Add back-end password validation --- .../resources/account_recovery_resource.py | 31 ++++++++++++++-- .../resources/test_account_recovery_resource.py | 43 ++++++++++++++++++++-- 2 files changed, 67 insertions(+), 7 deletions(-) diff --git a/service/pixelated/resources/account_recovery_resource.py b/service/pixelated/resources/account_recovery_resource.py index 6781f209..6e80f360 100644 --- a/service/pixelated/resources/account_recovery_resource.py +++ b/service/pixelated/resources/account_recovery_resource.py @@ -15,14 +15,23 @@ # along with Pixelated. If not, see . import os +import json -from pixelated.resources import BaseResource from twisted.python.filepath import FilePath -from pixelated.resources import get_public_static_folder from twisted.web.http import OK, INTERNAL_SERVER_ERROR from twisted.web.template import Element, XMLFile, renderElement from twisted.web.server import NOT_DONE_YET from twisted.internet import defer +from twisted.logger import Logger + +from pixelated.resources import BaseResource +from pixelated.resources import get_public_static_folder + +log = Logger() + + +class InvalidPasswordError(Exception): + pass class AccountRecoveryPage(Element): @@ -52,10 +61,24 @@ class AccountRecoveryResource(BaseResource): request.setResponseCode(OK) request.finish() - def error_response(response): + def error_response(failure): + log.warn(failure) request.setResponseCode(INTERNAL_SERVER_ERROR) request.finish() - d = defer.succeed('Done!') + d = self._validate_password(request) d.addCallbacks(success_response, error_response) return NOT_DONE_YET + + def _get_post_form(self, request): + return json.loads(request.content.getvalue()) + + def _validate_password(self, request): + form = self._get_post_form(request) + password = form.get('password') + confirmPassword = form.get('confirmPassword') + + if password == confirmPassword and len(password) >= 8 and len(password) <= 9999: + return defer.succeed('Done!') + + return defer.fail(InvalidPasswordError('The user entered an invalid password or confirmation')) diff --git a/service/test/unit/resources/test_account_recovery_resource.py b/service/test/unit/resources/test_account_recovery_resource.py index cd9acae7..bdae15b6 100644 --- a/service/test/unit/resources/test_account_recovery_resource.py +++ b/service/test/unit/resources/test_account_recovery_resource.py @@ -14,14 +14,12 @@ # You should have received a copy of the GNU Affero General Public License # along with Pixelated. If not, see . -import os - from mock import MagicMock from twisted.trial import unittest from twisted.web.test.requesthelper import DummyRequest from twisted.internet import defer -from pixelated.resources.account_recovery_resource import AccountRecoveryResource +from pixelated.resources.account_recovery_resource import AccountRecoveryResource, InvalidPasswordError from test.unit.resources import DummySite @@ -46,6 +44,8 @@ class TestAccountRecoveryResource(unittest.TestCase): def test_post_returns_successfully(self): request = DummyRequest(['/account-recovery']) request.method = 'POST' + request.content = MagicMock() + request.content.getvalue.return_value = '{"password": "12345678", "confirmPassword": "12345678"}' d = self.web.get(request) def assert_successful_response(_): @@ -53,3 +53,40 @@ class TestAccountRecoveryResource(unittest.TestCase): d.addCallback(assert_successful_response) return d + + def test_get_post_form(self): + request = MagicMock() + request.content.getvalue.return_value = '{"userCode": "abc", "password": "123", "confirmPassword": "456"}' + form = self.resource._get_post_form(request) + + self.assertEqual(form.get('userCode'), 'abc') + self.assertEqual(form.get('password'), '123') + self.assertEqual(form.get('confirmPassword'), '456') + + def test_validate_password_successfully(self): + request = MagicMock() + request.content.getvalue.return_value = '{"password": "12345678", "confirmPassword": "12345678"}' + + d = self.resource._validate_password(request) + + def assert_successful(success): + self.assertEqual(success, 'Done!') + + d.addCallback(assert_successful) + return d + + @defer.inlineCallbacks + def test_validate_password_failed_by_confirmation(self): + request = MagicMock() + request.content.getvalue.return_value = '{"password": "12345678", "confirmPassword": "1234"}' + + with self.assertRaises(InvalidPasswordError): + yield self.resource._validate_password(request) + + @defer.inlineCallbacks + def test_validate_password_failed_by_length(self): + request = MagicMock() + request.content.getvalue.return_value = '{"password": "1234", "confirmPassword": "1234"}' + + with self.assertRaises(InvalidPasswordError): + yield self.resource._validate_password(request) -- cgit v1.2.3 From 934a9409501e24198bad22a504ac4476e2fda03e Mon Sep 17 00:00:00 2001 From: Tulio Casagrande Date: Thu, 6 Apr 2017 11:20:07 -0300 Subject: [#934] Handle post in a dedicate method --- .../resources/account_recovery_resource.py | 15 +++--- .../resources/test_account_recovery_resource.py | 56 ++++++++++++++-------- 2 files changed, 45 insertions(+), 26 deletions(-) diff --git a/service/pixelated/resources/account_recovery_resource.py b/service/pixelated/resources/account_recovery_resource.py index 6e80f360..209a7693 100644 --- a/service/pixelated/resources/account_recovery_resource.py +++ b/service/pixelated/resources/account_recovery_resource.py @@ -66,19 +66,22 @@ class AccountRecoveryResource(BaseResource): request.setResponseCode(INTERNAL_SERVER_ERROR) request.finish() - d = self._validate_password(request) + d = self._handle_post(request) d.addCallbacks(success_response, error_response) return NOT_DONE_YET def _get_post_form(self, request): return json.loads(request.content.getvalue()) - def _validate_password(self, request): + def _validate_password(self, password, confirm_password): + return password == confirm_password and len(password) >= 8 and len(password) <= 9999 + + def _handle_post(self, request): form = self._get_post_form(request) password = form.get('password') - confirmPassword = form.get('confirmPassword') + confirm_password = form.get('confirmPassword') - if password == confirmPassword and len(password) >= 8 and len(password) <= 9999: - return defer.succeed('Done!') + if not self._validate_password(password, confirm_password): + return defer.fail(InvalidPasswordError('The user entered an invalid password or confirmation')) - return defer.fail(InvalidPasswordError('The user entered an invalid password or confirmation')) + return defer.succeed('Done!') diff --git a/service/test/unit/resources/test_account_recovery_resource.py b/service/test/unit/resources/test_account_recovery_resource.py index bdae15b6..4e26fc5b 100644 --- a/service/test/unit/resources/test_account_recovery_resource.py +++ b/service/test/unit/resources/test_account_recovery_resource.py @@ -44,8 +44,8 @@ class TestAccountRecoveryResource(unittest.TestCase): def test_post_returns_successfully(self): request = DummyRequest(['/account-recovery']) request.method = 'POST' - request.content = MagicMock() - request.content.getvalue.return_value = '{"password": "12345678", "confirmPassword": "12345678"}' + self.resource._handle_post = MagicMock(return_value=defer.succeed(None)) + d = self.web.get(request) def assert_successful_response(_): @@ -54,20 +54,25 @@ class TestAccountRecoveryResource(unittest.TestCase): d.addCallback(assert_successful_response) return d - def test_get_post_form(self): - request = MagicMock() - request.content.getvalue.return_value = '{"userCode": "abc", "password": "123", "confirmPassword": "456"}' - form = self.resource._get_post_form(request) + def test_post_returns_failure(self): + request = DummyRequest(['/account-recovery']) + request.method = 'POST' + self.resource._handle_post = MagicMock(return_value=defer.fail(InvalidPasswordError)) - self.assertEqual(form.get('userCode'), 'abc') - self.assertEqual(form.get('password'), '123') - self.assertEqual(form.get('confirmPassword'), '456') + d = self.web.get(request) - def test_validate_password_successfully(self): + def assert_error_response(_): + self.assertEqual(500, request.responseCode) + + d.addCallback(assert_error_response) + return d + + def test_handle_post_successfully(self): request = MagicMock() - request.content.getvalue.return_value = '{"password": "12345678", "confirmPassword": "12345678"}' + self.resource._get_post_form = MagicMock() + self.resource._validate_password = MagicMock(return_value=True) - d = self.resource._validate_password(request) + d = self.resource._handle_post(request) def assert_successful(success): self.assertEqual(success, 'Done!') @@ -76,17 +81,28 @@ class TestAccountRecoveryResource(unittest.TestCase): return d @defer.inlineCallbacks - def test_validate_password_failed_by_confirmation(self): + def test_handle_post_failed(self): request = MagicMock() - request.content.getvalue.return_value = '{"password": "12345678", "confirmPassword": "1234"}' + self.resource._get_post_form = MagicMock() + self.resource._validate_password = MagicMock(return_value=False) with self.assertRaises(InvalidPasswordError): - yield self.resource._validate_password(request) + yield self.resource._handle_post(request) - @defer.inlineCallbacks - def test_validate_password_failed_by_length(self): + def test_get_post_form(self): request = MagicMock() - request.content.getvalue.return_value = '{"password": "1234", "confirmPassword": "1234"}' + request.content.getvalue.return_value = '{"userCode": "abc", "password": "123", "confirmPassword": "456"}' + form = self.resource._get_post_form(request) - with self.assertRaises(InvalidPasswordError): - yield self.resource._validate_password(request) + self.assertEqual(form.get('userCode'), 'abc') + self.assertEqual(form.get('password'), '123') + self.assertEqual(form.get('confirmPassword'), '456') + + def test_validate_password_successfully(self): + self.assertTrue(self.resource._validate_password('12345678', '12345678')) + + def test_validate_password_failed_by_confirmation(self): + self.assertFalse(self.resource._validate_password('12345678', '1234')) + + def test_validate_password_failed_by_length(self): + self.assertFalse(self.resource._validate_password('1234', '1234')) -- cgit v1.2.3