diff options
| author | Matthew Somerville <matthew-github@dracos.co.uk> | 2018-02-06 17:03:46 +0000 |
|---|---|---|
| committer | Matthew Somerville <matthew-github@dracos.co.uk> | 2018-02-06 22:53:30 +0000 |
| commit | 1e301bf1e07daf35150d54b132bbbe66f0a8095e (patch) | |
| tree | eb7fa1be4b978cb16b70b7346aa100627e3ebc07 | |
| parent | 6edf79cb0ecd150ea0f054c8faa7be0b055fc2d0 (diff) | |
| parent | 3e201f8d48554ab8c4b8132eaa50b5fe7dd1d67e (diff) | |
Merge branch 'password-tests'
23 files changed, 221 insertions, 31 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md index dbc96e04c..5606a3c0e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,7 @@ - Zoom out as much as necessary on body map page, even on mobile. #1958 - Show loading message on initial /around map load #1976 - Ask for current password/send email on password change. #1974 + - Add minimum password length and common password checking. - Nicer display of national phone numbers. - Bugfixes: - Fix bug specifying category in URL on /around. #1950 @@ -34,6 +34,7 @@ requires 'Authen::SASL'; requires 'Cache::Memcached'; requires 'Carp'; requires 'Crypt::Eksblowfish::Bcrypt'; +requires 'Data::Password::Common'; requires 'DateTime'; requires 'DateTime::Format::HTTP'; requires 'DateTime::Format::ISO8601'; diff --git a/cpanfile.snapshot b/cpanfile.snapshot index d222dc9b0..5fa44e318 100644 --- a/cpanfile.snapshot +++ b/cpanfile.snapshot @@ -1401,6 +1401,20 @@ DISTRIBUTIONS Module::Build 0.35 Test::Exception 0 Test::More 0 + Data-Password-Common-0.004 + pathname: D/DA/DAGOLDEN/Data-Password-Common-0.004.tar.gz + provides: + Data::Password::Common 0.004 + requirements: + ExtUtils::MakeMaker 6.17 + File::ShareDir 0 + File::ShareDir::Install 0.03 + IO::File 0 + Search::Dict 0 + Sub::Exporter 0 + autodie 2.00 + strict 0 + warnings 0 Data-Visitor-0.28 pathname: D/DO/DOY/Data-Visitor-0.28.tar.gz provides: diff --git a/perllib/FixMyStreet/App/Controller/Auth.pm b/perllib/FixMyStreet/App/Controller/Auth.pm index fe980af0d..95f8bb9a2 100644 --- a/perllib/FixMyStreet/App/Controller/Auth.pm +++ b/perllib/FixMyStreet/App/Controller/Auth.pm @@ -5,6 +5,7 @@ use namespace::autoclean; BEGIN { extends 'Catalyst::Controller'; } use Email::Valid; +use Data::Password::Common 'found'; use Digest::HMAC_SHA1 qw(hmac_sha1); use JSON::MaybeXS; use MIME::Base64; @@ -149,6 +150,11 @@ sub email_sign_in : Private { return; } + my $password = $c->get_param('password_register'); + if ($password) { + return unless $c->forward('/auth/test_password', [ $password ]); + } + # If user registration is disabled then bail out at this point # if there's not already a user with this email address. # NB this uses the same template as a successful sign in to stop @@ -162,8 +168,7 @@ sub email_sign_in : Private { } my $user_params = {}; - $user_params->{password} = $c->get_param('password_register') - if $c->get_param('password_register'); + $user_params->{password} = $password if $password; my $user = $c->model('DB::User')->new( $user_params ); my $token_data = { @@ -354,6 +359,55 @@ sub no_csrf_token : Private { $c->detach('/page_error_400_bad_request', []); } +=item common_password + +Returns 1/0 depending on if password is common or not. + +=cut + +sub common_password : Local : Args(0) { + my ($self, $c) = @_; + + my $password = $c->get_param('password_register'); + + my $return = JSON->true; + if (!$c->cobrand->call_hook('bypass_password_checks') && found($password)) { + $return = _('Please choose a less commonly-used password'); + } + + my $body = JSON->new->utf8->allow_nonref->encode($return); + $c->res->content_type('application/json; charset=utf-8'); + $c->res->body($body); +} + +=item test_password + +Checks a password is not too weak; returns true if okay, +false if weak (and sets stash error). + +=cut + +sub test_password : Private { + my ($self, $c, $password) = @_; + + return 1 if $c->cobrand->call_hook('bypass_password_checks'); + + my @errors; + + my $min_length = $c->cobrand->password_minimum_length; + push @errors, sprintf(_('Please make sure your password is at least %d characters long'), $min_length) + if length($password) < $min_length; + + push @errors, _('Please choose a less commonly-used password') + if found($password); + + if (@errors) { + $c->stash->{field_errors}->{password_register} = join('<br>', @errors); + return 0; + } + return 1; +} + =head2 sign_out Log the user out. Tell them we've done so. diff --git a/perllib/FixMyStreet/App/Controller/Auth/Phone.pm b/perllib/FixMyStreet/App/Controller/Auth/Phone.pm index 8387b9d64..8e3150df9 100644 --- a/perllib/FixMyStreet/App/Controller/Auth/Phone.pm +++ b/perllib/FixMyStreet/App/Controller/Auth/Phone.pm @@ -59,6 +59,11 @@ sub sign_in : Private { return; } + my $password = $c->get_param('password_register'); + if ($password) { + return unless $c->forward('/auth/test_password', [ $password ]); + } + (my $number = $parsed->{phone}->format) =~ s/\s+//g; if ( FixMyStreet->config('SIGNUPS_DISABLED') @@ -70,8 +75,7 @@ sub sign_in : Private { } my $user_params = {}; - $user_params->{password} = $c->get_param('password_register') - if $c->get_param('password_register'); + $user_params->{password} = $password if $password; my $user = $c->model('DB::User')->new( $user_params ); my $token_data = { diff --git a/perllib/FixMyStreet/App/Controller/Auth/Profile.pm b/perllib/FixMyStreet/App/Controller/Auth/Profile.pm index 441f222d1..2d8ae081e 100644 --- a/perllib/FixMyStreet/App/Controller/Auth/Profile.pm +++ b/perllib/FixMyStreet/App/Controller/Auth/Profile.pm @@ -62,6 +62,7 @@ sub change_password : Path('/auth/change_password') { $password_error ||= !$new && !$confirm ? 'missing' : $new ne $confirm ? 'mismatch' + : !$c->forward('/auth/test_password', [ $new ]) ? 'failed' : ''; if ($password_error) { diff --git a/perllib/FixMyStreet/App/Controller/Report/New.pm b/perllib/FixMyStreet/App/Controller/Report/New.pm index 166c0614d..05d082e45 100644 --- a/perllib/FixMyStreet/App/Controller/Report/New.pm +++ b/perllib/FixMyStreet/App/Controller/Report/New.pm @@ -813,8 +813,10 @@ sub process_user : Private { } $c->forward('update_user', [ \%params ]); - $report->user->password( Utils::trim_text( $params{password_register} ) ) - if $params{password_register}; + if ($params{password_register}) { + $c->forward('/auth/test_password', [ $params{password_register} ]); + $report->user->password(Utils::trim_text($params{password_register})); + } return 1; } diff --git a/perllib/FixMyStreet/App/Controller/Report/Update.pm b/perllib/FixMyStreet/App/Controller/Report/Update.pm index c28039808..c684e46ad 100644 --- a/perllib/FixMyStreet/App/Controller/Report/Update.pm +++ b/perllib/FixMyStreet/App/Controller/Report/Update.pm @@ -144,11 +144,14 @@ sub process_user : Private { $update->user->name( Utils::trim_text( $params{name} ) ) if $params{name}; - $update->user->password( Utils::trim_text( $params{password_register} ) ) - if $params{password_register}; $update->user->title( Utils::trim_text( $params{fms_extra_title} ) ) if $params{fms_extra_title}; + if ($params{password_register}) { + $c->forward('/auth/test_password', [ $params{password_register} ]); + $update->user->password(Utils::trim_text($params{password_register})); + } + return 1; } diff --git a/perllib/FixMyStreet/Cobrand/Borsetshire.pm b/perllib/FixMyStreet/Cobrand/Borsetshire.pm index 7ddcff469..d9b018d69 100644 --- a/perllib/FixMyStreet/Cobrand/Borsetshire.pm +++ b/perllib/FixMyStreet/Cobrand/Borsetshire.pm @@ -29,4 +29,6 @@ sub send_questionnaires { return 0; } +sub bypass_password_checks { 1 } + 1; diff --git a/perllib/FixMyStreet/Cobrand/Default.pm b/perllib/FixMyStreet/Cobrand/Default.pm index 7888f8ccf..c6ca5c56b 100644 --- a/perllib/FixMyStreet/Cobrand/Default.pm +++ b/perllib/FixMyStreet/Cobrand/Default.pm @@ -59,6 +59,14 @@ sub path_to_email_templates { return $paths; } +=item password_minimum_length + +Returns the minimum length a password can be set to. + +=cut + +sub password_minimum_length { 6 } + =item country Returns the country that this cobrand operates in, as an ISO3166-alpha2 code. diff --git a/t/app/controller/auth.t b/t/app/controller/auth.t index 8d60137a2..bec8698d5 100644 --- a/t/app/controller/auth.t +++ b/t/app/controller/auth.t @@ -5,7 +5,7 @@ my $mech = FixMyStreet::TestMech->new; my $test_email = 'test@example.com'; my $test_email3 = 'newuser@example.org'; -my $test_password = 'foobar'; +my $test_password = 'foobar123'; END { done_testing(); @@ -276,3 +276,26 @@ subtest "check logging in with token" => sub { $mech->delete_header('Authorization'); }; + +subtest 'check password length/common' => sub { + $mech->get_ok('/auth'); + $mech->submit_form_ok({ + form_name => 'general_auth', + fields => { username => $test_email, password_register => 'short' }, + button => 'sign_in_by_code', + }); + $mech->content_contains("Please make sure your password is at least"); + $mech->submit_form_ok({ + form_name => 'general_auth', + fields => { username => $test_email, password_register => 'common' }, + button => 'sign_in_by_code', + }); + $mech->content_contains("Please choose a less commonly-used password"); +}; + +subtest 'check common password AJAX call' => sub { + $mech->post_ok('/auth/common_password', { password_register => 'password' }); + $mech->content_contains("Please choose a less commonly-used password"); + $mech->post_ok('/auth/common_password', { password_register => 'squirblewirble' }); + $mech->content_contains("true"); +}; diff --git a/t/app/controller/auth_profile.t b/t/app/controller/auth_profile.t index 6040406ef..de2ad6534 100644 --- a/t/app/controller/auth_profile.t +++ b/t/app/controller/auth_profile.t @@ -8,7 +8,7 @@ LWP::Protocol::PSGI->register($twilio->to_psgi_app, host => 'api.twilio.com'); my $test_email = 'test@example.com'; my $test_email2 = 'test@example.net'; -my $test_password = 'foobar'; +my $test_password = 'foobar123'; END { done_testing(); @@ -147,6 +147,20 @@ subtest "Test change password page with current password" => sub { ok $user->password, "user now has a password"; }; +subtest 'check password length/common' => sub { + $mech->get_ok('/auth/change_password'); + $mech->submit_form_ok({ + form_name => 'change_password', + fields => { current_password => $test_password, new_password => 'short', confirm => 'short' }, + }); + $mech->content_contains("Please make sure your password is at least"); + $mech->submit_form_ok({ + form_name => 'change_password', + fields => { current_password => $test_password, new_password => 'common', confirm => 'common' }, + }); + $mech->content_contains("Please choose a less commonly-used password"); +}; + subtest "Test change email page" => sub { $mech->create_problems_for_body(1, 2514, 'Title1', { user => FixMyStreet::DB->resultset('User')->find( { email => $test_email } ) } ); diff --git a/templates/web/base/auth/change_password.html b/templates/web/base/auth/change_password.html index bf361ff2d..7a38e0134 100644 --- a/templates/web/base/auth/change_password.html +++ b/templates/web/base/auth/change_password.html @@ -21,7 +21,9 @@ INCLUDE 'header.html', title = title bodyclass = bclass <input type="hidden" name="token" value="[% csrf_token %]"> <fieldset> - [% IF password_error; + [% IF password_error == 'failed' %] + <div class="form-error">[% field_errors.password_register %]</div> + [% ELSIF password_error; errors = { missing => loc('Please enter a password'), diff --git a/templates/web/base/auth/general.html b/templates/web/base/auth/general.html index 8fc5578c1..1e44bb68e 100644 --- a/templates/web/base/auth/general.html +++ b/templates/web/base/auth/general.html @@ -60,7 +60,9 @@ [% INCLUDE form_sign_in_yes %] <input type="hidden" name="oauth_need_email" value="1"> [% ELSE %] + [% IF NOT field_errors.password_register %] [% INCLUDE form_sign_in_yes %] + [% END %] [% INCLUDE form_sign_in_no %] [% END %] </div> @@ -114,14 +116,22 @@ <input class="form-control" type="text" name="name" value="" placeholder="[% loc('Your name') %]"> <label for="password_register">[% loc('Password (optional)') %]</label> + [% IF field_errors.password_register %] + <p class='form-error'>[% field_errors.password_register %]</p> + [% END %] <div class="general-notes"> <p>[% loc('Providing a name and password is optional, but doing so will allow you to more easily report problems, leave updates and manage your reports.') %]</p> </div> <div class="form-txt-submit-box"> - <input class="form-control" type="password" name="password_register" id="password_register" value="" placeholder="[% loc('Enter a password') %]"> + <input class="form-control js-password-validate" type="password" name="password_register" id="password_register" value="" placeholder="[% loc('Enter a password') %]"> <input class="green-btn" type="submit" name="sign_in_by_code" value="[% loc('Sign in') %]"> </div> + + <div class="general-notes"> + <p>[% tprintf(loc('Your password should include %d or more characters.'), c.cobrand.password_minimum_length) %]</p> + </div> + </div> [% END %] diff --git a/templates/web/base/js/translation_strings.html b/templates/web/base/js/translation_strings.html index ed95335a6..a2e3c16c5 100644 --- a/templates/web/base/js/translation_strings.html +++ b/templates/web/base/js/translation_strings.html @@ -1,4 +1,7 @@ [% FILTER collapse %] +var fixmystreet = fixmystreet || {}; +fixmystreet.password_minimum_length = [% c.cobrand.password_minimum_length %]; + translation_strings = { update: '[% loc('Please enter a message') | replace("'", "\\'") %]', title: '[% loc('Please enter a subject') | replace("'", "\\'") %]', @@ -19,6 +22,9 @@ password_sign_in: { required: '[% loc('Please enter a password') | replace("'", "\\'") %]' }, + password_register: { + short: '[% tprintf(loc('Please make sure your password is at least %d characters long'), c.cobrand.password_minimum_length) | replace("'", "\\'") %]', + }, phone: { required: '[% loc('Please enter your phone number') | replace("'", "\\'") %]' }, diff --git a/templates/web/base/report/new/form_user_loggedout_by_email.html b/templates/web/base/report/new/form_user_loggedout_by_email.html index e9519f573..975dbe704 100644 --- a/templates/web/base/report/new/form_user_loggedout_by_email.html +++ b/templates/web/base/report/new/form_user_loggedout_by_email.html @@ -36,13 +36,20 @@ </div> <label class="form-focus-hidden" for="password_register">[% loc('Password (optional)') %]</label> - + [% IF field_errors.password_register %] + <p class='form-error'>[% field_errors.password_register %]</p> + [% END %] <div class="general-notes form-focus-hidden"> <p>[% loc('Providing a password is optional, but doing so will allow you to more easily report problems, leave updates and manage your reports.') %]</p> </div> <div class="form-txt-submit-box form-focus-hidden"> - <input class="form-control" type="password" name="password_register" id="password_register" value="" placeholder="[% loc('Enter a password') %]"> + <input class="form-control js-password-validate" type="password" name="password_register" id="password_register" value="" placeholder="[% loc('Enter a password') %]"> <input class="green-btn js-submit_register" type="submit" name="submit_register" value="[% loc('Submit') %]"> </div> + + <div class="general-notes"> + <p>[% tprintf(loc('Your password should include %d or more characters.'), c.cobrand.password_minimum_length) %]</p> + </div> + </div> diff --git a/templates/web/base/report/update/form_user_loggedout_by_email.html b/templates/web/base/report/update/form_user_loggedout_by_email.html index 7d10fe391..d038cdb23 100644 --- a/templates/web/base/report/update/form_user_loggedout_by_email.html +++ b/templates/web/base/report/update/form_user_loggedout_by_email.html @@ -8,14 +8,21 @@ [% INCLUDE 'report/update/form_name.html' %] <label for="password_register">[% loc('Password (optional)') %]</label> + [% IF field_errors.password_register %] + <p class='form-error'>[% field_errors.password_register %]</p> + [% END %] <div class="general-notes"> <p>[% loc('Providing a password is optional, but doing so will allow you to more easily report problems, leave updates and manage your reports.') %]</p> </div> <div class="form-txt-submit-box"> - <input type="password" class="form-control" name="password_register" id="password_register" value="" placeholder="[% loc('Enter a password') %]"> + <input type="password" class="form-control js-password-validate" name="password_register" id="password_register" value="" placeholder="[% loc('Enter a password') %]"> <input class="green-btn js-submit_register" type="submit" name="submit_register" value="[% loc('Post') %]"> </div> + <div class="general-notes"> + <p>[% tprintf(loc('Your password should include %d or more characters.'), c.cobrand.password_minimum_length) %]</p> + </div> + </div> diff --git a/templates/web/bromley/report/new/form_user.html b/templates/web/bromley/report/new/form_user.html index e6749f5ab..cce985c95 100644 --- a/templates/web/bromley/report/new/form_user.html +++ b/templates/web/bromley/report/new/form_user.html @@ -91,15 +91,23 @@ </div> <label class="form-focus-hidden" for="password_register">[% loc('Password (optional)') %]</label> + [% IF field_errors.password_register %] + <p class='form-error'>[% field_errors.password_register %]</p> + [% END %] <div class="general-notes form-focus-hidden"> <p>[% loc('Providing a password is optional, but doing so will allow you to more easily report future problems, leave updates and manage your reports.') %]</p> </div> <div class="form-txt-submit-box form-focus-hidden"> - <input class="form-control" type="password" name="password_register" id="password_register" value="" placeholder="[% loc('Enter a password') %]"> + <input class="form-control js-password-validate" type="password" name="password_register" id="password_register" value="" placeholder="[% loc('Enter a password') %]"> <input class="green-btn js-submit_register" type="submit" name="submit_register" value="[% loc('Submit') %]"> </div> + + <div class="general-notes"> + <p>[% tprintf(loc('Your password should include %d or more characters.'), c.cobrand.password_minimum_length) %]</p> + </div> + </div> <div id="form_sign_in_yes" class="form-box"> diff --git a/templates/web/bromley/report/update-form.html b/templates/web/bromley/report/update-form.html index 45d7aed5e..9778a0db3 100644 --- a/templates/web/bromley/report/update-form.html +++ b/templates/web/bromley/report/update-form.html @@ -98,15 +98,23 @@ [% INCLUDE 'report/update/form_name.html' %] <label for="password_register">[% loc('Password (optional)') %]</label> + [% IF field_errors.password_register %] + <p class='form-error'>[% field_errors.password_register %]</p> + [% END %] <div class="general-notes"> <p>[% loc('Providing a password is optional, but doing so will allow you to more easily report problems, leave updates and manage your reports.') %]</p> </div> <div class="form-txt-submit-box"> - <input type="password" class="form-control" name="password_register" id="password_register" value="" placeholder="[% loc('Enter a password') %]"> + <input type="password" class="form-control js-password-validate" name="password_register" id="password_register" value="" placeholder="[% loc('Enter a password') %]"> <input class="green-btn js-submit_register" type="submit" name="submit_register" value="[% loc('Post') %]"> </div> + + <div class="general-notes"> + <p>[% tprintf(loc('Your password should include %d or more characters.'), c.cobrand.password_minimum_length) %]</p> + </div> + </div> <div id="form_sign_in_yes" class="form-box"> <h5>Confirm my report with my FixMyStreet password</h5> diff --git a/templates/web/fixamingata/report/new/form_user_loggedout.html b/templates/web/fixamingata/report/new/form_user_loggedout.html index a324bbeb4..bbb9864a3 100644 --- a/templates/web/fixamingata/report/new/form_user_loggedout.html +++ b/templates/web/fixamingata/report/new/form_user_loggedout.html @@ -34,16 +34,25 @@ </div> <label for="password_register">[% loc('Password (optional)') %]</label> + [% IF field_errors.password_register %] + <p class='form-error'>[% field_errors.password_register %]</p> + [% END %] <div class="general-notes form-focus-hidden"> <p>[% loc('Providing a password is optional, but doing so will allow you to more easily report problems, leave updates and manage your reports.') %]</p> </div> <div class="form-txt-submit-box"> - <input type="password" class="form-control" name="password_register" id="password_register" value="" placeholder="[% loc('Enter a password') %]"> + <input type="password" class="form-control js-password-validate" name="password_register" id="password_register" value="" placeholder="[% loc('Enter a password') %]"> <input class="green-btn js-submit_register" type="submit" name="submit_register" value="[% loc('Submit') %]"> </div> + + <div class="general-notes"> + <p>[% tprintf(loc('Your password should include %d or more characters.'), c.cobrand.password_minimum_length) %]</p> + </div> + </div> + <div id="form_sign_in_yes" class="form-box"> <h5>Jag har ett lösenord sedan tidigare:</h5> diff --git a/templates/web/zurich/auth/general.html b/templates/web/zurich/auth/general.html index 899f0ca71..555a72374 100644 --- a/templates/web/zurich/auth/general.html +++ b/templates/web/zurich/auth/general.html @@ -1,16 +1,6 @@ [% INCLUDE 'header.html', title = loc('Sign in or create an account') %] -[% IF username_error; - - # other keys include fqdn, mxcheck if you'd like to write a custom error message - - errors = { - missing_email = loc('Please enter your email'), - other_email = loc('Please check your email address is correct') - }; - - loc_username_error = errors.$username_error || errors.other_email; -END %] +[% loc_username_error = INCLUDE 'auth/_username_error.html' default='email' %] <form action="/auth" method="post" name="general_auth_login" class="validate"> <fieldset> @@ -61,11 +51,18 @@ END %] <input type="text" class="required" name="name" value="" placeholder="[% loc('Your name') %]"> <label for="password_register">[% loc('Password (optional)') %]</label> + [% IF field_errors.password_register %] + <p class='form-error'>[% field_errors.password_register %]</p> + [% END %] <div class="form-txt-submit-box"> - <input type="password" class="required" name="password_register" id="password_register" value="" placeholder="[% loc('Enter a password') %]"> + <input type="password" class="required js-password-validate" name="password_register" id="password_register" value="" placeholder="[% loc('Enter a password') %]"> <input class="green-btn" type="submit" name="sign_in_by_code" value="Registrieren"> </div> + <div class="general-notes"> + <p>[% tprintf(loc('Your password should include %d or more characters.'), c.cobrand.password_minimum_length) %]</p> + </div> + </div> </fieldset> </form> diff --git a/web/cobrands/fixmystreet/fixmystreet.js b/web/cobrands/fixmystreet/fixmystreet.js index a3ac5b71a..0aa01e483 100644 --- a/web/cobrands/fixmystreet/fixmystreet.js +++ b/web/cobrands/fixmystreet/fixmystreet.js @@ -285,6 +285,9 @@ $.extend(fixmystreet.set_up, { if (jQuery.validator) { jQuery.validator.addMethod('validCategory', function(value, element) { return this.optional(element) || value != '-- Pick a category --'; }, translation_strings.category ); + jQuery.validator.addMethod('js-password-validate', function(value, element) { + return !value || value.length >= fixmystreet.password_minimum_length; + }, translation_strings.password_register.short); } var submitted = false; diff --git a/web/js/validation_rules.js b/web/js/validation_rules.js index 5295a53ca..e6d745336 100644 --- a/web/js/validation_rules.js +++ b/web/js/validation_rules.js @@ -1,5 +1,11 @@ validation_rules = { title: { required: true }, detail: { required: true }, - update: { required: true } + update: { required: true }, + password_register: { + remote: { + url: '/auth/common_password', + type: 'post' + } + } }; |