From 51eae76dd663d23c1f4bb1e809e9c258e800cb73 Mon Sep 17 00:00:00 2001
From: Matthew Somerville
Date: Wed, 10 Jun 2020 14:29:35 +0100
Subject: Only show access tokens once, and store hashed.

---
 t/app/controller/auth.t | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

(limited to 't/app/controller/auth.t')

diff --git a/t/app/controller/auth.t b/t/app/controller/auth.t
index 24deb8cab..8b4b772fc 100644
--- a/t/app/controller/auth.t
+++ b/t/app/controller/auth.t
@@ -245,19 +245,20 @@ subtest "check logging in with token" => sub {
     my $user = FixMyStreet::DB->resultset('User')->find( { email => $test_email } );
     # token needs to be 18 characters
-    $user->set_extra_metadata('access_token', '1234567890abcdefgh');
+    my $u = FixMyStreet::DB->resultset("User")->new({ password => '1234567890abcdefgh' });
+    $user->set_extra_metadata('access_token', $u->password);
     $user->update();
-    $mech->add_header('Authorization', 'Bearer 1234567890abcdefgh');
+    $mech->add_header('Authorization', 'Bearer ' . $user->id . '-1234567890abcdefgh');
     $mech->logged_in_ok;
     $mech->delete_header('Authorization');
     $mech->not_logged_in_ok;
-    $mech->get_ok('/auth/check_auth?access_token=1234567890abcdefgh');
+    $mech->get_ok('/auth/check_auth?access_token=' . $user->id . '-1234567890abcdefgh');
-    $mech->add_header('Authorization', 'Bearer 1234567890abcdefgh');
-    $user->set_extra_metadata('access_token', 'XXXXXXXXXXXXXXXXXX');
+    $mech->add_header('Authorization', 'Bearer ' . $user->id . '-1234567890abcdefgh');
+    $user->set_extra_metadata('access_token', '$2a$08$HNslSx7Uic7q6Ti5WYT5JOT6npYPwrwLnDMJMJoD22LIqG5TfDIKf');
     $user->update();
     $mech->not_logged_in_ok;
-- 
cgit v1.2.3

From 9a12c0dac0b7677938f33f5abb639a296adff9c5 Mon Sep 17 00:00:00 2001
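Review bot: The context comment `# token needs to be 18 characters` now describes only the secret half of the token: what is stored is whatever `$u->password` yields (a hash, judging by the bcrypt-style `$2a$08$…` literal set later in the hunk), and what the client presents is `<user id>-<secret>`. Reword it to `# 18-character secret; stored hashed via the User password column, presented to the API as "<user id>-<secret>"` so the next reader does not try to store a raw 18-character value. The hunk pins a matching token and a token whose stored hash differs, but not the case where the secret is correct and the id prefix belongs to a different user; adding that negative case would confirm a valid secret cannot be replayed under another account. The `'$2a$08$…'` literal is correctly single-quoted — in double quotes `$2a` would interpolate. The enclosing subtest starts and ends outside the hunk.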
From: Matthew Somerville
Date: Thu, 25 Jun 2020 16:23:33 +0100
Subject: Add option to check password on Have I Been Pwned.

If switched on, sends first five letters of the SHA1 hash of the entered password to HIBP's API, which then returns all matching hashes in their database of breached passwords. If we find a match, tell the user they need to pick a different password.
---
 t/app/controller/auth.t | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

(limited to 't/app/controller/auth.t')

diff --git a/t/app/controller/auth.t b/t/app/controller/auth.t
index 8b4b772fc..0326bbacd 100644
--- a/t/app/controller/auth.t
+++ b/t/app/controller/auth.t
@@ -288,6 +288,23 @@ subtest 'check common password AJAX call' => sub {
     $mech->content_contains("true");
 };
+subtest 'check hibp password call' => sub {
+    FixMyStreet::override_config {
+        CHECK_HAVEIBEENPWNED => 1,
+    }, sub {
+        my $lwp = Test::MockModule->new('LWP::Simple');
+        # Switch mock round from live site, so we know we're not testing live site by mistake
+        $lwp->mock(get => sub($) {
+            return '9958D0F0EE6744E7CCAFC84515FCFAD7B1B:10' if $_[0] =~ /6EF4D$/; # squirblewirble
+            return '';
+        });
+        $mech->post_ok('/auth/common_password', { password_register => 'p@ssword2' });
+        $mech->content_contains("true");
+        $mech->post_ok('/auth/common_password', { password_register => 'squirblewirble' });
+        $mech->content_contains("That password has appeared in a known");
+    };
+};
+
 subtest 'test forgotten password page' => sub {
     $mech->get_ok('/auth/forgot');
     $mech->content_contains('Forgot password');
-- 
cgit v1.2.3
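Review bot: The mock at `$lwp->mock(get => sub($) { … })` matches only the tail of the requested URL (`/6EF4D$/`), so the test never asserts that the code under test sends just the five-character SHA1 prefix the commit message promises — a request carrying the full hash would pass as well. Adding `like $_[0], qr{/[0-9A-F]{5}\z}, 'only the hash prefix is sent to HIBP';` as the first statement of the mocked sub pins that privacy property (adjust the pattern if the prefix sits elsewhere in the URL). The `($)` prototype on the anonymous sub looks deliberate — presumably mirroring LWP::Simple::get's prototype so the redefinition does not warn — and deserves a short comment saying so, since the comment above it is about the live site rather than the prototype. A third case where the mock returns undef, LWP::Simple::get's value for a failed request, would document whether registration proceeds or is refused when HIBP is unreachable; neither outcome is tested here.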