
Increase minimum password length to 10 characters (#9152)

refs #9150

- Sets password min length in validator to 10
- Updates tests
This commit is contained in:
Aileen Nowak 2017-10-18 23:45:41 +07:00 committed by Kevin Ansfield
parent fedd8780e7
commit 0ed92959c8
9 changed files with 43 additions and 57 deletions


@ -28,7 +28,7 @@ var _ = require('lodash'),
Users;
function validatePasswordLength(password) {
return validator.isLength(password, 8);
return validator.isLength(password, 10);
}
/**
@ -151,7 +151,7 @@ User = ghostBookshelf.Model.extend({
this.set('password', String(this.get('password')));
if (!validatePasswordLength(this.get('password'))) {
return Promise.reject(new errors.ValidationError({message: i18n.t('errors.models.user.passwordDoesNotComplyLength')}));
return Promise.reject(new errors.ValidationError({message: i18n.t('errors.models.user.passwordDoesNotComplyLength', {minLength: 10})}));
}
// An import with importOptions supplied can prevent re-hashing a user password
@ -549,7 +549,7 @@ User = ghostBookshelf.Model.extend({
userData = this.filterData(data);
if (!validatePasswordLength(userData.password)) {
return Promise.reject(new errors.ValidationError({message: i18n.t('errors.models.user.passwordDoesNotComplyLength')}));
return Promise.reject(new errors.ValidationError({message: i18n.t('errors.models.user.passwordDoesNotComplyLength', {minLength: 10})}));
}
options = this.filterOptions(options, 'setup');
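Review bot: The new minimum is spelled out as a literal in three places — `validator.isLength(password, 10)` inside validatePasswordLength and `{minLength: 10}` in the two i18n.t calls — so the limit that is enforced and the number shown in the error message can drift apart silently on the next change. A single module-level constant removes the duplication: `var PASSWORD_MIN_LENGTH = 10;`, `return validator.isLength(password, PASSWORD_MIN_LENGTH);`, and `{minLength: PASSWORD_MIN_LENGTH}` at both rejection sites. The second and third hunks sit inside `User = ghostBookshelf.Model.extend({ ... })`, whose body starts and ends outside this section, and the third one passes `userData.password` without the `String(...)` coercion the second one applies, so presumably a non-string password there relies on filterData having normalised it — worth confirming. Accounts whose stored passwords are shorter than 10 characters are presumably unaffected until they next save or go through setup, since those are the only two paths where the check is visible here.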


@ -228,7 +228,7 @@
"missingContext": "missing context",
"onlyOneRolePerUserSupported": "Only one role per user is supported at the moment.",
"methodDoesNotSupportOwnerRole": "This method does not support assigning the owner role",
"passwordDoesNotComplyLength": "Your password must be at least 8 characters long.",
"passwordDoesNotComplyLength": "Your password must be at least {minLength} characters long.",
"notEnoughPermission": "You do not have permission to perform this action",
"noUserWithEnteredEmailAddr": "There is no user with that email address.",
"userIsInactive": "The user with that email address is inactive.",


@ -231,8 +231,8 @@ describe('Authentication API', function () {
.send({
passwordreset: [{
token: token,
newPassword: 'abcdefgh',
ne2Password: 'abcdefgh'
newPassword: 'abcdefghij',
ne2Password: 'abcdefghij'
}]
})
.expect('Content-Type', /json/)


@ -188,7 +188,7 @@ describe('Spam Prevention API', function () {
.send({
grant_type: 'password',
username: email,
password: 'Sl1m3rson',
password: 'Sl1m3rson99',
client_id: 'ghost-admin',
client_secret: 'not_available'
}).expect('Content-Type', /json/)


@ -32,8 +32,8 @@ describe('Authentication API', function () {
testReset = {
passwordreset: [{
token: 'abc',
newPassword: 'abcdefgh',
ne2Password: 'abcdefgh'
newPassword: 'abcdefghij',
ne2Password: 'abcdefghij'
}]
};
@ -409,7 +409,7 @@ describe('Authentication API', function () {
var user = {
name: 'uninvited user',
email: 'notinvited@example.com',
password: '12345678',
password: '1234567890',
status: 'active'
},
options = {


@ -1357,7 +1357,7 @@ describe('Users API', function () {
var payload = {
password: [{
user_id: userIdFor.owner,
oldPassword: 'Sl1m3rson',
oldPassword: 'Sl1m3rson99',
newPassword: 'newSl1m3rson',
ne2Password: 'newSl1m3rson'
}]
@ -1374,8 +1374,8 @@ describe('Users API', function () {
password: [{
user_id: userIdFor.owner,
oldPassword: 'wrong',
newPassword: 'Sl1m3rson',
ne2Password: 'Sl1m3rson'
newPassword: 'Sl1m3rson9',
ne2Password: 'Sl1m3rson9'
}]
};
UserAPI.changePassword(payload, _.extend({}, context.owner, {id: userIdFor.owner}))
@ -1389,8 +1389,8 @@ describe('Users API', function () {
password: [{
user_id: userIdFor.owner,
oldPassword: '',
newPassword: 'Sl1m3rson1',
ne2Password: 'Sl1m3rson1'
newPassword: 'Sl1m3rson19',
ne2Password: 'Sl1m3rson19'
}]
};
UserAPI.changePassword(payload, _.extend({}, context.owner, {id: userIdFor.owner}))
@ -1403,9 +1403,9 @@ describe('Users API', function () {
var payload = {
password: [{
user_id: userIdFor.owner,
oldPassword: 'Sl1m3rson',
newPassword: 'Sl1m3rson1',
ne2Password: 'Sl1m3rson2'
oldPassword: 'Sl1m3rson99',
newPassword: 'Sl1m3rson19',
ne2Password: 'Sl1m3rson29'
}]
};
UserAPI.changePassword(payload, _.extend({}, context.owner, {id: userIdFor.owner}))
@ -1418,8 +1418,8 @@ describe('Users API', function () {
var payload = {
password: [{
user_id: userIdFor.editor,
newPassword: 'Sl1m3rson1',
ne2Password: 'Sl1m3rson2'
newPassword: 'Sl1m3rson19',
ne2Password: 'Sl1m3rson29'
}]
};
UserAPI.changePassword(payload, _.extend({}, context.owner, {id: userIdFor.owner}))
@ -1428,12 +1428,12 @@ describe('Users API', function () {
}).catch(checkForErrorType('ValidationError', done));
});
it('Owner can\'t change editor password without short passwords', function (done) {
it('Owner can\'t change editor password with too short passwords', function (done) {
var payload = {
password: [{
user_id: userIdFor.editor,
newPassword: 'Sl',
ne2Password: 'Sl'
newPassword: 'only8car',
ne2Password: 'only8car'
}]
};
UserAPI.changePassword(payload, _.extend({}, context.owner, {id: userIdFor.owner}))
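Review bot: The renamed "too short passwords" case at the end of this section uses `'only8car'`, an 8-character value, so it would also have been rejected by a limit of 9 and does not pin the new boundary. A 9-character value such as `newPassword: 'only9char', ne2Password: 'only9char'` fails only under the new 10-character minimum, and a 10-character companion case that expects success would confirm the limit is exactly 10 rather than anything higher. The enclosing describe block starts and ends outside this section.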


@ -123,7 +123,7 @@ describe('User Model', function run() {
// avoid side-effects!
userData = _.cloneDeep(userData);
userData.password = 12345678;
userData.password = 1234567890;
// mocha supports promises
return UserModel.add(userData, context).then(function (createdUser) {
@ -549,22 +549,8 @@ describe('User Model', function run() {
describe('error', function () {
it('wrong old password', function (done) {
UserModel.changePassword({
newPassword: '12345678',
ne2Password: '12345678',
oldPassword: '123456789',
user_id: testUtils.DataGenerator.Content.users[0].id
}, testUtils.context.owner).then(function () {
done(new Error('expected error!'));
}).catch(function (err) {
(err instanceof errors.ValidationError).should.eql(true);
done();
});
});
it('wrong old password', function (done) {
UserModel.changePassword({
newPassword: '12345678',
ne2Password: '12345678',
newPassword: '1234567890',
ne2Password: '1234567890',
oldPassword: '123456789',
user_id: testUtils.DataGenerator.Content.users[0].id
}, testUtils.context.owner).then(function () {
@ -579,12 +565,12 @@ describe('User Model', function run() {
describe('success', function () {
it('can change password', function (done) {
UserModel.changePassword({
newPassword: '12345678',
ne2Password: '12345678',
oldPassword: 'Sl1m3rson',
newPassword: '1234567890',
ne2Password: '1234567890',
oldPassword: 'Sl1m3rson99',
user_id: testUtils.DataGenerator.Content.users[0].id
}, testUtils.context.owner).then(function (user) {
user.get('password').should.not.eql('12345678');
user.get('password').should.not.eql('1234567890');
done();
}).catch(done);
});
@ -598,7 +584,7 @@ describe('User Model', function run() {
var userData = {
name: 'Max Mustermann',
email: 'test@ghost.org',
password: '12345678'
password: '1234567890'
};
UserModel.setup(userData, {id: 1})


@ -120,7 +120,7 @@ DataGenerator.Content = {
}
],
// Password = Sl1m3rson
// Password = Sl1m3rson99
users: [
{
// owner (owner is still id 1 because of permissions)
@ -128,7 +128,7 @@ DataGenerator.Content = {
name: 'Joe Bloggs',
slug: 'joe-bloggs',
email: 'jbloggs@example.com',
password: '$2a$10$.pZeeBE0gHXd0PTnbT/ph.GEKgd0Wd3q2pWna3ynTGBkPKnGIKZL6'
password: '$2b$10$ujPIlqjTsYwfc2/zrqZXZ.yd7cQQm2iOkAFenTAJfveKkc23nwdeS'
},
{
// admin
@ -136,7 +136,7 @@ DataGenerator.Content = {
name: 'Smith Wellingsworth',
slug: 'smith-wellingsworth',
email: 'swellingsworth@example.com',
password: '$2a$10$.pZeeBE0gHXd0PTnbT/ph.GEKgd0Wd3q2pWna3ynTGBkPKnGIKZL6'
password: '$2b$10$ujPIlqjTsYwfc2/zrqZXZ.yd7cQQm2iOkAFenTAJfveKkc23nwdeS'
},
{
// editor
@ -144,7 +144,7 @@ DataGenerator.Content = {
name: 'Jimothy Bogendath',
slug: 'jimothy-bogendath',
email: 'jbOgendAth@example.com',
password: '$2a$10$.pZeeBE0gHXd0PTnbT/ph.GEKgd0Wd3q2pWna3ynTGBkPKnGIKZL6'
password: '$2b$10$ujPIlqjTsYwfc2/zrqZXZ.yd7cQQm2iOkAFenTAJfveKkc23nwdeS'
},
{
// author
@ -152,7 +152,7 @@ DataGenerator.Content = {
name: 'Slimer McEctoplasm',
slug: 'slimer-mcectoplasm',
email: 'smcectoplasm@example.com',
password: '$2a$10$.pZeeBE0gHXd0PTnbT/ph.GEKgd0Wd3q2pWna3ynTGBkPKnGIKZL6'
password: '$2b$10$ujPIlqjTsYwfc2/zrqZXZ.yd7cQQm2iOkAFenTAJfveKkc23nwdeS'
},
{
// editor 2
@ -160,7 +160,7 @@ DataGenerator.Content = {
name: 'Ivan Email',
slug: 'ivan-email',
email: 'info1@ghost.org',
password: '$2a$10$.pZeeBE0gHXd0PTnbT/ph.GEKgd0Wd3q2pWna3ynTGBkPKnGIKZL6'
password: '$2b$10$ujPIlqjTsYwfc2/zrqZXZ.yd7cQQm2iOkAFenTAJfveKkc23nwdeS'
},
{
// author 2
@ -168,7 +168,7 @@ DataGenerator.Content = {
name: 'Author2',
slug: 'a-2',
email: 'info2@ghost.org',
password: '$2a$10$.pZeeBE0gHXd0PTnbT/ph.GEKgd0Wd3q2pWna3ynTGBkPKnGIKZL6'
password: '$2b$10$ujPIlqjTsYwfc2/zrqZXZ.yd7cQQm2iOkAFenTAJfveKkc23nwdeS'
},
{
// admin 2
@ -176,7 +176,7 @@ DataGenerator.Content = {
name: 'admin2',
slug: 'ad-2',
email: 'info3@ghost.org',
password: '$2a$10$.pZeeBE0gHXd0PTnbT/ph.GEKgd0Wd3q2pWna3ynTGBkPKnGIKZL6'
password: '$2b$10$ujPIlqjTsYwfc2/zrqZXZ.yd7cQQm2iOkAFenTAJfveKkc23nwdeS'
}
],
@ -419,7 +419,7 @@ DataGenerator.forKnex = (function () {
name: 'name',
slug: 'slug_' + Date.now(),
status: 'active',
password: '$2a$10$.pZeeBE0gHXd0PTnbT/ph.GEKgd0Wd3q2pWna3ynTGBkPKnGIKZL6',
password: '$2b$10$ujPIlqjTsYwfc2/zrqZXZ.yd7cQQm2iOkAFenTAJfveKkc23nwdeS',
created_by: DataGenerator.Content.users[0].id,
created_at: new Date()
});
@ -449,7 +449,7 @@ DataGenerator.forKnex = (function () {
name: 'Joe Bloggs',
slug: 'joe-blogs',
email: 'joe_' + uniqueInteger + '@example.com',
password: '$2a$10$.pZeeBE0gHXd0PTnbT/ph.GEKgd0Wd3q2pWna3ynTGBkPKnGIKZL6'
password: '$2b$10$ujPIlqjTsYwfc2/zrqZXZ.yd7cQQm2iOkAFenTAJfveKkc23nwdeS'
});
}
@ -675,7 +675,7 @@ DataGenerator.forModel = (function () {
user = _.pick(user, 'name', 'email');
return _.defaults({
password: 'Sl1m3rson'
password: 'Sl1m3rson99'
}, user);
});
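Review bot: The replacement fixture hashes carry the `$2b$` prefix where the old ones were `$2a$`, so this change also switches the bcrypt variant the whole suite logs in with, which is more than the commit message describes. It is worth confirming that the bcrypt implementation used for verification accepts `$2b$` hashes, since otherwise every fixture login would fail for a reason unrelated to the length change; a one-line comment next to `// Password = Sl1m3rson99` noting the hash variant, e.g. `// bcrypt $2b$ hash of the password above`, would make the switch deliberate for the next person regenerating fixtures. The `DataGenerator.Content` and `DataGenerator.forKnex` definitions start and end outside this section.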


@ -706,7 +706,7 @@ login = function login(request) {
.send({
grant_type: 'password',
username: request.user.email,
password: 'Sl1m3rson',
password: 'Sl1m3rson99',
client_id: 'ghost-admin',
client_secret: 'not_available'
}).then(function then(res) {