fix(changePassword): do not allow user to set email as wallet password

blockchain · Jan 25, 2016 · 52e6ca0 · 52e6ca0
1 parent 2545a18
commit 52e6ca0
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 4 deletions.
diff --git a/app/partials/settings/change-password.jade b/app/partials/settings/change-password.jade
@@ -5,21 +5,42 @@
     .form-group(ng-class="{'has-error': passwordForm.currentPassword.$invalid && passwordForm.currentPassword.$touched && passwordForm.currentPassword.$dirty, 'has-success': passwordForm.currentPassword.$valid}")
       label.col-sm-4.control-label(translate="CURRENT_PASSWORD")
       .col-sm-8
-        input.form-control(type="password" name="currentPassword" ng-model="fields.currentPassword" is-valid="isCorrectMainPassword(fields.currentPassword)" required autofocus)
+        input.form-control(
+          type="password"
+          name="currentPassword"
+          ng-model="fields.currentPassword"
+          is-valid="isCorrectMainPassword(fields.currentPassword)"
+          required
+          autofocus)
         span.help-block(translate="INCORRECT" ng-show="passwordForm.currentPassword.$invalid && passwordForm.currentPassword.$touched && passwordForm.currentPassword.$dirty")
     .form-group(ng-class="{'has-error': passwordForm.password.$invalid && passwordForm.password.$touched && passwordForm.password.$dirty, 'has-success': passwordForm.password.$valid}")
       label.col-sm-4.control-label(translate="NEW_PASSWORD")
       .col-sm-8
-        input.form-control(type="password" name="password" ng-model="fields.password" ng-change="fields.confirmation = ''" min-entropy="25" ng-maxlength="255" is-valid="fields.password != uid" required)
+        input.form-control(
+          type="password"
+          name="password"
+          ng-model="fields.password"
+          ng-change="fields.confirmation = ''"
+          min-entropy="25"
+          ng-maxlength="255"
+          is-valid="fields.password != uid && !isUserEmail(fields.password)"
+          required)
         password-entropy(password="fields.password").help-block
         span(ng-show="passwordForm.password.$touched && passwordForm.password.$dirty")
           span.help-block(translate="TOO_WEAK" ng-show="passwordForm.password.$error.minEntropy && !passwordForm.password.$error.isValid")
           span.help-block(translate="TOO_LONG" ng-show="passwordForm.password.$error.maxlength")
-          span.help-block(translate="CANT_USE_GUID" ng-show="passwordForm.password.$error.isValid")
+          span.help-block(translate="CANT_USE_GUID" ng-show="passwordForm.password.$error.isValid && fields.password == uid")
+          span.help-block(translate="CANT_USE_EMAIL" ng-show="passwordForm.password.$error.isValid && isUserEmail(fields.password)")
     .form-group(ng-class="{'has-error': passwordForm.confirmation.$invalid && passwordForm.confirmation.$touched, 'has-success': passwordForm.confirmation.$valid}")
       label.col-sm-4.control-label(translate="CONFIRM_PASSWORD")
       .col-sm-8
-        input.form-control(on-enter="changePassword()" type="password" name="confirmation" ng-model="fields.confirmation" is-valid="fields.confirmation == fields.password" required)
+        input.form-control(
+          on-enter="changePassword()"
+          type="password"
+          name="confirmation"
+          ng-model="fields.confirmation"
+          is-valid="fields.confirmation == fields.password"
+          required)
         span.help-block(translate="NO_MATCH" ng-show="passwordForm.confirmation.$error.isValid && passwordForm.confirmation.$touched")
 .modal-footer.pal.flex-end
   .form-group.col-sm-8.has-error(ng-show="errors.unsuccessful")

diff --git a/assets/js/controllers/settings/changePassword.controller.js b/assets/js/controllers/settings/changePassword.controller.js
@@ -14,6 +14,12 @@ function ChangePasswordCtrl($scope, $log, Wallet, Alerts, $uibModalInstance, $tr
   $scope.errors = {};
   $scope.status = {};
 
+  $scope.isUserEmail = (candidate) => {
+    return ('string' === typeof candidate &&
+            candidate.length &&
+            candidate === Wallet.user.email);
+  };
+
   $scope.changePassword = () => {
     if (!$scope.passwordForm.$valid) return;
 

diff --git a/locales/en-human.json b/locales/en-human.json
@@ -97,6 +97,7 @@
   "TOO_SHORT" : "Too short",
   "NO_MATCH" : "Does not match",
   "CANT_USE_GUID" : "You cannot use a guid as your password",
+  "CANT_USE_EMAIL" : "You cannot use your email as your password",
   "ADD_PASSWORD_HINT" : "Create Password Hint",
   "PASSWORD_HINT" : "Password Hint",
   "PASSWORD_HINT_EXPLAIN" : "Your Blockchain Wallet never communicates your password to our servers. This means we have no idea what your password is and we cannot reset it if you forget it. Create a memorable password hint that we can send to your verified email address in case you forget your password.",