Merge pull request #258 from firezone/13/increase_password_strength_r…

…equirements Set password length requirements
firezone · Sep 28, 2021 · f7bcbe3 · f7bcbe3
2 parents f812b69 + 02b1778
commit f7bcbe3
Show file tree

Hide file tree

Showing 5 changed files with 39 additions and 6 deletions.
diff --git a/apps/fz_http/lib/fz_http/users/user.ex b/apps/fz_http/lib/fz_http/users/user.ex
@@ -1,8 +1,11 @@
 defmodule FzHttp.Users.User do
   @moduledoc """
-  Represents a User I guess
+  Represents a User.
   """
 
+  @min_password_length 8
+  @max_password_length 64
+
   use Ecto.Schema
   import Ecto.Changeset
   import FzHttp.Users.PasswordHelpers
@@ -39,6 +42,7 @@ defmodule FzHttp.Users.User do
     ])
     |> validate_required([:email, :password, :password_confirmation])
     |> validate_password_equality()
+    |> validate_length(:password, min: @min_password_length, max: @max_password_length)
     |> validate_format(:email, ~r/@/)
     |> unique_constraint(:email)
     |> put_password_hash()
@@ -89,6 +93,7 @@ defmodule FzHttp.Users.User do
     |> validate_required([:email, :password, :password_confirmation, :current_password])
     |> validate_format(:email, ~r/@/)
     |> verify_current_password(user)
+    |> validate_length(:password, min: @min_password_length, max: @max_password_length)
     |> validate_password_equality()
     |> put_password_hash()
     |> validate_required([:password_hash])

diff --git a/apps/fz_http/test/fz_http/sessions_test.exs b/apps/fz_http/test/fz_http/sessions_test.exs
@@ -36,7 +36,7 @@ defmodule FzHttp.SessionsTest do
   describe "create_session/2" do
     setup [:create_user]
 
-    @password_params %{password: "test"}
+    @password_params %{password: "testtest"}
     @invalid_params %{password: "invalid"}
 
     test "creates session (updates existing record)", %{user: user} do

diff --git a/apps/fz_http/test/fz_http/users_test.exs b/apps/fz_http/test/fz_http/users_test.exs
@@ -79,6 +79,34 @@ defmodule FzHttp.UsersTest do
       password: "password",
       password_confirmation: "different_password"
     ]
+    @too_short_password [
+      email: "valid@test",
+      password: "short11",
+      password_confirmation: "short11"
+    ]
+    @too_long_password [
+      email: "valid@test",
+      password: String.duplicate("a", 65),
+      password_confirmation: String.duplicate("a", 65)
+    ]
+
+    test "doesn't create user with password too short" do
+      assert {:error, changeset} = Users.create_user(@too_short_password)
+
+      assert changeset.errors[:password] == {
+               "should be at least %{count} character(s)",
+               [count: 8, validation: :length, kind: :min, type: :string]
+             }
+    end
+
+    test "doesn't create user with password too long" do
+      assert {:error, changeset} = Users.create_user(@too_long_password)
+
+      assert changeset.errors[:password] == {
+               "should be at most %{count} character(s)",
+               [count: 64, validation: :length, kind: :max, type: :string]
+             }
+    end
 
     test "creates user with valid map of attributes" do
       assert {:ok, _user} = Users.create_user(@valid_attrs_map)
@@ -112,7 +140,7 @@ defmodule FzHttp.UsersTest do
     @change_password_valid_params %{
       "password" => "new_password",
       "password_confirmation" => "new_password",
-      "current_password" => "test"
+      "current_password" => "testtest"
     }
     @change_password_invalid_params %{
       "password" => "new_password",

diff --git a/apps/fz_http/test/fz_http_web/controllers/session_controller_test.exs b/apps/fz_http/test/fz_http_web/controllers/session_controller_test.exs
@@ -38,7 +38,7 @@ defmodule FzHttpWeb.SessionControllerTest do
       params = %{
         "session" => %{
           "email" => user.email,
-          "password" => "test"
+          "password" => "testtest"
         }
       }
 

diff --git a/apps/fz_http/test/support/fixtures.ex b/apps/fz_http/test/support/fixtures.ex
@@ -11,7 +11,7 @@ defmodule FzHttp.Fixtures do
     case Repo.get_by(User, email: email) do
       nil ->
         {:ok, user} =
-          %{email: email, password: "test", password_confirmation: "test"}
+          %{email: email, password: "testtest", password_confirmation: "testtest"}
           |> Map.merge(attrs)
           |> Users.create_user()
 
@@ -58,7 +58,7 @@ defmodule FzHttp.Fixtures do
   def session(_attrs \\ %{}) do
     email = user().email
     record = Sessions.get_session!(email: email)
-    create_params = %{email: email, password: "test"}
+    create_params = %{email: email, password: "testtest"}
     {:ok, session} = Sessions.create_session(record, create_params)
     session
   end