Merge branch 'main' into ansible_install_phpsqlite

features/user.feature

@@ -23,8 +23,8 @@ Feature: User
     And I am on "/account"
     And I fill in the following:
       | password_change_password             | asdasd       |
-      | password_change_plainPassword_first  | P4ssW0rd!!!1 |
-      | password_change_plainPassword_second | P4ssW0rd!!!1 |
+      | password_change_newPassword_first    | P4ssW0rd!!!1 |
+      | password_change_newPassword_second   | P4ssW0rd!!!1 |
     And I press "Submit"
 
     Then I should be on "/account"

src/Controller/AccountController.php

@@ -19,8 +19,7 @@ public function __construct(
         private readonly PasswordUpdater        $passwordUpdater,
         private readonly MailCryptKeyHandler    $mailCryptKeyHandler,
         private readonly EntityManagerInterface $manager,
-    )
-    {
+    ) {
     }
 
     /**
@@ -48,7 +47,7 @@ public function account(Request $request): Response
             $passwordChangeForm->handleRequest($request);
 
             if ($passwordChangeForm->isSubmitted() && $passwordChangeForm->isValid()) {
-                $this->changePassword($request, $user, $passwordChange->getPlainPassword(), $passwordChange->password);
+                $this->changePassword($request, $user, $passwordChange);
             }
         }
 
@@ -67,13 +66,13 @@ public function account(Request $request): Response
     /**
      * @throws \Exception
      */
-    private function changePassword(Request $request, User $user, string $newPassword, string $oldPassword): void
+    private function changePassword(Request $request, User $user, PasswordChange $passwordChange): void
     {
-        $user->setPlainPassword($newPassword);
+        $user->setPlainPassword($passwordChange->getNewPassword());
         $this->passwordUpdater->updatePassword($user);
         // Reencrypt the MailCrypt key with new password
         if ($user->hasMailCryptSecretBox()) {
-            $this->mailCryptKeyHandler->update($user, $oldPassword);
+            $this->mailCryptKeyHandler->update($user, $passwordChange->getPassword());
         }
         $user->eraseCredentials();
 

src/Form/Model/PasswordChange.php

@@ -2,13 +2,37 @@
 
 namespace App\Form\Model;
 
-use App\Traits\PlainPasswordTrait;
-use App\Validator\Constraints\PasswordChangeConstraint;
+use App\Validator\Constraints\PasswordPolicy;
+use Symfony\Component\Validator\Constraints as Assert;
+use Symfony\Component\Security\Core\Validator\Constraints\UserPassword;
 
-#[PasswordChangeConstraint]
 class PasswordChange
 {
-    use PlainPasswordTrait;
+    #[UserPassword(message: 'form.wrong-password')]
+    private string $password;
 
-    public string $password;
+    #[PasswordPolicy]
+    #[Assert\NotCompromisedPassword(skipOnError: 'true')]
+    #[Assert\NotIdenticalTo(propertyPath: 'password', message: 'form.identical-passwords')]
+    private string $newPassword;
+
+    public function getPassword(): string
+    {
+        return $this->password;
+    }
+
+    public function setPassword(string $password): void
+    {
+        $this->password = $password;
+    }
+
+    public function getNewPassword(): string
+    {
+        return $this->newPassword;
+    }
+
+    public function setNewPassword(string $newPassword): void
+    {
+        $this->newPassword = $newPassword;
+    }
 }

src/Form/PasswordChangeType.php

@@ -18,7 +18,7 @@ public function buildForm(FormBuilderInterface $builder, array $options): void
     {
         $builder
             ->add('password', PasswordType::class, ['label' => 'form.actual-password'])
-            ->add('plainPassword', RepeatedType::class, [
+            ->add('newPassword', RepeatedType::class, [
                 'type' => PasswordType::class,
                 'first_options' => ['label' => 'form.plain-password'],
                 'second_options' => ['label' => 'form.plain-password_confirmation'],

templates/Start/change_password.html.twig

@@ -12,12 +12,12 @@
 </div>
 
 <div class="form-group">
-    {{ form_label(password_form.plainPassword.first) }}
-    {{ form_errors(password_form.plainPassword.first) }}
-    {{ form_widget(password_form.plainPassword.first, {'attr': {'class': 'form-control' }}) }}
+    {{ form_label(password_form.newPassword.first) }}
+    {{ form_errors(password_form.newPassword.first) }}
+    {{ form_widget(password_form.newPassword.first, {'attr': {'class': 'form-control' }}) }}
 
-    {{ form_label(password_form.plainPassword.second) }}
-    {{ form_widget(password_form.plainPassword.second, {'attr': {'class': 'form-control' }}) }}
+    {{ form_label(password_form.newPassword.second) }}
+    {{ form_widget(password_form.newPassword.second, {'attr': {'class': 'form-control' }}) }}
 </div>
 
 <div class="form-group">

tests/Controller/AccountControllerTest.php

@@ -52,12 +52,54 @@ public function testChangePassword()
         $form = $crawler->selectButton('Submit')->form();
 
         $form['password_change[password]'] = 'password';
-        $form['password_change[plainPassword][first]'] = 'zr8cxfeeY9Qv5AR7tydM';
-        $form['password_change[plainPassword][second]'] = 'zr8cxfeeY9Qv5AR7tydM';
+        $form['password_change[newPassword][first]'] = 'zr8cxfeeY9Qv5AR7tydM';
+        $form['password_change[newPassword][second]'] = 'zr8cxfeeY9Qv5AR7tydM';
 
         $client->submit($form);
 
         $this->assertResponseIsSuccessful();
         $this->assertSelectorTextContains('div.alert-success', 'Your new password is now active!');
     }
+
+    public function testChangePasswordIdentical()
+    {
+        $client = static::createClient();
+        $user = $client->getContainer()->get('doctrine')->getRepository(User::class)->findOneBy(['email' => 'user@example.org']);
+
+        $client->loginUser($user);
+
+        $crawler = $client->request('GET', '/account');
+
+        $form = $crawler->selectButton('Submit')->form();
+
+        $form['password_change[password]'] = 'zr8cxfeeY9Qv5AR7tydM';
+        $form['password_change[newPassword][first]'] = 'zr8cxfeeY9Qv5AR7tydM';
+        $form['password_change[newPassword][second]'] = 'zr8cxfeeY9Qv5AR7tydM';
+
+        $client->submit($form);
+
+        $this->assertResponseIsSuccessful();
+        $this->assertSelectorTextContains('div.alert-danger', 'The new password is identical with the old one.');
+    }
+
+    public function testChangePasswordInsecure()
+    {
+        $client = static::createClient();
+        $user = $client->getContainer()->get('doctrine')->getRepository(User::class)->findOneBy(['email' => 'user@example.org']);
+
+        $client->loginUser($user);
+
+        $crawler = $client->request('GET', '/account');
+
+        $form = $crawler->selectButton('Submit')->form();
+
+        $form['password_change[password]'] = 'zr8cxfeeY9Qv5AR7tydM';
+        $form['password_change[newPassword][first]'] = 'password';
+        $form['password_change[newPassword][second]'] = 'password';
+
+        $client->submit($form);
+
+        $this->assertResponseIsSuccessful();
+        $this->assertSelectorTextContains('div.alert-danger', 'The password comply not with our security policy.');
+    }
 }

tests/Form/PasswordChangeTypeTest.php

@@ -0,0 +1,38 @@
+<?php
+
+namespace App\Tests\Form;
+
+use App\Form\Model\PasswordChange;
+use App\Form\PasswordChangeType;
+use Symfony\Component\Form\Test\TypeTestCase;
+
+class PasswordChangeTypeTest extends TypeTestCase
+{
+
+    public function testSubmitValidData(): void
+    {
+        $password = 'password';
+        $newPassword = 'password';
+
+        $formData = [
+            'password' => $password,
+            'newPassword' => [
+                'first' => $newPassword,
+                'second' => $newPassword,
+            ],
+        ];
+
+        $model = new PasswordChange();
+        $form = $this->factory->create(PasswordChangeType::class, $model);
+
+        $expected = new PasswordChange();
+        $expected->setPassword($password);
+        $expected->setNewPassword($newPassword);
+
+        $form->submit($formData);
+
+        $this->assertTrue($form->isSynchronized());
+
+        $this->assertEquals($expected, $model);
+    }
+}