Skip to content

chore(auth): add password validation to dbAuth resetPassword handler #10734

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 10 commits into from
Jun 5, 2024
Merged

chore(auth): add password validation to dbAuth resetPassword handler #10734

merged 10 commits into from
Jun 5, 2024

Conversation

irg1008
Copy link
Contributor

@irg1008 irg1008 commented Jun 5, 2024

Related to #10724. This pull request adds password validation on resetPassword handler using the one from the signup handler.

This could affect some users that "expect" no validation from this handler and some new errors and failed tests may be raised for them, but I think this feature is primary concerning security and to mantain validation logic between handlers

@dthyresson
Copy link
Contributor

Hi @irg1008 thanks for this PR.

@cannikin do you think such validation should be default behavior - or if so, at least configurable?

@dac09 dac09 requested a review from cannikin June 5, 2024 15:50
@cannikin cannikin added bug/confirmed We have confirmed this is a bug release:fix This PR is a fix labels Jun 5, 2024
@cannikin cannikin added this to the next-release-patch milestone Jun 5, 2024
@cannikin
Copy link
Member

cannikin commented Jun 5, 2024

Thank you for the PR, I'm surprised no one has noticed until now!

I think this should be the default, and always enabled. I can't think of a realistic scenario where you have requirements for a password, but if you reset your password you should be able to do anything you want. I'd release this in the next patch. The fact that no one has noticed tells me they also won't know/care when we implement the correct behavior going forward.

@irg1008 Would you mind adding a changeset for this PR? Just run yarn changesets it'll create a new file with this PR's title/description so we can easily merge into the release notes.

cannikin
cannikin requested changes Jun 5, 2024
View reviewed changes
Copy link
Member

@cannikin cannikin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could we add a quick test showing that if passwordValidation is not defined in this.options.signup that no error is thrown? Even if your password is just a single character.

@irg1008
Copy link
Contributor Author

irg1008 commented Jun 5, 2024

Okay that is done.

@irg1008
Copy link
Contributor Author

irg1008 commented Jun 5, 2024
edited
Loading

Okay I fixed some things and I think it's ready to go. If you need anything else please say so!

@cannikin cannikin added the fixture-ok Override the test project fixture check label Jun 5, 2024
@irg1008
Copy link
Contributor Author

irg1008 commented Jun 5, 2024

Sorry I though I fixed that error locally...

@cannikin
Copy link
Member

cannikin commented Jun 5, 2024

Hmm getting a couple of test failures in the dbAuth package...can you try running these locally and see if you get them as well @irg1008 ?

yarn build
cd packages/auth-providers/dbAuth/api
yarn test

At first glance they don't seem to be related to your PR, but I don't get the failures in main. And these two do seem to be reset password related, saying that the resetToken is invalid...

@irg1008
Copy link
Contributor Author

irg1008 commented Jun 5, 2024
edited
Loading

Okay fixed 100% (99.999%). Sorry for all the fuss

Built and tested locally

@irg1008
Copy link
Contributor Author

irg1008 commented Jun 5, 2024

A little side note. Would be possible to test in redwood using vitetest instead of jest (it's so much faster)

@Josh-Walker-GM
Copy link
Contributor

Josh-Walker-GM commented Jun 5, 2024
edited
Loading

We'll likely have this released in v.7.7.0 on Tuesday.

I think this package uses vitest already? We've been converting our own packages over from jest to vitest. For redwood projects themselves we do plan to transition from jest to vitest too. That work is probably at least a month or two down the line at the moment - we haven't prioritised or scheduled that work yet.

@Josh-Walker-GM Josh-Walker-GM requested a review from cannikin June 5, 2024 20:56
@cannikin cannikin merged commit 4833794 into redwoodjs:main Jun 5, 2024
47 checks passed
@thedavidprice thedavidprice added the contributor-pr Use to automatically add PRs to the "Contributor PRs" Project Board label Jun 5, 2024
@Josh-Walker-GM Josh-Walker-GM mentioned this pull request Jun 6, 2024
Closed
1 task
Josh-Walker-GM pushed a commit that referenced this pull request Jun 6, 2024
@irg1008 @cannikin @Josh-Walker-GM
chore(auth): add password validation to dbAuth resetPassword handler (#…
6692d38 
…10734)

Related to #10724. This pull request adds password validation on
resetPassword handler using the one from the signup handler.

This could affect some users that "expect" no validation from this
handler and some new errors and failed tests may be raised for them, but
I think this feature is primary concerning security and to mantain
validation logic between handlers

---------

Co-authored-by: Rob Cameron <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cannikin cannikin cannikin approved these changes

Assignees
No one assigned
Labels
bug/confirmed We have confirmed this is a bug contributor-pr Use to automatically add PRs to the "Contributor PRs" Project Board fixture-ok Override the test project fixture check release:fix This PR is a fix
Projects
None yet
Milestone
v7.7.0
Development

Successfully merging this pull request may close these issues.
5 participants
@irg1008 @dthyresson @cannikin @Josh-Walker-GM @thedavidprice