server side protect passwords which are too long
This commit is contained in:
parent
0d0f0e8604
commit
8a2b7d0461
2 changed files with 49 additions and 23 deletions
|
@ -30,7 +30,7 @@ module.exports = AuthenticationManager =
|
||||||
|
|
||||||
setUserPassword: (user_id, password, callback = (error) ->) ->
|
setUserPassword: (user_id, password, callback = (error) ->) ->
|
||||||
if Settings.passwordStrengthOptions?.length?.max? and Settings.passwordStrengthOptions?.length?.max < password.length
|
if Settings.passwordStrengthOptions?.length?.max? and Settings.passwordStrengthOptions?.length?.max < password.length
|
||||||
return error("password is too long")
|
return callback("password is too long")
|
||||||
|
|
||||||
bcrypt.genSalt BCRYPT_ROUNDS, (error, salt) ->
|
bcrypt.genSalt BCRYPT_ROUNDS, (error, salt) ->
|
||||||
return callback(error) if error?
|
return callback(error) if error?
|
||||||
|
|
|
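Review bot: The guard at `if Settings.passwordStrengthOptions?.length?.max? and ...` only fires when a maximum is configured, so with no `passwordStrengthOptions` in settings (the default the test file uses) an arbitrarily long password still reaches bcrypt, which consumes only the first 72 bytes and silently ignores the rest. A ceiling that does not depend on configuration closes that gap, and comparing bytes rather than UTF-16 code units matches what bcrypt actually reads: `maxLength = Settings.passwordStrengthOptions?.length?.max ? 72`, `if Buffer.byteLength(password, "utf8") > maxLength`, `return callback(new Error("password is too long"))` (confirm 72 is the right limit for the bcrypt build in use). Passing an Error object rather than the bare string also keeps the failure shape consistent with the `callback(error)` path used for bcrypt errors a few lines below. Note too that the new comparison dereferences `password.length` before any null check, so once a maximum is configured an undefined password throws synchronously instead of reporting through the callback. setUserPassword's body continues past the end of this hunk.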
@ -9,6 +9,7 @@ ObjectId = require("mongojs").ObjectId
|
||||||
|
|
||||||
describe "AuthenticationManager", ->
|
describe "AuthenticationManager", ->
|
||||||
beforeEach ->
|
beforeEach ->
|
||||||
|
@settings = { security: { bcryptRounds: 12 } }
|
||||||
@AuthenticationManager = SandboxedModule.require modulePath, requires:
|
@AuthenticationManager = SandboxedModule.require modulePath, requires:
|
||||||
"../../models/User": User: @User = {}
|
"../../models/User": User: @User = {}
|
||||||
"../../infrastructure/mongojs":
|
"../../infrastructure/mongojs":
|
||||||
|
@ -16,7 +17,7 @@ describe "AuthenticationManager", ->
|
||||||
users: {}
|
users: {}
|
||||||
ObjectId: ObjectId
|
ObjectId: ObjectId
|
||||||
"bcrypt": @bcrypt = {}
|
"bcrypt": @bcrypt = {}
|
||||||
"settings-sharelatex": { security: { bcryptRounds: 12 } }
|
"settings-sharelatex": @settings
|
||||||
@callback = sinon.stub()
|
@callback = sinon.stub()
|
||||||
|
|
||||||
describe "authenticate", ->
|
describe "authenticate", ->
|
||||||
|
@ -102,27 +103,52 @@ describe "AuthenticationManager", ->
|
||||||
@bcrypt.genSalt = sinon.stub().callsArgWith(1, null, @salt)
|
@bcrypt.genSalt = sinon.stub().callsArgWith(1, null, @salt)
|
||||||
@bcrypt.hash = sinon.stub().callsArgWith(2, null, @hashedPassword)
|
@bcrypt.hash = sinon.stub().callsArgWith(2, null, @hashedPassword)
|
||||||
@db.users.update = sinon.stub().callsArg(2)
|
@db.users.update = sinon.stub().callsArg(2)
|
||||||
@AuthenticationManager.setUserPassword(@user_id, @password, @callback)
|
|
||||||
|
|
||||||
it "should update the user's password in the database", ->
|
describe "too long", ->
|
||||||
@db.users.update
|
beforeEach ->
|
||||||
.calledWith({
|
@settings.passwordStrengthOptions =
|
||||||
_id: ObjectId(@user_id.toString())
|
length:
|
||||||
}, {
|
max:10
|
||||||
$set: {
|
@password = "dsdsadsadsadsadsadkjsadjsadjsadljs"
|
||||||
"hashedPassword": @hashedPassword
|
|
||||||
}
|
it "should return and error", (done)->
|
||||||
$unset: password: true
|
@AuthenticationManager.setUserPassword @user_id, @password, (err)->
|
||||||
})
|
expect(err).to.exist
|
||||||
.should.equal true
|
done()
|
||||||
|
|
||||||
|
|
||||||
|
it "should not start the bcrypt process", (done)->
|
||||||
|
@AuthenticationManager.setUserPassword @user_id, @password, (err)=>
|
||||||
|
@bcrypt.genSalt.called.should.equal false
|
||||||
|
@bcrypt.hash.called.should.equal false
|
||||||
|
done()
|
||||||
|
|
||||||
|
describe "successful set", ->
|
||||||
|
beforeEach ->
|
||||||
|
@AuthenticationManager.setUserPassword(@user_id, @password, @callback)
|
||||||
|
|
||||||
|
it "should update the user's password in the database", ->
|
||||||
|
@db.users.update
|
||||||
|
.calledWith({
|
||||||
|
_id: ObjectId(@user_id.toString())
|
||||||
|
}, {
|
||||||
|
$set: {
|
||||||
|
"hashedPassword": @hashedPassword
|
||||||
|
}
|
||||||
|
$unset: password: true
|
||||||
|
})
|
||||||
|
.should.equal true
|
||||||
|
|
||||||
|
it "should hash the password", ->
|
||||||
|
@bcrypt.genSalt
|
||||||
|
.calledWith(12)
|
||||||
|
.should.equal true
|
||||||
|
@bcrypt.hash
|
||||||
|
.calledWith(@password, @salt)
|
||||||
|
.should.equal true
|
||||||
|
|
||||||
|
it "should call the callback", ->
|
||||||
|
@callback.called.should.equal true
|
||||||
|
|
||||||
|
|
||||||
it "should hash the password", ->
|
|
||||||
@bcrypt.genSalt
|
|
||||||
.calledWith(12)
|
|
||||||
.should.equal true
|
|
||||||
@bcrypt.hash
|
|
||||||
.calledWith(@password, @salt)
|
|
||||||
.should.equal true
|
|
||||||
|
|
||||||
it "should call the callback", ->
|
|
||||||
@callback.called.should.equal true
|
|
||||||
|
|
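Review bot: The new "too long" case at `it "should return and error"` only asserts that some error exists, so it would also pass if setUserPassword failed for an unrelated reason, and nothing pins the boundary the guard uses (`max < password.length` admits a password of exactly `max` characters). Asserting the reason, `err.should.equal "password is too long"`, and adding a case with a 10-character password that expects `@bcrypt.genSalt.called.should.equal true` would lock in both the message and the off-by-one semantics. A companion case with no `passwordStrengthOptions` on `@settings` would document that the check is opt-in, since that is what the outer `beforeEach` configures by default. The `it` title also has a typo and should read `should return an error`. The enclosing describe block for setUserPassword starts before this hunk.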