Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(users): add password validations #4555

Merged
merged 16 commits into from May 7, 2024
Merged

fix(users): add password validations #4555

merged 16 commits into from May 7, 2024

Conversation

Riddhiagrawal001
Copy link
Contributor

@Riddhiagrawal001 Riddhiagrawal001 commented May 6, 2024
edited

Type of Change

  • Bugfix
  • New feature
  • Enhancement
  • Refactoring
  • Dependency updates
  • Documentation
  • CI/CD

Description

The mandatory condition for the password field was just not be empty . Following the PR, the password field will be subject to the following checks:
1.The password must be between 8 and 70 characters in length.
2.It must include at least one uppercase character.
3.It must include at least one lowercase character.
4.It must include at least one special character.
5.It must include at least one numeric character.
6.It must not contain whitespace.

Additional Changes

  • This PR modifies the API contract
  • This PR modifies the database schema
  • This PR modifies application configuration/environment variables

Motivation and Context

Closes #4412

How did you test it?

1.Signup API ( local testing)

curl --location 'http://localhost:8080/user/signup' \
--header 'Content-Type: application/json' \
--data-raw '{
    "email": "email value",
    "password": "456667sdvh",
    "country": "IN"
}'

Failure case response

    "error": {
        "type": "invalid_request",
        "message": "Invalid Password",
        "code": "UR_09"
    }
}

2.Reset Password API (local testing)

curl --location 'http://localhost:8080/user/reset_password' \
--header 'Content-Type: application/json' \
--data '{
    "password": "456667sdvd",
    "token":"token from email after clicking Reset password in dashboard"
}'

Failure case response

{
    "error": {
        "type": "invalid_request",
        "message": "Invalid Password",
        "code": "UR_09"
    }
}

Checklist

  • I formatted the code cargo +nightly fmt --all
  • I addressed lints thrown by cargo clippy
  • I reviewed the submitted code
  • I added unit tests for my changes where possible

@Riddhiagrawal001 Riddhiagrawal001 added S-waiting-on-review Status: This PR has been implemented and needs to be reviewed A-users Area: Users labels May 6, 2024
@Riddhiagrawal001 Riddhiagrawal001 self-assigned this May 6, 2024
@Riddhiagrawal001 Riddhiagrawal001 requested a review from a team as a code owner May 6, 2024 07:53
apoorvdixit88
apoorvdixit88 reviewed May 6, 2024
View reviewed changes
crates/router/src/utils/user/password.rs Outdated
let mut rng = rand::thread_rng();

let special_chars: Vec<char> = "!@#$%^&*()-_=+[]{}|;:,.<>?".chars().collect();
let specialchars: char = *special_chars.choose(&mut rng).unwrap_or(&'@');
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

variable name special_char, its a single char

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changed to specialchars to special_char

crates/router/src/types/domain/user.rs Outdated
}
}

pub fn new_without_validation(password: Secret<String>) -> UserResult<Self> {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

may be new_password_without_validation,
we are not validating the password in merchant create request?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We're retrieving user details from the database to create a new merchant. It's possible that some old users didn't followed the password convention. Therefore, we've implemented a workaround specifically for this scenario to bypass validation.

apoorvdixit88
apoorvdixit88 reviewed May 6, 2024
View reviewed changes
Copy link
Contributor

@apoorvdixit88 apoorvdixit88 left a comment
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The password must be between 8 and 50 characters in length
Please change description, as per code the maximum length allowed is 70

Also if possible swap description and motivation and context content.

apoorvdixit88
apoorvdixit88 previously approved these changes May 7, 2024
View reviewed changes
racnan
racnan requested changes May 7, 2024
View reviewed changes
crates/router/src/utils/user/password.rs Outdated
let mut rng = rand::thread_rng();

let special_chars: Vec<char> = "!@#$%^&*()-_=+[]{}|;:,.<>?".chars().collect();
let special_char: char = *special_chars.choose(&mut rng).unwrap_or(&'@');
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

special_char can be a &char, lets not force it to be owned type.

Suggested change
let special_char: char = *special_chars.choose(&mut rng).unwrap_or(&'@');
let special_char = special_chars.choose(&mut rng).unwrap_or(&'@');

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Addressed

crates/router/src/utils/user/password.rs Outdated
@@ -38,3 +39,20 @@ pub fn is_correct_password(
}
.change_context(UserErrors::InternalServerError)
}

pub fn get_temp_password() -> String {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Lets make return type as Secret<String>

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Addressed

racnan
racnan previously approved these changes May 7, 2024
View reviewed changes
Copy link
Contributor

@racnan racnan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

ThisIsMani
ThisIsMani previously approved these changes May 7, 2024
View reviewed changes
@likhinbopanna likhinbopanna removed the S-waiting-on-review Status: This PR has been implemented and needs to be reviewed label May 7, 2024
@likhinbopanna likhinbopanna added this pull request to the merge queue May 7, 2024
Merged via the queue into main with commit 25fe4de May 7, 2024
9 of 12 checks passed
@likhinbopanna likhinbopanna deleted the password-validation branch May 7, 2024 13:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@apoorvdixit88 apoorvdixit88 apoorvdixit88 approved these changes

@ThisIsMani ThisIsMani ThisIsMani approved these changes

@racnan racnan racnan left review comments

Assignees

@Riddhiagrawal001 Riddhiagrawal001

Labels
A-users Area: Users
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

BE Password specification
5 participants
@Riddhiagrawal001 @apoorvdixit88 @racnan @ThisIsMani @likhinbopanna