✨ Disallow using same password as user email

2025-01-22 14:39:45 -05:00 · 2022-02-04 09:28:23 +01:00 · 2022-02-04 09:28:23 +01:00 · 7134bbf484
commit 7134bbf484
parent 86e4826e48
7 changed files with 71 additions and 0 deletions
--- a/CHANGES.md
+++ b/CHANGES.md
@ -6,6 +6,7 @@

 ### :sparkles: New features

+- Disallow using same password as user email [Taiga #2454](https://tree.taiga.io/project/penpot/us/2454)
 - Add configurable nudge amount [Taiga #910](https://tree.taiga.io/project/penpot/us/910)
 - Add stroke properties for image shapes [Taiga #497](https://tree.taiga.io/project/penpot/us/497)
 - On user settings, hide the theme selector as long as we only have one theme [Taiga #2610](https://tree.taiga.io/project/penpot/us/2610)
--- a/backend/src/app/rpc/mutations/profile.clj
+++ b/backend/src/app/rpc/mutations/profile.clj
@ -116,6 +116,12 @@

  (check-profile-existence! pool params)

+  (when (= (str/lower (:email params))
+           (str/lower (:password params)))
+    (ex/raise :type :validation
+              :code :email-as-password
+              :hint "you can't use your email as password"))
+
  (let [params (assoc params
                      :backend "penpot"
                      :iss :prepared-register
@ -381,6 +387,11 @@
  (db/with-atomic [conn pool]
    (let [profile    (validate-password! conn params)
          session-id (:app.rpc/session-id params)]
+      (when (= (str/lower (:email profile))
+               (str/lower (:password params)))
+        (ex/raise :type :validation
+                  :code :email-as-password
+                  :hint "you can't use your email as password"))
      (update-profile-password! conn (assoc profile :password password))
      (invalidate-profile-session! conn (:id profile) session-id)
      nil)))
--- a/backend/test/app/services_profile_test.clj
+++ b/backend/test/app/services_profile_test.clj
@ -240,6 +240,16 @@
      (t/is (nil? error))
      (t/is (string? (:token result))))))

+(t/deftest test-register-profile-with-email-as-password
+  (let [data  {::th/type :prepare-register-profile
+               :email "user@example.com"
+               :password "USER@example.com"}]
+
+    (let [{:keys [result error] :as out} (th/mutation! data)]
+      (t/is (th/ex-info? error))
+      (t/is (th/ex-of-type? error :validation))
+      (t/is (th/ex-of-code? error :email-as-password)))))
+
 (t/deftest test-email-change-request
  (with-mocks [email-send-mock {:target 'app.emails/send! :return nil}
               cfg-get-mock    {:target 'app.config/get
@ -345,3 +355,39 @@
        (t/is (th/ex-of-code? error :email-has-permanent-bounces)))

      )))
+
+
+(t/deftest update-profile-password
+  (let [profile (th/create-profile* 1)
+        data  {::th/type :update-profile-password
+               :profile-id (:id profile)
+               :old-password "123123"
+               :password "foobarfoobar"}
+        out   (th/mutation! data)]
+    (t/is (nil? (:error out)))
+    (t/is (nil? (:result out)))
+  ))
+
+
+(t/deftest update-profile-password-bad-old-password
+  (let [profile (th/create-profile* 1)
+        data  {::th/type :update-profile-password
+               :profile-id (:id profile)
+               :old-password "badpassword"
+               :password "foobarfoobar"}
+        {:keys [result error] :as out} (th/mutation! data)]
+    (t/is (th/ex-info? error))
+    (t/is (th/ex-of-type? error :validation))
+    (t/is (th/ex-of-code? error :old-password-not-match))))
+
+
+(t/deftest update-profile-password-email-as-password
+  (let [profile (th/create-profile* 1)
+        data  {::th/type :update-profile-password
+               :profile-id (:id profile)
+               :old-password "123123"
+               :password "profile1.test@nodomain.com"}
+        {:keys [result error] :as out} (th/mutation! data)]
+    (t/is (th/ex-info? error))
+    (t/is (th/ex-of-type? error :validation))
+    (t/is (th/ex-of-code? error :email-as-password))))
--- a/frontend/src/app/main/ui/auth/register.cljs
+++ b/frontend/src/app/main/ui/auth/register.cljs
@ -60,6 +60,10 @@
    :email-already-exists
    (swap! form assoc-in [:errors :email]
           {:message "errors.email-already-exists"})
+    
+    :email-as-password
+    (swap! form assoc-in [:errors :password]
+           {:message "errors.email-as-password"})

    (st/emit! (dm/error (tr "errors.generic")))))

--- a/frontend/src/app/main/ui/settings/password.cljs
+++ b/frontend/src/app/main/ui/settings/password.cljs
@ -22,6 +22,9 @@
    :old-password-not-match
    (swap! form assoc-in [:errors :password-old]
           {:message (tr "errors.wrong-old-password")})
+    :email-as-password
+    (swap! form assoc-in [:errors :password-1]
+       {:message (tr "errors.email-as-password")})

    (let [msg (tr "generic.error")]
      (st/emit! (dm/error msg)))))
--- a/frontend/translations/en.po
+++ b/frontend/translations/en.po
@ -607,6 +607,9 @@ msgstr "Your browser cannot do this operation"
 msgid "errors.email-already-exists"
 msgstr "Email already used"

+msgid "errors.email-as-password"
+msgstr "You can't use your email as password"
+
 #: src/app/main/ui/auth/verify_token.cljs
 msgid "errors.email-already-validated"
 msgstr "Email already validated."
--- a/frontend/translations/es.po
+++ b/frontend/translations/es.po
@ -610,6 +610,9 @@ msgstr "Tu navegador no puede realizar esta operación"
 msgid "errors.email-already-exists"
 msgstr "Este correo ya está en uso"

+msgid "errors.email-as-password"
+msgstr "No puedes usar tu email como password"
+
 #: src/app/main/ui/auth/verify_token.cljs
 msgid "errors.email-already-validated"
 msgstr "Este correo ya está validado."