Check max password length in User.changePassword

2017-03-27 11:26:48 +02:00 · 2017-03-27 11:26:48 +02:00 · b550cdcf43
parent 048110ee01
commit b550cdcf43
2 changed files with 26 additions and 1 deletions
--- a/common/models/user.js
+++ b/common/models/user.js
@ -421,6 +421,12 @@ module.exports = function(User) {
        return cb(err);
      }

+      try {
+        User.validatePassword(newPassword);
+      } catch (err) {
+        return cb(err);
+      }
+
      const delta = {password: newPassword};
      this.patchAttributes(delta, options, (err, updated) => cb(err));
    });
--- a/test/user.test.js
+++ b/test/user.test.js
@ -449,6 +449,25 @@ describe('User', function() {
        });
      });
    });
+
+    it('rejects changePassword when new password is longer than 72 chars', function() {
+      return User.create({email: 'test@example.com', password: pass72Char})
+        .then(u => u.changePassword(pass72Char, pass73Char))
+        .then(
+          success => { throw new Error('changePassword should have failed'); },
+          err => {
+            expect(err.message).to.match(/Password too long/);
+
+            // workaround for chai problem
+            //   object tested must be an array, an object, or a string,
+            //   but error given
+            const props = Object.assign({}, err);
+            expect(props).to.contain({
+              code: 'PASSWORD_TOO_LONG',
+              statusCode: 422,
+            });
+          });
+    });
  });

  describe('Access-hook for queries with email NOT case-sensitive', function() {
@ -1339,7 +1358,7 @@ describe('User', function() {
        err => {
          // workaround for chai problem
          //   object tested must be an array, an object, or a string,
-          //    but error given
+          //   but error given
          const props = Object.assign({}, err);
          expect(props).to.contain({
            code: 'USER_NOT_FOUND',