From b550cdcf43765f7aeb23ed4831c1d4d6b7bb68de Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Miroslav=20Bajto=C5=A1?=
Date: Mon, 27 Mar 2017 11:26:48 +0200
Subject: [PATCH] Check max password length in User.changePassword

---
 common/models/user.js | 6 ++++++
 test/user.test.js | 21 ++++++++++++++++++++-
 2 files changed, 26 insertions(+), 1 deletion(-)

diff --git a/common/models/user.js b/common/models/user.js
index 42ede06e..1ea71476 100644
--- a/common/models/user.js
+++ b/common/models/user.js
@@ -421,6 +421,12 @@ module.exports = function(User) {
 return cb(err);
 }

+ try {
+ User.validatePassword(newPassword);
+ } catch (err) {
+ return cb(err);
+ }
+
 const delta = {password: newPassword};
 this.patchAttributes(delta, options, (err, updated) => cb(err));
 });
diff --git a/test/user.test.js b/test/user.test.js
index 5e94699b..48b51d7e 100644
--- a/test/user.test.js
+++ b/test/user.test.js
@@ -449,6 +449,25 @@ describe('User', function() {
 });
 });
 });
+
+ it('rejects changePassword when new password is longer than 72 chars', function() {
+ return User.create({email: 'test@example.com', password: pass72Char})
+ .then(u => u.changePassword(pass72Char, pass73Char))
+ .then(
+ success => { throw new Error('changePassword should have failed'); },
+ err => {
+ expect(err.message).to.match(/Password too long/);
+
+ // workaround for chai problem
+ // object tested must be an array, an object, or a string,
+ // but error given
+ const props = Object.assign({}, err);
+ expect(props).to.contain({
+ code: 'PASSWORD_TOO_LONG',
+ statusCode: 422,
+ });
+ });
+ });
 });

 describe('Access-hook for queries with email NOT case-sensitive', function() {
@@ -1339,7 +1358,7 @@ describe('User', function() {
 err => {
 // workaround for chai problem
 // object tested must be an array, an object, or a string,
- // but error given
+ // but error given
 const props = Object.assign({}, err);
 expect(props).to.contain({
 code: 'USER_NOT_FOUND',
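Review bot: The new `try`/`catch` around `User.validatePassword(newPassword)` in `common/models/user.js` has no comment saying why the length check is made here instead of being left to `patchAttributes`. That the call had to be added suggests `patchAttributes` does not reject an over-long password on its own (inferred, its code is not in this hunk), so any other path that writes `password` directly would need the same guard. I would add `// validatePassword() throws synchronously (e.g. PASSWORD_TOO_LONG); patchAttributes is not relied on to enforce the limit` above the `try`. The enclosing `changePassword` body starts and ends outside the hunk.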
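Review bot: The new test in `test/user.test.js` checks only the error returned for `pass73Char`; it does not assert that the stored password is left unchanged after the rejection, for example by checking that `pass72Char` is still accepted afterwards. It also exercises the limit only with the `pass72Char`/`pass73Char` fixtures, whose contents are defined outside the hunk. If the limit comes from a hash function that counts bytes (an assumption, not shown here), a password of 72 or fewer characters whose UTF-8 encoding is longer than 72 bytes would be worth a separate case. The `Object.assign({}, err)` workaround is now repeated from the `USER_NOT_FOUND` test further down and could move into a shared helper.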