add better password complexity rules

wri · Sep 26, 2024 · eb0b69a · eb0b69a
1 parent 976afdf
commit eb0b69a
Show file tree

Hide file tree

Showing 8 changed files with 32 additions and 9 deletions.
diff --git a/app/models/user.rb b/app/models/user.rb
@@ -67,8 +67,9 @@ class User < ApplicationRecord
   validates :email, uniqueness: true
   validates :name, presence: true
   validates :locale, inclusion: {in: I18n.available_locales.map(&:to_s), allow_blank: true}
-  validates :password, confirmation: true, length: {within: 8..128}, on: :create
-  validates :password_confirmation, presence: true, on: :create
+  # password length and confirmation validation is handled by Devise
+  validates :password, format: {with: /\A(?=.*[a-z])(?=.*[A-Z])(?=.*\d).+\z/, message: :password_complexity}, if: -> { password.present? }
+
   validates :user_permission, presence: true
   validates :operator, presence: true, if: -> { user_permission&.operator? }
   validates :observer, presence: true, if: -> { user_permission&.ngo? || user_permission&.ngo_manager? }

diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
@@ -159,7 +159,7 @@
 
   # ==> Configuration for :validatable
   # Range for password length.
-  config.password_length = 6..128
+  config.password_length = 10..128
 
   # Email regex used to validate email formats. It simply asserts that
   # one (and only one) @ exists in the given string. This is mainly

diff --git a/config/locales/en.yml b/config/locales/en.yml
@@ -1475,6 +1475,7 @@ en:
 
     errors:
       messages:
+        password_complexity: "must contain at least one uppercase letter, one lowercase letter, and one digit"
         qc_in_progress: "QC must be in progress"
         record_invalid: "Validation failed: %{errors}"
         restrict_dependent_destroy:

diff --git a/config/locales/fr.yml b/config/locales/fr.yml
@@ -1394,6 +1394,7 @@ fr:
           government: 'Gouvernement'
     errors:
       messages:
+        password_complexity: "doit contenir au moins une lettre majuscule, une lettre minuscule et un chiffre"
         qc_in_progress: "Le contrôle qualité doit être en cours"
         record_invalid: 'La validation a échoué : %{errors}'
         restrict_dependent_destroy:

diff --git a/db/seeds.rb b/db/seeds.rb
@@ -11,7 +11,7 @@
 
 $stdout.puts "Creating test users..."
 
-common_fields = {password: "password", password_confirmation: "password", locale: :en, last_name: "User"}
+common_fields = {password: "Supersecret1", password_confirmation: "Supersecret1", locale: :en, last_name: "User"}
 admin = User.create_with(**common_fields, first_name: "Admin").find_or_create_by!(email: "admin@example.com") do |user|
   user.build_user_permission(user_role: "admin")
 end

diff --git a/lib/tasks/db.rake b/lib/tasks/db.rake
@@ -53,7 +53,7 @@ namespace :db do
   desc "Prepare database for dev enviroment"
   task prepare_for_dev: :environment do
     ActiveRecord::Base.connection.reconnect! # make sure connection is open
-    puts "Changing all users passwords to secret"
-    User.update_all(encrypted_password: User.new(password: "secret").encrypted_password)
+    puts "Changing all users passwords to Supersecret1"
+    User.update_all(encrypted_password: User.new(password: "Supersecret1").encrypted_password)
   end
 end
diff --git a/spec/factories/users.rb b/spec/factories/users.rb
@@ -34,7 +34,7 @@
   factory :user do
     sequence(:email) { |n| "pepe#{n}@example.com" }
 
-    password { "password" }
+    password { "Supersecret1" }
     password_confirmation { |u| u.password }
     first_name { "Test" }
     last_name { "user" }

diff --git a/spec/models/user_spec.rb b/spec/models/user_spec.rb
@@ -48,7 +48,6 @@
   describe "Validations" do
     # TODO: reenable later when validating first/last names
     #  it { is_expected.to validate_presence_of(:name) }
-    it { is_expected.to validate_presence_of(:password_confirmation) }
     it { is_expected.to validate_presence_of(:user_permission) }
 
     it { is_expected.to validate_uniqueness_of(:email).ignoring_case_sensitivity }
@@ -57,7 +56,28 @@
 
     it { is_expected.to validate_confirmation_of(:password) }
 
-    it { is_expected.to validate_length_of(:password).is_at_least(8).is_at_most(128).on(:create) }
+    it { is_expected.to validate_length_of(:password).is_at_least(10).is_at_most(128) }
+
+    it "is invalid when password does not contain lowercase letter" do
+      subject.password = "PASSWORD1234"
+      subject.password_confirmation = "PASSWORD1234"
+      expect(subject.valid?).to eq(false)
+      expect(subject.errors[:password]).to include("must contain at least one uppercase letter, one lowercase letter, and one digit")
+    end
+
+    it "is invalid when password does not contain uppercase letter" do
+      subject.password = "password1234"
+      subject.password_confirmation = "password1234"
+      expect(subject.valid?).to eq(false)
+      expect(subject.errors[:password]).to include("must contain at least one uppercase letter, one lowercase letter, and one digit")
+    end
+
+    it "is invalid when password does not contain digit" do
+      subject.password = "SuperPassword"
+      subject.password_confirmation = "SuperPassword"
+      expect(subject.valid?).to eq(false)
+      expect(subject.errors[:password]).to include("must contain at least one uppercase letter, one lowercase letter, and one digit")
+    end
 
     describe "user permissions" do
       let(:user) { build(:user, user_role: user_role) }