check whether the password is not weak when resetting a password

2017-02-18 10:51:46 +01:00 · 2017-02-18 10:51:46 +01:00 · 72c358ee62
parent 62fb3ce251
commit 72c358ee62
2 changed files with 25 additions and 7 deletions
--- a/Handler/AccountReset.hs
+++ b/Handler/AccountReset.hs
@ -8,7 +8,7 @@ import System.IO.Unsafe (unsafePerformIO)

 import Data.Time.Clock (addUTCTime)

-import Handler.Common (passwordConfirmField, updatePassword)
+import Handler.Common (passwordConfirmField, updatePassword, isPasswordAcceptable, tooWeakPasswordMessage)

 getCreateResetLinkR :: Handler Html
 getCreateResetLinkR = do
@ -87,12 +87,8 @@ doResetPassword key _ Nothing = do
  setMessage $ toHtml ("Password not given or does not match! Make sure you entered the same password" :: Text)
  getResetPasswordR key

-doResetPassword _ (Just userId) (Just password) = do
-  updatePassword userId (Just password)
-  runDB $ update userId removeVerificationKeyStatement
-  defaultLayout $ do
-    setTitle "Reset password"
-    $(widgetFile "password-reset")
+doResetPassword key (Just userId) (Just password) = do
+  doResetPassword' (isPasswordAcceptable password) key userId password

 doResetPassword key Nothing _ = do
  runDB $ updateWhere [UserVerificationKey ==. Just key] removeVerificationKeyStatement
@ -101,6 +97,18 @@ doResetPassword key Nothing _ = do
    setTitle "Reset password"
    $(widgetFile "password-reset-failed")

+doResetPassword' :: Bool -> Text -> Key User -> Text -> Handler Html
+doResetPassword' True _ userId password = do
+  updatePassword userId (Just password)
+  runDB $ update userId removeVerificationKeyStatement
+  defaultLayout $ do
+    setTitle "Reset password"
+    $(widgetFile "password-reset")
+
+doResetPassword' False key _ _ = do
+  tooWeakPasswordMessage
+  getResetPasswordR key
+
 removeVerificationKeyStatement :: [Update User]
 removeVerificationKeyStatement = [UserVerificationKey =. Nothing,                                                         UserKeyExpirationDate =. Nothing]

--- a/Handler/Common.hs
+++ b/Handler/Common.hs
@ -44,3 +44,13 @@ updatePassword userId (Just password) = do
  encodedPassword <- liftIO $ makePassword (encodeUtf8 password) defaultStrength
  runDB $ update userId [UserPassword =. Just (decodeUtf8 encodedPassword)]
  setMessage $ toHtml ("Password set!" :: Text)
+
+minPasswordLength :: Int
+minPasswordLength = 10
+
+isPasswordAcceptable :: Text -> Bool
+isPasswordAcceptable p = length p >= minPasswordLength
+
+tooWeakPasswordMessage :: Handler ()
+tooWeakPasswordMessage =
+  setMessage $ toHtml ("Password is too weak!!! A password needs to have at least " ++ (show minPasswordLength) ++ " characters")