From 72c358ee621cb62f91cb2a3602ba3e6e2a22e632 Mon Sep 17 00:00:00 2001
From: Filip Gralinski
Date: Sat, 18 Feb 2017 10:51:46 +0100
Subject: [PATCH] check whether the password is not weak when resetting a password

---
 Handler/AccountReset.hs | 22 +++++++++++++++-------
 Handler/Common.hs | 10 ++++++++++
 2 files changed, 25 insertions(+), 7 deletions(-)

diff --git a/Handler/AccountReset.hs b/Handler/AccountReset.hs
index 1cd3f31..5daf5ee 100644
--- a/Handler/AccountReset.hs
+++ b/Handler/AccountReset.hs
@@ -8,7 +8,7 @@ import System.IO.Unsafe (unsafePerformIO)
 import Data.Time.Clock (addUTCTime)
 
-import Handler.Common (passwordConfirmField, updatePassword)
+import Handler.Common (passwordConfirmField, updatePassword, isPasswordAcceptable, tooWeakPasswordMessage)
 
 getCreateResetLinkR :: Handler Html
 getCreateResetLinkR = do
@@ -87,12 +87,8 @@ doResetPassword key _ Nothing = do
   setMessage $ toHtml ("Password not given or does not match! Make sure you entered the same password" :: Text)
   getResetPasswordR key
 
-doResetPassword _ (Just userId) (Just password) = do
-  updatePassword userId (Just password)
-  runDB $ update userId removeVerificationKeyStatement
-  defaultLayout $ do
-    setTitle "Reset password"
-    $(widgetFile "password-reset")
+doResetPassword key (Just userId) (Just password) = do
+  doResetPassword' (isPasswordAcceptable password) key userId password
 
 doResetPassword key Nothing _ = do
   runDB $ updateWhere [UserVerificationKey ==. Just key] removeVerificationKeyStatement
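Review bot: In `doResetPassword key (Just userId) (Just password)` the strength check is collapsed to a `Bool` and handed to `doResetPassword'` (defined in the next hunk), whose two equations pattern-match that flag apart again, so the condition and the branch it selects live in different functions and the helper's `Bool -> Text -> Key User -> Text` signature puts the key and the password, both `Text`, in positions that are easy to transpose. A guard on this equation keeps the condition next to its branch and makes the helper unnecessary: `| isPasswordAcceptable password = do` followed by the original reset body, and `| otherwise = tooWeakPasswordMessage >> getResetPasswordR key`. Whichever shape is kept, a one-line comment on this equation would help, e.g. `-- Reject weak passwords before storing anything, so the reset link stays valid for another attempt.`, since that ordering is what keeps the verification key usable after a rejected submission.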
@@ -101,6 +97,18 @@ doResetPassword key Nothing _ = do
     setTitle "Reset password"
     $(widgetFile "password-reset-failed")
 
+doResetPassword' :: Bool -> Text -> Key User -> Text -> Handler Html
+doResetPassword' True _ userId password = do
+  updatePassword userId (Just password)
+  runDB $ update userId removeVerificationKeyStatement
+  defaultLayout $ do
+    setTitle "Reset password"
+    $(widgetFile "password-reset")
+
+doResetPassword' False key _ _ = do
+  tooWeakPasswordMessage
+  getResetPasswordR key
+
 removeVerificationKeyStatement :: [Update User]
 removeVerificationKeyStatement = [UserVerificationKey =. Nothing, UserKeyExpirationDate =. Nothing]
diff --git a/Handler/Common.hs b/Handler/Common.hs
index f76f3b9..afa7496 100644
--- a/Handler/Common.hs
+++ b/Handler/Common.hs
@@ -44,3 +44,13 @@ updatePassword userId (Just password) = do
   encodedPassword <- liftIO $ makePassword (encodeUtf8 password) defaultStrength
   runDB $ update userId [UserPassword =. Just (decodeUtf8 encodedPassword)]
   setMessage $ toHtml ("Password set!" :: Text)
+
+minPasswordLength :: Int
+minPasswordLength = 10
+
+isPasswordAcceptable :: Text -> Bool
+isPasswordAcceptable p = length p >= minPasswordLength
+
+tooWeakPasswordMessage :: Handler ()
+tooWeakPasswordMessage =
+  setMessage $ toHtml ("Password is too weak!!! A password needs to have at least " ++ (show minPasswordLength) ++ " characters")
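Review bot: `isPasswordAcceptable` in Handler/Common.hs makes length the only strength criterion, so a ten-character password that is a well-known or previously breached one still passes; a lookup against a deny-list of common passwords, which current guidance favours over composition rules, would sit naturally beside the length test, and the function deserves a Haddock stating what "acceptable" means, e.g. `-- | A password is acceptable when it has at least 'minPasswordLength' characters; no other strength rule is applied.`. `length p` on a `Text` typechecks only if Common.hs sits under a mono-foldable prelude such as ClassyPrelude (the usual Yesod `Import`); otherwise `Data.Text.length` is needed. The gate is wired into the reset path only in this commit; any other caller of `updatePassword` (registration, password change) presumably needs the same check, which is worth confirming. The message in `tooWeakPasswordMessage` derives the limit from `minPasswordLength`, so the two cannot drift apart, which is the right way to state it.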