From c7bac9e62391869f077f83ced0023fa219b053db Mon Sep 17 00:00:00 2001
From: realaravinth
Date: Sun, 2 May 2021 10:32:22 +0530
Subject: [PATCH] server-side password validation
---
 src/api/v1/auth.rs | 11 +++++------
 src/api/v1/tests/auth.rs | 19 ++++++++++++++++++-
 src/errors.rs | 5 ++++-
 src/tests/mod.rs | 1 +
 templates/auth/register/index.ts | 1 +
 templates/index.ts | 2 +-
 6 files changed, 30 insertions(+), 9 deletions(-)
diff --git a/src/api/v1/auth.rs b/src/api/v1/auth.rs
index d70d9fa9..817cfd91 100644
--- a/src/api/v1/auth.rs
+++ b/src/api/v1/auth.rs
@@ -31,6 +31,7 @@ use crate::Data;
 pub struct Register {
     pub username: String,
     pub password: String,
+    pub confirm_password: String,
     pub email: Option,
 }
@@ -53,14 +54,12 @@ pub async fn signup(
     if !crate::SETTINGS.server.allow_registration {
         Err(ServiceError::ClosedForRegistration)?
     }
+
+    if &payload.password != &payload.confirm_password {
+        return Err(ServiceError::PasswordsDontMatch);
+    }
     let username = data.creds.username(&payload.username)?;
     let hash = data.creds.password(&payload.password)?;
-    // let payload = payload.into_inner();
-    // let email = payload.email.clone();
-    // if payload.email.is_some() {
-    //     let email = email.clone().unwrap();
-    //     data.creds.email(Some(&email))?;
-    // }
     if let Some(email) = &payload.email {
         data.creds.email(&email)?;
diff --git a/src/api/v1/tests/auth.rs b/src/api/v1/tests/auth.rs
index 90bff751..ef83cae9 100644
--- a/src/api/v1/tests/auth.rs
+++ b/src/api/v1/tests/auth.rs
@@ -43,6 +43,7 @@ async fn auth_works() {
     let msg = Register {
         username: NAME.into(),
         password: PASSWORD.into(),
+        confirm_password: PASSWORD.into(),
         email: None,
     };
     let resp = test::call_service(&mut app, post_request!(&msg, SIGNUP).to_request()).await;
@@ -80,6 +81,7 @@ async fn auth_works() {
     let msg = Register {
         username: NAME.into(),
         password: PASSWORD.into(),
+        confirm_password: PASSWORD.into(),
         email: Some(EMAIL.into()),
     };
     bad_post_req_test(
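Review bot: The new `pub confirm_password: String` in `Register` is a required field, so any API client that omits it is rejected at deserialization before `signup` runs and never sees `ServiceError::PasswordsDontMatch`; whether that is a breaking change for non-browser callers depends on the derive on `Register`, which sits above this hunk. The field also carries no doc comment while the struct is public. I would add `/// Repeat of `password`; registration is rejected when the two differ.` above the new line and state in the API documentation that the field is now mandatory.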
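Review bot: `if &payload.password != &payload.confirm_password {` compares references where the owned strings can be compared directly (Clippy `op_ref`); the line should read `if payload.password != payload.confirm_password {`. The check sits before the username and password policy checks and before hashing, which is the right place for it — a mismatch costs no hash computation and touches no state. The surrounding code rejects with `Err(ServiceError::ClosedForRegistration)?` while the new block uses `return Err(ServiceError::PasswordsDontMatch);`; either works, but one form throughout would read more consistently. `signup` continues outside the hunk.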
@@ -136,12 +138,13 @@ async fn auth_works() {
 }
 #[actix_rt::test]
-async fn email_udpate_and_del_userworks() {
+async fn email_udpate_password_validation_del_userworks() {
     const NAME: &str = "testuser2";
     const PASSWORD: &str = "longpassword2";
     const EMAIL: &str = "testuser1@a.com2";
     const DEL_URL: &str = "/api/v1/account/delete";
     const EMAIL_UPDATE: &str = "/api/v1/account/email/";
+    const SIGNUP: &str = "/api/v1/signup";
     {
         let data = Data::new().await;
@@ -178,6 +181,20 @@ async fn email_udpate_and_del_userworks() {
             .await;
         assert_eq!(delete_user_resp.status(), StatusCode::OK);
+
+        // checking to see if server-side password validation (password == password_config)
+        // works
+        let register_msg = Register {
+            username: NAME.into(),
+            password: PASSWORD.into(),
+            confirm_password: NAME.into(),
+            email: None,
+        };
+        let resp =
+            test::call_service(&mut app, post_request!(®ister_msg, SIGNUP).to_request()).await;
+        assert_eq!(resp.status(), StatusCode::BAD_REQUEST);
+        let txt: ErrorToResponse = test::read_body_json(resp).await;
+        assert_eq!(txt.error, format!("{}", ServiceError::PasswordsDontMatch));
     }
 #[actix_rt::test]
diff --git a/src/errors.rs b/src/errors.rs
index ca961d84..499f57e5 100644
--- a/src/errors.rs
+++ b/src/errors.rs
@@ -70,6 +70,8 @@ pub enum ServiceError {
     PasswordTooShort,
     #[display(fmt = "Username too long")]
     PasswordTooLong,
+    #[display(fmt = "Passwords don't match")]
+    PasswordsDontMatch,
     /// when the a username is already taken
     #[display(fmt = "Username not available")]
@@ -121,6 +123,7 @@ impl ResponseError for ServiceError {
     ServiceError::PasswordTooShort => StatusCode::BAD_REQUEST,
     ServiceError::PasswordTooLong => StatusCode::BAD_REQUEST,
+    ServiceError::PasswordsDontMatch => StatusCode::BAD_REQUEST,
     ServiceError::UsernameTaken => StatusCode::BAD_REQUEST,
     ServiceError::EmailTaken => StatusCode::BAD_REQUEST,
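Review bot: The comment `// checking to see if server-side password validation (password == password_config)` names a field that does not exist; the struct field is `confirm_password`, so it should read `// server-side password validation: password must equal confirm_password`. `format!("{}", ServiceError::PasswordsDontMatch)` is just `ServiceError::PasswordsDontMatch.to_string()`. The new assertions only check the error response; they do not verify that the mismatched attempt left no account behind, which a subsequent signup with the same `NAME` and matching passwords (expected to succeed, since the account was deleted just above) would cover — that would go after the hunk, inside the same function, which continues outside it. The `const SIGNUP` added in the earlier hunk of this file duplicates a constant that `auth_works` also appears to use; a module-level constant would avoid the copy.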
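Review bot: `PasswordsDontMatch` is added without a doc comment, while the neighbouring variant documents itself with `/// when the a username is already taken`; add `/// when the password and its confirmation differ at registration` above the new `#[display(...)]` line. While here, the context line just above the insertion shows `PasswordTooLong` displayed as "Username too long", which looks like a copy-paste slip in existing code rather than something this commit introduced, and would be worth a follow-up since it is the text a client sees. The mapping to `StatusCode::BAD_REQUEST` in the second hunk of this file is consistent with the other validation variants.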
@@ -164,8 +167,8 @@ impl From for ServiceError {
     }
 }
+#[cfg(not(tarpaulin_include))]
 impl From for ServiceError {
-    #[cfg(not(tarpaulin_include))]
     fn from(e: CaptchaError) -> ServiceError {
         ServiceError::CaptchaError(e)
     }
diff --git a/src/tests/mod.rs b/src/tests/mod.rs
index c13175c4..a30e4984 100644
--- a/src/tests/mod.rs
+++ b/src/tests/mod.rs
@@ -76,6 +76,7 @@ pub async fn register<'a>(name: &'a str, email: &str, password: &str) {
     let msg = Register {
         username: name.into(),
         password: password.into(),
+        confirm_password: password.into(),
         email: Some(email.into()),
     };
     let resp =
diff --git a/templates/auth/register/index.ts b/templates/auth/register/index.ts
index 390681ea..f3e8f69a 100644
--- a/templates/auth/register/index.ts
+++ b/templates/auth/register/index.ts
@@ -64,6 +64,7 @@ const registerUser = async (e: Event) => {
     let payload = {
         username,
         password,
+        confirm_password: passwordCheck,
         email,
     };
diff --git a/templates/index.ts b/templates/index.ts
index c8f87889..76cecef9 100644
--- a/templates/index.ts
+++ b/templates/index.ts
@@ -21,7 +21,7 @@ import * as login from './auth/login';
 import * as register from './auth/register';
 import * as panel from './panel/index';
 import * as addSiteKey from './panel/add-site-key/';
-//import './auth/forms.scss';
+import './auth/forms.scss';
 import './panel/main.scss';
 import VIEWS from './views/v1/routes';