hardened password validation, added tests

go-backend/internal/controllers/controllers_test.go

@@ -276,7 +276,7 @@ func getBaseUser() models.User {
 		Membership:     models.Membership{SubscriptionModel: models.SubscriptionModel{Name: "Basic"}},
 		Licence:        nil,
 		ProfilePicture: "",
-		Password:       "password123",
+		Password:       "passw@#$#%$!-ord123",
 		Company:        "",
 		RoleID:         8,
 	}

go-backend/internal/controllers/user_Password.go

@@ -8,6 +8,8 @@ import (
 	"strconv"
 
 	"github.com/gin-gonic/gin"
+	"github.com/gin-gonic/gin/binding"
+	"github.com/go-playground/validator/v10"
 )
 
 func (uc *UserController) RequestPasswordChangeHandler(c *gin.Context) {
@@ -86,6 +88,14 @@ func (uc *UserController) ChangePassword(c *gin.Context) {
 	user.ID = verification.UserID
 	user.Password = input.Password
 
+	// Get Gin's binding validator engine with all registered validators
+	validate := binding.Validator.Engine().(*validator.Validate)
+
+	// Validate the populated user struct
+	if err := validate.Struct(user); err != nil {
+		utils.HandleValidationError(c, err)
+		return
+	}
 	_, err = uc.Service.UpdateUser(user)
 	if err != nil {
 		utils.HandleUserUpdateError(c, err)

go-backend/internal/controllers/user_controller_test.go

@@ -195,7 +195,7 @@ func testLoginHandler(t *testing.T) (string, http.Cookie) {
 				name: "Valid login",
 				input: `{
                     "email": "john.doe@example.com",
-                    "password": "password123"
+                    "password": "passw@#$#%$!-ord123"
                 }`,
 				wantStatusCode: http.StatusOK,
 				wantToken:      true,
@@ -204,7 +204,7 @@ func testLoginHandler(t *testing.T) (string, http.Cookie) {
 				name: "Invalid email",
 				input: `{
                     "email": "nonexistent@example.com",
-                    "password": "password123"
+                    "password": "passw@#$#%$!-ord123"
                 }`,
 				wantStatusCode: http.StatusNotFound,
 				wantToken:      false,
@@ -645,6 +645,23 @@ func testUpdateUser(t *testing.T, loginCookie http.Cookie, adminCookie http.Cook
 				{"field": "user.user", "key": "server.error.unauthorized"},
 			},
 		},
+		{
+			name: "Password Update low entropy should fail",
+			setupCookie: func(req *http.Request) {
+				req.AddCookie(&loginCookie)
+			},
+			updateFunc: func(u *models.User) {
+				u.FirstName = "John Updated"
+				u.LastName = "Doe Updated"
+				u.Phone = "01738484994"
+				u.Licence.Number = "B072RRE2I50"
+				u.Password = "newpassword"
+			},
+			expectedErrors: []map[string]string{
+				{"field": "server.validation.special server.validation.uppercase server.validation.numbers server.validation.longer", "key": "server.validation.insecure"},
+			},
+			expectedStatus: http.StatusBadRequest,
+		},
 		{
 			name: "Password Update",
 			setupCookie: func(req *http.Request) {
@@ -655,7 +672,7 @@ func testUpdateUser(t *testing.T, loginCookie http.Cookie, adminCookie http.Cook
 				u.LastName = "Doe Updated"
 				u.Phone = "01738484994"
 				u.Licence.Number = "B072RRE2I50"
-				u.Password = "NewPassword"
+				u.Password = "NewPa0293409@#-!ssword"
 			},
 			expectedReturn: func(u *models.User) {
 				u.Password = ""
@@ -1069,7 +1086,7 @@ func getTestUsers() []RegisterUserTest {
 			Assert:       false,
 			Input: GenerateInputJSON(customizeInput(func(user models.User) models.User {
 				user.BankAccount.IBAN = ""
-				user.RoleID = 0
+				user.RoleID = 1
 				return user
 			})),
 		},
@@ -1078,9 +1095,33 @@ func getTestUsers() []RegisterUserTest {
 			WantResponse: http.StatusBadRequest,
 			WantDBData:   map[string]interface{}{"email": "john.doe@example.com"},
 			Assert:       false,
+			Input: GenerateInputJSON(customizeInput(func(user models.User) models.User {
+				user.BankAccount.IBAN = "DE1234234123134"
+				user.RoleID = 1
+				return user
+			})),
+		},
+		{
+			Name:         "invalid IBAN should fail when supporter",
+			WantResponse: http.StatusBadRequest,
+			WantDBData:   map[string]interface{}{"email": "john.supporter@example.com"},
+			Assert:       false,
 			Input: GenerateInputJSON(customizeInput(func(user models.User) models.User {
 				user.BankAccount.IBAN = "DE1234234123134"
 				user.RoleID = 0
+				user.Email = "john.supporter@example.com"
+				return user
+			})),
+		},
+		{
+			Name:         "empty IBAN should pass when supporter",
+			WantResponse: http.StatusCreated,
+			WantDBData:   map[string]interface{}{"email": "john.supporter@example.com"},
+			Assert:       true,
+			Input: GenerateInputJSON(customizeInput(func(user models.User) models.User {
+				user.BankAccount.IBAN = ""
+				user.RoleID = 0
+				user.Email = "john.supporter@example.com"
 				return user
 			})),
 		},

go-backend/internal/validation/user_validation.go

@@ -5,27 +5,27 @@ import (
 	"GoMembership/internal/models"
 	"GoMembership/internal/repositories"
 	"GoMembership/pkg/logger"
+	"strings"
 	"time"
 
 	"github.com/go-playground/validator/v10"
+	passwordvalidator "github.com/wagslane/go-password-validator"
 )
 
-func validateUser(sl validator.StructLevel) {
+var passwordErrorTranslations = map[string]string{
+	"insecure password, try ":           "",
+	"or using a longer password":        "server.validation.longer",
+	"including more special characters": "server.validation.special",
+	"using lowercase letters":           "server.validation.lowercase",
+	"using uppercase letters":           "server.validation.uppercase",
+	"using numbers":                     "server.validation.numbers",
+}
+
+func ValidateUser(sl validator.StructLevel) {
 	user := sl.Current().Interface().(models.User)
 
 	isSuper := user.RoleID >= constants.Roles.Admin
-
-	if user.RoleID > constants.Roles.Member && user.Password == "" {
-		passwordExists, err := repositories.PasswordExists(&user.ID)
-		if err != nil || !passwordExists {
-			logger.Error.Printf("Error checking password exists for user %v: %v", user.Email, err)
-			sl.ReportError(user.Password, "Password", "password", "required", "")
-		}
-	}
-	// Validate User > 18 years old
-	if user.RoleID > constants.Roles.Supporter && user.DateOfBirth.After(time.Now().AddDate(-18, 0, 0)) {
-		sl.ReportError(user.DateOfBirth, "user.user", "user.dateofbirth", "age", "")
-	}
+	isSupporter := user.RoleID == constants.Roles.Supporter
 	// validate subscriptionModel
 	if user.Membership.SubscriptionModel.Name == "" {
 		sl.ReportError(user.Membership.SubscriptionModel.Name, "subscription.name", "name", "required", "")
@@ -38,12 +38,41 @@ func validateUser(sl validator.StructLevel) {
 			user.Membership.SubscriptionModel = *selectedModel
 		}
 	}
+	if isSupporter {
+		if user.BankAccount.IBAN != "" {
+			validateBankAccount(sl)
+		}
+		return
+	}
 
-	validateMembership(sl)
-	if !isSuper {
-		validateBankAccount(sl)
-		if user.Licence != nil && user.RoleID > constants.Roles.Supporter {
-			validateDriverslicence(sl)
+	if user.Password != "" {
+		if err := passwordvalidator.Validate(user.Password, 60); err != nil {
+			sl.ReportError(user.Password, translatePasswordError(err), "password", "insecure", "")
 		}
 	}
+	// Validate User > 18 years old
+	if user.DateOfBirth.After(time.Now().AddDate(-18, 0, 0)) {
+		sl.ReportError(user.DateOfBirth, "user.user", "user.dateofbirth", "age", "")
+	}
+	validateMembership(sl)
+
+	if isSuper {
+		return
+	}
+
+	validateBankAccount(sl)
+	if user.Licence != nil {
+		validateDriverslicence(sl)
+	}
+}
+
+func translatePasswordError(err error) string {
+	errMsg := err.Error()
+	// Translate each part of the error message
+	translatedMsg := errMsg
+	for eng, translated := range passwordErrorTranslations {
+		translatedMsg = strings.Replace(translatedMsg, eng, translated, -1)
+	}
+
+	return strings.Replace(translatedMsg, ",", "", -1)
 }