hardened password validation, added tests

2025-03-03 12:33:07 +01:00
parent f5df70fba8
commit 8ec9fb247f
8 changed files with 122 additions and 25 deletions
--- a/go-backend/internal/controllers/controllers_test.go
+++ b/go-backend/internal/controllers/controllers_test.go
@@ -276,7 +276,7 @@ func getBaseUser() models.User {
 		Membership:     models.Membership{SubscriptionModel: models.SubscriptionModel{Name: "Basic"}},
 		Licence:        nil,
 		ProfilePicture: "",
-		Password:       "password123",
+		Password:       "passw@#$#%$!-ord123",
 		Company:        "",
 		RoleID:         8,
 	}
--- a/go-backend/internal/controllers/user_Password.go
+++ b/go-backend/internal/controllers/user_Password.go
@@ -8,6 +8,8 @@ import (
 	"strconv"

 	"github.com/gin-gonic/gin"
+	"github.com/gin-gonic/gin/binding"
+	"github.com/go-playground/validator/v10"
 )

 func (uc *UserController) RequestPasswordChangeHandler(c *gin.Context) {
@@ -86,6 +88,14 @@ func (uc *UserController) ChangePassword(c *gin.Context) {
 	user.ID = verification.UserID
 	user.Password = input.Password

+	// Get Gin's binding validator engine with all registered validators
+	validate := binding.Validator.Engine().(*validator.Validate)
+
+	// Validate the populated user struct
+	if err := validate.Struct(user); err != nil {
+		utils.HandleValidationError(c, err)
+		return
+	}
 	_, err = uc.Service.UpdateUser(user)
 	if err != nil {
 		utils.HandleUserUpdateError(c, err)
--- a/go-backend/internal/controllers/user_controller_test.go
+++ b/go-backend/internal/controllers/user_controller_test.go
@@ -195,7 +195,7 @@ func testLoginHandler(t *testing.T) (string, http.Cookie) {
 				name: "Valid login",
 				input: `{
                    "email": "john.doe@example.com",
-                    "password": "password123"
+                    "password": "passw@#$#%$!-ord123"
                }`,
 				wantStatusCode: http.StatusOK,
 				wantToken:      true,
@@ -204,7 +204,7 @@ func testLoginHandler(t *testing.T) (string, http.Cookie) {
 				name: "Invalid email",
 				input: `{
                    "email": "nonexistent@example.com",
-                    "password": "password123"
+                    "password": "passw@#$#%$!-ord123"
                }`,
 				wantStatusCode: http.StatusNotFound,
 				wantToken:      false,
@@ -645,6 +645,23 @@ func testUpdateUser(t *testing.T, loginCookie http.Cookie, adminCookie http.Cook
 				{"field": "user.user", "key": "server.error.unauthorized"},
 			},
 		},
+		{
+			name: "Password Update low entropy should fail",
+			setupCookie: func(req *http.Request) {
+				req.AddCookie(&loginCookie)
+			},
+			updateFunc: func(u *models.User) {
+				u.FirstName = "John Updated"
+				u.LastName = "Doe Updated"
+				u.Phone = "01738484994"
+				u.Licence.Number = "B072RRE2I50"
+				u.Password = "newpassword"
+			},
+			expectedErrors: []map[string]string{
+				{"field": "server.validation.special server.validation.uppercase server.validation.numbers server.validation.longer", "key": "server.validation.insecure"},
+			},
+			expectedStatus: http.StatusBadRequest,
+		},
 		{
 			name: "Password Update",
 			setupCookie: func(req *http.Request) {
@@ -655,7 +672,7 @@ func testUpdateUser(t *testing.T, loginCookie http.Cookie, adminCookie http.Cook
 				u.LastName = "Doe Updated"
 				u.Phone = "01738484994"
 				u.Licence.Number = "B072RRE2I50"
-				u.Password = "NewPassword"
+				u.Password = "NewPa0293409@#-!ssword"
 			},
 			expectedReturn: func(u *models.User) {
 				u.Password = ""
@@ -1069,7 +1086,7 @@ func getTestUsers() []RegisterUserTest {
 			Assert:       false,
 			Input: GenerateInputJSON(customizeInput(func(user models.User) models.User {
 				user.BankAccount.IBAN = ""
-				user.RoleID = 0
+				user.RoleID = 1
 				return user
 			})),
 		},
@@ -1078,9 +1095,33 @@ func getTestUsers() []RegisterUserTest {
 			WantResponse: http.StatusBadRequest,
 			WantDBData:   map[string]interface{}{"email": "john.doe@example.com"},
 			Assert:       false,
+			Input: GenerateInputJSON(customizeInput(func(user models.User) models.User {
+				user.BankAccount.IBAN = "DE1234234123134"
+				user.RoleID = 1
+				return user
+			})),
+		},
+		{
+			Name:         "invalid IBAN should fail when supporter",
+			WantResponse: http.StatusBadRequest,
+			WantDBData:   map[string]interface{}{"email": "john.supporter@example.com"},
+			Assert:       false,
 			Input: GenerateInputJSON(customizeInput(func(user models.User) models.User {
 				user.BankAccount.IBAN = "DE1234234123134"
 				user.RoleID = 0
+				user.Email = "john.supporter@example.com"
+				return user
+			})),
+		},
+		{
+			Name:         "empty IBAN should pass when supporter",
+			WantResponse: http.StatusCreated,
+			WantDBData:   map[string]interface{}{"email": "john.supporter@example.com"},
+			Assert:       true,
+			Input: GenerateInputJSON(customizeInput(func(user models.User) models.User {
+				user.BankAccount.IBAN = ""
+				user.RoleID = 0
+				user.Email = "john.supporter@example.com"
 				return user
 			})),
 		},