Add passwordSettings validation (#136)

* add password Settings validation

* fix test failing because of pass validation

---------

Co-authored-by: eglehelms <e.helms@cognigy.com>

lib/routes/api/password-settings.js

@@ -15,6 +15,9 @@ const validate = (obj) => {
 router.post('/', async(req, res) => {
   const logger = req.app.locals.logger;
   try {
+    if (!req.user.hasAdminAuth) {
+      return res.sendStatus(403);
+    }
     validate(req.body);
     const [existing] = (await PasswordSettings.retrieve() || []);
     if (existing) {

lib/routes/api/users.js

@@ -4,6 +4,7 @@ const request = require('request');
 const {DbErrorBadRequest} = require('../../utils/errors');
 const {generateHashedPassword, verifyPassword} = require('../../utils/password-utils');
 const {promisePool} = require('../../db');
+const {validatePasswordSettings} = require('./utils');
 const {decrypt} = require('../../utils/encrypt-decrypt');
 const sysError = require('../error');
 const retrieveMyDetails = `SELECT * 
@@ -74,9 +75,16 @@ const validateRequest = async(user_sid, req) => {
     }
   }
 
+  if (initial_password) {
+    await validatePasswordSettings(initial_password);
+  }
+
   if ((old_password && !new_password) || (new_password && !old_password)) {
     throw new DbErrorBadRequest('new_password and old_password both required');
   }
+  if (new_password) {
+    await validatePasswordSettings(new_password);
+  }
   if (new_password && name) throw new DbErrorBadRequest('can not change name and password simultaneously');
   if (new_password && user.provider !== 'local') {
     throw new DbErrorBadRequest('can not change password when using oauth2');
@@ -393,6 +401,9 @@ router.post('/', async(req, res) => {
   delete payload.initial_password;
 
   try {
+    if (req.body.initial_password) {
+      await validatePasswordSettings(req.body.initial_password);
+    }
     const email = allUsers.find((e) => e.email === payload.email);
     const name = allUsers.find((e) => e.name === payload.name);
 

lib/routes/api/utils.js

@@ -4,6 +4,7 @@ const Account = require('../../models/account');
 const {promisePool} = require('../../db');
 const {cancelSubscription, detachPaymentMethod} = require('../../utils/stripe-utils');
 const freePlans = require('../../utils/free_plans');
+const { DbErrorBadRequest} = require('../../utils/errors');
 const insertAccountSubscriptionSql = `INSERT INTO account_subscriptions 
 (account_subscription_sid, account_sid) 
 values (?, ?)`;
@@ -274,6 +275,31 @@ const disableSubspace = async(opts) => {
   return;
 };
 
+const validatePasswordSettings = async(password) => {
+  const sql = 'SELECT * from password_settings';
+  const [rows] = await promisePool.execute(sql);
+  const specialChars = /[!@#$%^&*()_+\-=\[\]{};':"\\|,.<>\/?]+/;
+  const numbers = /[0-9]+/;
+  if (rows.length === 0) {
+    if (password.length < 8 || password.length > 20) {
+      throw new DbErrorBadRequest('password length must be between 8 and 20');
+    }
+  } else {
+    if (rows[0].min_password_length && password.length < rows[0].min_password_length) {
+      throw new DbErrorBadRequest(`password must be at least ${rows[0].min_password_length} characters long`);
+    }
+
+    if (rows[0].require_digit === 1 && !numbers.test(password)) {
+      throw new DbErrorBadRequest('password must contain at least one digit');
+    }
+
+    if (rows[0].require_special_character === 1 && !specialChars.test(password)) {
+      throw new DbErrorBadRequest('password must contain at least one special character');
+    }
+  }
+  return;
+};
+
 module.exports = {
   setupFreeTrial,
   createTestCdrs,
@@ -284,5 +310,6 @@ module.exports = {
   hasServiceProviderPermissions,
   checkLimits,
   enableSubspace,
-  disableSubspace
+  disableSubspace,
+  validatePasswordSettings
 };

test/users.js

@@ -23,7 +23,7 @@ test('add an admin user', (t) => {
 
 test('user tests', async(t) => {
   const app = require('../app');
-  const password = await generateHashedPassword('abcd1234-');
+  const password = 'abcde12345-';
   try {
     let result;