Don't allow blank passwords on the password change endpoint; closes #2750

This commit is contained in:
Dane Everitt 2020-11-29 13:28:46 -08:00
parent 16f49f8dc1
commit 7ebe04fb91
No known key found for this signature in database
GPG key ID: EEA66103B3D71F53
2 changed files with 26 additions and 4 deletions

View file

@ -2,7 +2,6 @@
namespace Pterodactyl\Http\Requests\Api\Client\Account;
use Pterodactyl\Models\User;
use Pterodactyl\Http\Requests\Api\Client\ClientApiRequest;
use Pterodactyl\Exceptions\Http\Base\InvalidPasswordProvidedException;
@ -32,8 +31,8 @@ class UpdatePasswordRequest extends ClientApiRequest
*/
public function rules(): array
{
$rules = User::getRulesForUpdate($this->user());
return ['password' => array_merge($rules['password'], ['confirmed'])];
return [
'password' => ['required', 'string', 'confirmed', 'min:8'],
];
}
}

View file

@ -140,6 +140,29 @@ class AccountControllerTest extends ClientApiIntegrationTestCase
$response->assertJsonPath('errors.0.detail', 'The password provided was invalid for this account.');
}
/**
* Test that a validation error is returned to the user if no password is provided or if
* the password is below the minimum password length.
*/
public function testErrorIsReturnedForInvalidRequestData()
{
$user = factory(User::class)->create();
$this->actingAs($user)->putJson('/api/client/account/password', [
'current_password' => 'password',
])
->assertStatus(Response::HTTP_UNPROCESSABLE_ENTITY)
->assertJsonPath('errors.0.meta.rule', 'required');
$this->actingAs($user)->putJson('/api/client/account/password', [
'current_password' => 'password',
'password' => 'pass',
'password_confirmation' => 'pass',
])
->assertStatus(Response::HTTP_UNPROCESSABLE_ENTITY)
->assertJsonPath('errors.0.meta.rule', 'min');
}
/**
* Test that a validation error is returned if the password passed in the request
* does not have a confirmation, or the confirmation is not the same as the password.