Don't allow blank passwords on the password change endpoint; closes #2750
This commit is contained in:
parent
16f49f8dc1
commit
7ebe04fb91
2 changed files with 26 additions and 4 deletions
|
@ -2,7 +2,6 @@
|
|||
|
||||
namespace Pterodactyl\Http\Requests\Api\Client\Account;
|
||||
|
||||
use Pterodactyl\Models\User;
|
||||
use Pterodactyl\Http\Requests\Api\Client\ClientApiRequest;
|
||||
use Pterodactyl\Exceptions\Http\Base\InvalidPasswordProvidedException;
|
||||
|
||||
|
@ -32,8 +31,8 @@ class UpdatePasswordRequest extends ClientApiRequest
|
|||
*/
|
||||
public function rules(): array
|
||||
{
|
||||
$rules = User::getRulesForUpdate($this->user());
|
||||
|
||||
return ['password' => array_merge($rules['password'], ['confirmed'])];
|
||||
return [
|
||||
'password' => ['required', 'string', 'confirmed', 'min:8'],
|
||||
];
|
||||
}
|
||||
}
|
||||
|
|
|
@ -140,6 +140,29 @@ class AccountControllerTest extends ClientApiIntegrationTestCase
|
|||
$response->assertJsonPath('errors.0.detail', 'The password provided was invalid for this account.');
|
||||
}
|
||||
|
||||
/**
|
||||
* Test that a validation error is returned to the user if no password is provided or if
|
||||
* the password is below the minimum password length.
|
||||
*/
|
||||
public function testErrorIsReturnedForInvalidRequestData()
|
||||
{
|
||||
$user = factory(User::class)->create();
|
||||
|
||||
$this->actingAs($user)->putJson('/api/client/account/password', [
|
||||
'current_password' => 'password',
|
||||
])
|
||||
->assertStatus(Response::HTTP_UNPROCESSABLE_ENTITY)
|
||||
->assertJsonPath('errors.0.meta.rule', 'required');
|
||||
|
||||
$this->actingAs($user)->putJson('/api/client/account/password', [
|
||||
'current_password' => 'password',
|
||||
'password' => 'pass',
|
||||
'password_confirmation' => 'pass',
|
||||
])
|
||||
->assertStatus(Response::HTTP_UNPROCESSABLE_ENTITY)
|
||||
->assertJsonPath('errors.0.meta.rule', 'min');
|
||||
}
|
||||
|
||||
/**
|
||||
* Test that a validation error is returned if the password passed in the request
|
||||
* does not have a confirmation, or the confirmation is not the same as the password.
|
||||
|
|
Loading…
Reference in a new issue