From 7ebe04fb911b0c2db87f8adbb9e1179fcdd890b7 Mon Sep 17 00:00:00 2001
From: Dane Everitt
Date: Sun, 29 Nov 2020 13:28:46 -0800
Subject: [PATCH] Don't allow blank passwords on the password change endpoint; closes #2750

---
 .../Client/Account/UpdatePasswordRequest.php | 7 +++---
 .../Api/Client/AccountControllerTest.php | 23 +++++++++++++++++++
 2 files changed, 26 insertions(+), 4 deletions(-)

diff --git a/app/Http/Requests/Api/Client/Account/UpdatePasswordRequest.php b/app/Http/Requests/Api/Client/Account/UpdatePasswordRequest.php
index f52b71297..3bbff3d48 100644
--- a/app/Http/Requests/Api/Client/Account/UpdatePasswordRequest.php
+++ b/app/Http/Requests/Api/Client/Account/UpdatePasswordRequest.php
@@ -2,7 +2,6 @@
 
 namespace Pterodactyl\Http\Requests\Api\Client\Account;
 
-use Pterodactyl\Models\User;
 use Pterodactyl\Http\Requests\Api\Client\ClientApiRequest;
 use Pterodactyl\Exceptions\Http\Base\InvalidPasswordProvidedException;
 
@@ -32,8 +31,8 @@ class UpdatePasswordRequest extends ClientApiRequest
      */
     public function rules(): array
     {
-        $rules = User::getRulesForUpdate($this->user());
-
-        return ['password' => array_merge($rules['password'], ['confirmed'])];
+        return [
+            'password' => ['required', 'string', 'confirmed', 'min:8'],
+        ];
     }
 }
diff --git a/tests/Integration/Api/Client/AccountControllerTest.php b/tests/Integration/Api/Client/AccountControllerTest.php
index 75b152090..6534bd508 100644
--- a/tests/Integration/Api/Client/AccountControllerTest.php
+++ b/tests/Integration/Api/Client/AccountControllerTest.php
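Review bot: The `min:8` requirement in the rewritten `rules()` body is now a literal private to this request rather than derived from the User model's rule set, so the account-wide password policy and this endpoint can drift apart without either side noticing. If that is the intended trade-off (the removed `User::getRulesForUpdate` path presumably treated the password as optional for general profile updates, which is what appears to have let blank values through), record it so a later cleanup does not reintroduce the shared rules: `// Inlined deliberately: the shared User update rules treat the password as optional, which permitted blank values (#2750); a password change must always require a non-empty value.` Whatever limit is kept here should be checked against the user creation and admin update rules so the minimum length is consistent across all places a password is set. The class declaration enclosing `rules()` is outside the hunk.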
@@ -140,6 +140,29 @@ class AccountControllerTest extends ClientApiIntegrationTestCase
         $response->assertJsonPath('errors.0.detail', 'The password provided was invalid for this account.');
     }
 
+    /**
+     * Test that a validation error is returned to the user if no password is provided or if
+     * the password is below the minimum password length.
+     */
+    public function testErrorIsReturnedForInvalidRequestData()
+    {
+        $user = factory(User::class)->create();
+
+        $this->actingAs($user)->putJson('/api/client/account/password', [
+            'current_password' => 'password',
+        ])
+            ->assertStatus(Response::HTTP_UNPROCESSABLE_ENTITY)
+            ->assertJsonPath('errors.0.meta.rule', 'required');
+
+        $this->actingAs($user)->putJson('/api/client/account/password', [
+            'current_password' => 'password',
+            'password' => 'pass',
+            'password_confirmation' => 'pass',
+        ])
+            ->assertStatus(Response::HTTP_UNPROCESSABLE_ENTITY)
+            ->assertJsonPath('errors.0.meta.rule', 'min');
+
+    }
+
     /**
      * Test that a validation error is returned if the password passed in the request
      * does not have a confirmation, or the confirmation is not the same as the password.
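Review bot: `testErrorIsReturnedForInvalidRequestData` covers an omitted `password` key and a four-character value, but not the explicit empty string that the commit title says is being closed off. Laravel's `required` rule does reject `''`, yet that is exactly the case that silently regresses if the rule is later relaxed to `nullable` or `sometimes`, so it is worth pinning with a third request that sends `'password' => ''` and `'password_confirmation' => ''` and asserts the `required` rule again. The added method is complete within the hunk; the enclosing class declaration is outside it.

```php
        // … unchanged: the 'required' and 'min' requests above …
        $this->actingAs($user)->putJson('/api/client/account/password', [
            'current_password' => 'password',
            'password' => '',
            'password_confirmation' => '',
        ])
            ->assertStatus(Response::HTTP_UNPROCESSABLE_ENTITY)
            ->assertJsonPath('errors.0.meta.rule', 'required');
```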