Added validation for signup and login screens

Closes #374
* Included node-validator as a package
* Implemented server side validation (the client side js is a mess, need a LOT of work)
* Validates email address both on signup and login screens, gives error message on malformed email addresses
* Requires at least 8 chars of password
* Tells user if password is too short
* Tells user if no such user on login
* Tells user if wrong password on login
* Tells user if server responds with a 404 (goes away, dies, etc)
* Added middleware between req and login / signup for validation
This commit is contained in:
Gabor Javorszky 2013-08-18 22:50:42 +01:00
parent 3b6b5a085d
commit be7ed2dfdc
6 changed files with 67 additions and 31 deletions

View File

@ -45,7 +45,8 @@
submitHandler: function (event) {
event.preventDefault();
var email = this.$el.find('.email').val(),
password = this.$el.find('.password').val();
password = this.$el.find('.password').val(),
self = this;
$.ajax({
url: '/ghost/login/',
@ -60,7 +61,7 @@
error: function (obj, string, status) {
Ghost.notifications.addItem({
type: 'error',
message: obj.responseText,
message: self.getRequestErrorMessage(obj),
status: 'passive'
});
}
@ -79,7 +80,8 @@
submitHandler: function (event) {
event.preventDefault();
var email = this.$el.find('.email').val(),
password = this.$el.find('.password').val();
password = this.$el.find('.password').val(),
self = this;
$.ajax({
url: '/ghost/signup/',
@ -92,10 +94,9 @@
window.location.href = msg.redirect;
},
error: function (obj, string, status) {
var msgobj = $.parseJSON(obj.responseText);
Ghost.notifications.addItem({
type: 'error',
message: msgobj.message,
message: self.getRequestErrorMessage(obj),
status: 'passive'
});
}

View File

@ -102,10 +102,11 @@
});
},
saveError: function () {
saveError: function (message) {
message = message || 'Something went wrong, not saved :(';
Ghost.notifications.addItem({
type: 'error',
message: 'Something went wrong, not saved :(',
message: message,
status: 'passive'
});
}
@ -208,8 +209,13 @@
newPassword = this.$('#user-password-new').val(),
ne2Password = this.$('#user-new-password-verification').val();
if (newPassword !== ne2Password || newPassword.length < 6 || oldPassword.length < 6) {
this.saveError();
if (newPassword !== ne2Password) {
this.saveError('The passwords do not match');
return;
}
if (newPassword.length < 8) {
this.saveError('The password is not long enough. Have at least 8 characters');
return;
}

View File

@ -97,7 +97,7 @@ adminControllers = {
req.session.user = user.id;
res.json(200, {redirect: req.query.r ? '/ghost/' + req.query.r : '/ghost/'});
}, function (error) {
res.send(401, error.message);
res.json(401, {error: error.message});
});
},
changepw: function (req, res) {
@ -124,22 +124,18 @@ adminControllers = {
var email = req.body.email,
password = req.body.password;
if (email !== '' && password.length > 5) {
api.users.add({
email_address: email,
password: password
}).then(function (user) {
// Automatically log the new user in, unless created by an existing account
if (req.session.user === undefined) {
req.session.user = user.id;
}
res.json(200, {redirect: '/ghost/'});
}, function (error) {
res.json(401, {message: error.message});
res.json(401, {error: error.message});
});
} else {
res.json(400, {message: 'The password is too short. Have at least 6 characters in there'});
}
},
'logout': function (req, res) {
delete req.session.user;

View File

@ -85,7 +85,7 @@ User = GhostBookshelf.Model.extend({
}).then(function (addedUserRole) {
// Return the added user as expected
return when.resolve(userData);
}, errors.logAndThrowError);
});
/**
* Temporarily replacing the function below with another one that checks
@ -118,7 +118,7 @@ User = GhostBookshelf.Model.extend({
return user;
}, errors.logAndThrowError);
}, function (error) {
return when.reject(new Error('Email address or password is incorrect'));
return when.reject(new Error('There is no user with that email address.'));
});
},

View File

@ -20,11 +20,16 @@ var express = require('express'),
filters = require('./core/server/filters'),
helpers = require('./core/server/helpers'),
packageInfo = require('./package.json'),
Validator = require('validator').Validator,
v = new Validator(),
// Variables
loading = when.defer(),
ghost = new Ghost();
v.error = function () {
return false;
};
// ##Custom Middleware
@ -45,6 +50,33 @@ function auth(req, res, next) {
next();
}
/**
* Validation middleware
* Checks on signup whether email is actually a valid email address
* and if password is at least 8 characters long
*
* To change validation rules, see https://github.com/chriso/node-validator
*
* @author javorszky
* @issue https://github.com/TryGhost/Ghost/issues/374
*/
function signupValidate(req, res, next) {
var email = req.body.email,
password = req.body.password;
if (!v.check(email).isEmail()) {
res.json(401, {error: "Please check your email address. It does not seem to be valid."});
return;
}
if (!v.check(password).len(8)) {
res.json(401, {error: 'Your password is not long enough. It must be at least 8 chars long.'});
return;
}
next();
}
// ## AuthApi Middleware
// Authenticate a request to the API by responding with a 401 and json error details
function authAPI(req, res, next) {
@ -185,8 +217,8 @@ when.all([ghost.init(), filters.loadCoreFilters(ghost), helpers.loadCoreHelpers(
ghost.app().get(/^\/logout\/?$/, admin.logout);
ghost.app().get('/ghost/login/', admin.login);
ghost.app().get('/ghost/signup/', admin.signup);
ghost.app().post('/ghost/login/', admin.auth);
ghost.app().post('/ghost/signup/', admin.doRegister);
ghost.app().post('/ghost/login/', signupValidate, admin.auth);
ghost.app().post('/ghost/signup/', signupValidate, admin.doRegister);
ghost.app().post('/ghost/changepw/', auth, admin.changepw);
ghost.app().get('/ghost/editor/:id', auth, admin.editor);
ghost.app().get('/ghost/editor', auth, admin.editor);

View File

@ -27,7 +27,8 @@
"colors": "0.6.1",
"semver": "2.1.0",
"fs-extra": "0.6.3",
"downsize": "0.0.2"
"downsize": "0.0.2",
"validator": "1.4.0"
},
"devDependencies": {
"grunt": "~0.4.1",