mirror of
https://github.com/TryGhost/Ghost.git
synced 2025-01-05 09:50:34 +03:00
c8cbbc4eb6
refs #9150 - Moves the password length fn from `models/user` to `data/validation` where the other validator functions live. - Added password validation rules. Password rules added: - Disallow obviously bad passwords: '1234567890', 'qwertyuiop', 'asdfghjkl;' and 'asdfghjklm' for example - Disallow passwords that contain the words 'password' or 'ghost' - Disallow passwords that match the user's email address - Disallow passwords that match the blog domain or blog title - Disallow passwords that include 50% or more of the same characters: 'aaaaaaaaaa', '1111111111' and 'ababababab' for example. - Password validation returns an `Object` now, that includes an `isValid` and `message` property to differentiate between the two error messages (password too short or password insecure). - Use a catch predicate in `api/authentication` on `passwordReset`, so the correct `ValidationError` will be thrown during the password reset flow rather then an `UnauthorizedError`. - When in setup flow, the blog title is not available yet from `settingsCache`. We therefore supply it from the received form data in the user model `setup` method to have it accessible for the validation.
40 lines
1.7 KiB
JavaScript
40 lines
1.7 KiB
JavaScript
var should = require('should'),
|
|
|
|
validation = require('../../server/data/validation');
|
|
|
|
// Validate our customisations
|
|
describe('Validation', function () {
|
|
it('should export our required functions', function () {
|
|
should.exist(validation);
|
|
|
|
validation.should.have.properties(
|
|
['validate', 'validator', 'validateSchema', 'validateSettings']
|
|
);
|
|
|
|
validation.validate.should.be.a.Function();
|
|
validation.validatePassword.should.be.a.Function();
|
|
validation.validateSchema.should.be.a.Function();
|
|
validation.validateSettings.should.be.a.Function();
|
|
|
|
validation.validator.should.have.properties(['empty', 'notContains', 'isTimezone', 'isEmptyOrURL', 'isSlug']);
|
|
});
|
|
|
|
describe('Validator customisations', function () {
|
|
var validator = validation.validator;
|
|
|
|
it('isEmptyOrUrl filters javascript urls', function () {
|
|
/*jshint scripturl:true */
|
|
validator.isEmptyOrURL('javascript:alert(0)').should.be.false();
|
|
validator.isEmptyOrURL('http://example.com/lol/<script>lalala</script>/').should.be.false();
|
|
validator.isEmptyOrURL('http://example.com/lol?somequery=<script>lalala</script>').should.be.false();
|
|
/*jshint scripturl:false */
|
|
validator.isEmptyOrURL('').should.be.true();
|
|
validator.isEmptyOrURL('http://localhost:2368').should.be.true();
|
|
validator.isEmptyOrURL('http://example.com/test/').should.be.true();
|
|
validator.isEmptyOrURL('http://www.example.com/test/').should.be.true();
|
|
validator.isEmptyOrURL('http://example.com/foo?somequery=bar').should.be.true();
|
|
validator.isEmptyOrURL('example.com/test/').should.be.true();
|
|
});
|
|
});
|
|
});
|