Merge pull request #276 from supertokens/passwordPlolicyOnUpdate

feat: optional password validation in updateEmailOrPassword

Author: rishabhpoddar

CHANGELOG.md

@@ -7,6 +7,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [unreleased]
 
+## [0.12.0] - 2023-05-03
+- added optional password policy check in `updateEmailOrPassword`
+
 ## [0.11.0] - 2023-04-28
 - Added missing arguments in `GetUsersNewestFirst` and `GetUsersOldestFirst`
 

recipe/dashboard/api/userdetails/userPut.go

@@ -74,7 +74,7 @@ func updateEmailForRecipeId(recipeId string, userId string, email string) (updat
 			}, nil
 		}
 
-		updateResponse, err := emailpassword.UpdateEmailOrPassword(userId, &email, nil)
+		updateResponse, err := emailpassword.UpdateEmailOrPassword(userId, &email, nil, nil)
 
 		if err != nil {
 			return updateEmailResponse{}, err
@@ -113,7 +113,7 @@ func updateEmailForRecipeId(recipeId string, userId string, email string) (updat
 			}, nil
 		}
 
-		updateResponse, err := thirdpartyemailpassword.UpdateEmailOrPassword(userId, &email, nil)
+		updateResponse, err := thirdpartyemailpassword.UpdateEmailOrPassword(userId, &email, nil, nil)
 
 		if err != nil {
 			return updateEmailResponse{}, err

recipe/emailpassword/authFlow_test.go

@@ -35,7 +35,7 @@ import (
 	"github.com/supertokens/supertokens-golang/test/unittesting"
 )
 
-//SigninFeature Tests
+// SigninFeature Tests
 func TestDisablingAPIDefaultSigninDoesNotWork(t *testing.T) {
 	configValue := supertokens.TypeInput{
 		Supertokens: &supertokens.ConnectionInfo{
@@ -1234,7 +1234,7 @@ func TestHandlePostSignInFunction(t *testing.T) {
 
 }
 
-//Signout Feature tests
+// Signout Feature tests
 func TestDefaultSignoutRouteRevokesSession(t *testing.T) {
 	customAntiCsrfVal := "VIA_TOKEN"
 	configValue := supertokens.TypeInput{
@@ -1474,7 +1474,7 @@ func TestSignoutAPIreturnsTryRefreshTokenAndSignoutShouldReturnOK(t *testing.T)
 	assert.Equal(t, "", cookieData2["refreshTokenDomain"])
 }
 
-//Signup Feature tests
+// Signup Feature tests
 func TestDisablingAPIDefaultSignUpDoesNotWork(t *testing.T) {
 	configValue := supertokens.TypeInput{
 		Supertokens: &supertokens.ConnectionInfo{

recipe/emailpassword/ep_userIdMapping_test.go

@@ -188,7 +188,7 @@ func TestCreateUserIdMappingUpdateEmailPassword(t *testing.T) {
 
 	newEmail := "email@example.com"
 	newPass := "newpass123"
-	updateResp, err := UpdateEmailOrPassword(externalUserId, &newEmail, &newPass)
+	updateResp, err := UpdateEmailOrPassword(externalUserId, &newEmail, &newPass, nil)
 	assert.NoError(t, err)
 	assert.NotNil(t, updateResp.OK)
 

recipe/emailpassword/epmodels/recipeInterface.go

@@ -24,7 +24,7 @@ type RecipeInterface struct {
 	GetUserByEmail           *func(email string, userContext supertokens.UserContext) (*User, error)
 	CreateResetPasswordToken *func(userID string, userContext supertokens.UserContext) (CreateResetPasswordTokenResponse, error)
 	ResetPasswordUsingToken  *func(token string, newPassword string, userContext supertokens.UserContext) (ResetPasswordUsingTokenResponse, error)
-	UpdateEmailOrPassword    *func(userId string, email *string, password *string, userContext supertokens.UserContext) (UpdateEmailOrPasswordResponse, error)
+	UpdateEmailOrPassword    *func(userId string, email *string, password *string, applyPasswordPolicy *bool, userContext supertokens.UserContext) (UpdateEmailOrPasswordResponse, error)
 }
 
 type SignUpResponse struct {
@@ -56,7 +56,12 @@ type ResetPasswordUsingTokenResponse struct {
 }
 
 type UpdateEmailOrPasswordResponse struct {
-	OK                      *struct{}
-	UnknownUserIdError      *struct{}
-	EmailAlreadyExistsError *struct{}
+	OK                          *struct{}
+	UnknownUserIdError          *struct{}
+	EmailAlreadyExistsError     *struct{}
+	PasswordPolicyViolatedError *PasswordPolicyViolatedError
+}
+
+type PasswordPolicyViolatedError struct {
+	FailureReason string
 }

recipe/emailpassword/main.go

@@ -74,12 +74,12 @@ func ResetPasswordUsingTokenWithContext(token string, newPassword string, userCo
 	return (*instance.RecipeImpl.ResetPasswordUsingToken)(token, newPassword, userContext)
 }
 
-func UpdateEmailOrPasswordWithContext(userId string, email *string, password *string, userContext supertokens.UserContext) (epmodels.UpdateEmailOrPasswordResponse, error) {
+func UpdateEmailOrPasswordWithContext(userId string, email *string, password *string, applyPasswordPolicy *bool, userContext supertokens.UserContext) (epmodels.UpdateEmailOrPasswordResponse, error) {
 	instance, err := GetRecipeInstanceOrThrowError()
 	if err != nil {
 		return epmodels.UpdateEmailOrPasswordResponse{}, nil
 	}
-	return (*instance.RecipeImpl.UpdateEmailOrPassword)(userId, email, password, userContext)
+	return (*instance.RecipeImpl.UpdateEmailOrPassword)(userId, email, password, applyPasswordPolicy, userContext)
 }
 
 func SendEmailWithContext(input emaildelivery.EmailType, userContext supertokens.UserContext) error {
@@ -114,8 +114,8 @@ func ResetPasswordUsingToken(token string, newPassword string) (epmodels.ResetPa
 	return ResetPasswordUsingTokenWithContext(token, newPassword, &map[string]interface{}{})
 }
 
-func UpdateEmailOrPassword(userId string, email *string, password *string) (epmodels.UpdateEmailOrPasswordResponse, error) {
-	return UpdateEmailOrPasswordWithContext(userId, email, password, &map[string]interface{}{})
+func UpdateEmailOrPassword(userId string, email *string, password *string, applyPasswordPolicy *bool) (epmodels.UpdateEmailOrPasswordResponse, error) {
+	return UpdateEmailOrPasswordWithContext(userId, email, password, applyPasswordPolicy, &map[string]interface{}{})
 }
 
 func SendEmail(input emaildelivery.EmailType) error {

recipe/emailpassword/recipe.go

@@ -53,7 +53,10 @@ func MakeRecipe(recipeId string, appInfo supertokens.NormalisedAppinfo, config *
 	verifiedConfig := validateAndNormaliseUserInput(r, appInfo, config)
 	r.Config = verifiedConfig
 	r.APIImpl = verifiedConfig.Override.APIs(api.MakeAPIImplementation())
-	r.RecipeImpl = verifiedConfig.Override.Functions(MakeRecipeImplementation(*querierInstance))
+	var getEmailPasswordConfig = func() epmodels.TypeNormalisedInput {
+		return verifiedConfig
+	}
+	r.RecipeImpl = verifiedConfig.Override.Functions(MakeRecipeImplementation(*querierInstance, getEmailPasswordConfig))
 
 	if emailDeliveryIngredient != nil {
 		r.EmailDelivery = *emailDeliveryIngredient

recipe/emailpassword/recipeImplementation.go

@@ -20,7 +20,7 @@ import (
 	"github.com/supertokens/supertokens-golang/supertokens"
 )
 
-func MakeRecipeImplementation(querier supertokens.Querier) epmodels.RecipeInterface {
+func MakeRecipeImplementation(querier supertokens.Querier, getEmailPasswordConfig func() epmodels.TypeNormalisedInput) epmodels.RecipeInterface {
 	signUp := func(email, password string, userContext supertokens.UserContext) (epmodels.SignUpResponse, error) {
 		response, err := querier.SendPostRequest("/recipe/signup", map[string]interface{}{
 			"email":    email,
@@ -158,14 +158,28 @@ func MakeRecipeImplementation(querier supertokens.Querier) epmodels.RecipeInterf
 		}
 	}
 
-	updateEmailOrPassword := func(userId string, email, password *string, userContext supertokens.UserContext) (epmodels.UpdateEmailOrPasswordResponse, error) {
+	updateEmailOrPassword := func(userId string, email, password *string, applyPasswordPolicy *bool, userContext supertokens.UserContext) (epmodels.UpdateEmailOrPasswordResponse, error) {
 		requestBody := map[string]interface{}{
 			"userId": userId,
 		}
 		if email != nil {
 			requestBody["email"] = email
 		}
 		if password != nil {
+			if applyPasswordPolicy == nil || *applyPasswordPolicy {
+				formFields := getEmailPasswordConfig().SignUpFeature.FormFields
+				for i := range formFields {
+					if formFields[i].ID == "password" {
+						err := formFields[i].Validate(*password)
+						if err != nil {
+							errResponse := epmodels.PasswordPolicyViolatedError{
+								FailureReason: *err,
+							}
+							return epmodels.UpdateEmailOrPasswordResponse{PasswordPolicyViolatedError: &errResponse}, nil
+						}
+					}
+				}
+			}
 			requestBody["password"] = password
 		}
 		response, err := querier.SendPutRequest("/recipe/user", requestBody)

recipe/emailpassword/updateEmailPass_test.go

@@ -98,10 +98,9 @@ func TestUpdateEmailPass(t *testing.T) {
 	}
 
 	email := "test2@gmail.com"
-	password := "testPass"
-
-	UpdateEmailOrPassword(data["user"].(map[string]interface{})["id"].(string), &email, &password)
+	password := "testPass1"
 
+	UpdateEmailOrPassword(data["user"].(map[string]interface{})["id"].(string), &email, &password, nil)
 	res1, err := unittesting.SignInRequest("testrandom@gmail.com", "validpass123", testServer.URL)
 
 	if err != nil {
@@ -140,6 +139,96 @@ func TestUpdateEmailPass(t *testing.T) {
 
 	assert.Equal(t, "OK", data2["status"])
 	assert.Equal(t, email, data2["user"].(map[string]interface{})["email"])
+
+	password = "test"
+	applyPasswordPolicy := true
+	res3, err := UpdateEmailOrPassword(data["user"].(map[string]interface{})["id"].(string), &email, &password, &applyPasswordPolicy)
+	assert.NotNil(t, res3.PasswordPolicyViolatedError)
+	assert.Equal(t, "Password must contain at least 8 characters, including a number", res3.PasswordPolicyViolatedError.FailureReason)
+}
+
+func TestUpdateEmailPassWithCustomValidator(t *testing.T) {
+	configValue := supertokens.TypeInput{
+		Supertokens: &supertokens.ConnectionInfo{
+			ConnectionURI: "http://localhost:8080",
+		},
+		AppInfo: supertokens.AppInfo{
+			APIDomain:     "api.supertokens.io",
+			AppName:       "SuperTokens",
+			WebsiteDomain: "supertokens.io",
+		},
+		RecipeList: []supertokens.Recipe{
+			Init(&epmodels.TypeInput{SignUpFeature: &epmodels.TypeInputSignUp{FormFields: []epmodels.TypeInputFormField{
+				{
+					ID: "password",
+					Validate: func(value interface{}) *string {
+						if len(value.(string)) > 5 {
+							return nil
+						}
+						err := "Password length must be more than 5 characters"
+						return &err
+					},
+				},
+			}}}),
+			session.Init(&sessmodels.TypeInput{
+				GetTokenTransferMethod: func(req *http.Request, forCreateNewSession bool, userContext supertokens.UserContext) sessmodels.TokenTransferMethod {
+					return sessmodels.CookieTransferMethod
+				},
+			}),
+		},
+	}
+
+	BeforeEach()
+	unittesting.StartUpST("localhost", "8080")
+	defer AfterEach()
+	err := supertokens.Init(configValue)
+	if err != nil {
+		t.Error(err.Error())
+	}
+	querier, err := supertokens.GetNewQuerierInstanceOrThrowError("")
+	if err != nil {
+		t.Error(err.Error())
+	}
+	cdiVersion, err := querier.GetQuerierAPIVersion()
+	if err != nil {
+		t.Error(err.Error())
+	}
+	if unittesting.MaxVersion("2.7", cdiVersion) == "2.7" {
+		return
+	}
+	mux := http.NewServeMux()
+	testServer := httptest.NewServer(supertokens.Middleware(mux))
+	defer testServer.Close()
+
+	_, err = unittesting.SignupRequest("testrandom@gmail.com", "validpass123", testServer.URL)
+	if err != nil {
+		t.Error(err.Error())
+	}
+
+	res, err := unittesting.SignInRequest("testrandom@gmail.com", "validpass123", testServer.URL)
+
+	if err != nil {
+		t.Error(err.Error())
+	}
+	dataInBytes, err := io.ReadAll(res.Body)
+	if err != nil {
+		t.Error(err.Error())
+	}
+	res.Body.Close()
+
+	var data map[string]interface{}
+	err = json.Unmarshal(dataInBytes, &data)
+	if err != nil {
+		t.Error(err.Error())
+	}
+
+	email := "testrandom@gmail.com"
+	password := "test"
+
+	res1, err := UpdateEmailOrPassword(data["user"].(map[string]interface{})["id"].(string), &email, &password, nil)
+	assert.NotNil(t, res1.PasswordPolicyViolatedError)
+	assert.Equal(t, "Password length must be more than 5 characters", res1.PasswordPolicyViolatedError.FailureReason)
+
 }
 
 func TestAPICustomResponse(t *testing.T) {

recipe/thirdpartyemailpassword/main.go

@@ -91,12 +91,12 @@ func ResetPasswordUsingTokenWithContext(token, newPassword string, userContext s
 	return (*instance.RecipeImpl.ResetPasswordUsingToken)(token, newPassword, userContext)
 }
 
-func UpdateEmailOrPasswordWithContext(userId string, email *string, password *string, userContext supertokens.UserContext) (epmodels.UpdateEmailOrPasswordResponse, error) {
+func UpdateEmailOrPasswordWithContext(userId string, email *string, password *string, applyPasswordPolicy *bool, userContext supertokens.UserContext) (epmodels.UpdateEmailOrPasswordResponse, error) {
 	instance, err := GetRecipeInstanceOrThrowError()
 	if err != nil {
 		return epmodels.UpdateEmailOrPasswordResponse{}, err
 	}
-	return (*instance.RecipeImpl.UpdateEmailOrPassword)(userId, email, password, userContext)
+	return (*instance.RecipeImpl.UpdateEmailOrPassword)(userId, email, password, applyPasswordPolicy, userContext)
 }
 
 func SendEmailWithContext(input emaildelivery.EmailType, userContext supertokens.UserContext) error {
@@ -139,8 +139,8 @@ func ResetPasswordUsingToken(token, newPassword string) (epmodels.ResetPasswordU
 	return ResetPasswordUsingTokenWithContext(token, newPassword, &map[string]interface{}{})
 }
 
-func UpdateEmailOrPassword(userId string, email *string, password *string) (epmodels.UpdateEmailOrPasswordResponse, error) {
-	return UpdateEmailOrPasswordWithContext(userId, email, password, &map[string]interface{}{})
+func UpdateEmailOrPassword(userId string, email *string, password *string, applyPasswordPolicy *bool) (epmodels.UpdateEmailOrPasswordResponse, error) {
+	return UpdateEmailOrPasswordWithContext(userId, email, password, applyPasswordPolicy, &map[string]interface{}{})
 }
 
 func SendEmail(input emaildelivery.EmailType) error {