From c3a881c4a6ba3e66ba93a139202dfc05fa47cc79 Mon Sep 17 00:00:00 2001
From: Sietse Snel
Date: Wed, 18 Oct 2023 16:38:09 +0200
Subject: [PATCH] YDA-5505: do not accept backslashes in passwords

These don't get passed correctly to the external-auth script on the provider, and therefore cause authentication to fail.
---
 yoda_eus/password_complexity.py | 3 +++
 yoda_eus/templates/web/activate.html | 4 ++++
 yoda_eus/templates/web/password-requirements.html | 2 +-
 yoda_eus/templates/web/reset-password.html | 4 ++++
 yoda_eus/tests/test_integration.py | 2 +-
 yoda_eus/tests/test_unit.py | 4 ++++
 6 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/yoda_eus/password_complexity.py b/yoda_eus/password_complexity.py
index db15905..2ab51b6 100644
--- a/yoda_eus/password_complexity.py
+++ b/yoda_eus/password_complexity.py
@@ -33,4 +33,7 @@ def check_password_complexity(password: str) -> List[str]:
 if not (any(c in string.punctuation for c in password)):
 errors.append("Password needs to contain at least one punctuation character ({})".format(string.punctuation))

+ if "\\" in password:
+ errors.append("Password must not contain backslashes.")
+
 return errors
diff --git a/yoda_eus/templates/web/activate.html b/yoda_eus/templates/web/activate.html
index d683cb2..feb6db2 100644
--- a/yoda_eus/templates/web/activate.html
+++ b/yoda_eus/templates/web/activate.html
@@ -111,6 +111,10 @@
 passwordErrors.innerHTML = 'The password needs to contain an uppercase letter, lowercase letter, number and punctuation character.';
 submitButton.disabled = true;
 }
+ else if ( password1Input.value.indexOf('\\') > -1 ) {
+ passwordErrors.innerHTML = 'The password contains a backslash.';
+ submitButton.disabled = true;
+ }
 else if ( password2Input.value.trim().length == 0 ) {
 passwordErrors.innerHTML = 'Please enter the password again.';
 submitButton.disabled = true;
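Review bot: The punctuation message on the context line above the new check still formats `string.punctuation`, which includes `\`, so a user is told a backslash satisfies the rule and then has it rejected by the added `if "\\" in password:` branch. Derive the advertised set once, e.g. `allowed = string.punctuation.replace("\\", "")`, and use `allowed` in both the `any(...)` test and the message. The commit message attributes the restriction to the hand-off to the external-auth script, so a comment such as `# Backslashes are not passed intact to the provider's external-auth script (YDA-5505)` would keep it from being read as a complexity rule; whether other accepted punctuation survives that hand-off cannot be told from this hunk and is worth confirming. check_password_complexity begins outside the hunk.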
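Review bot: The new `else if` branch reports 'The password contains a backslash.', which states a fact rather than the rule and differs from the server-side text "Password must not contain backslashes." added in password_complexity.py; `passwordErrors.innerHTML = 'The password must not contain a backslash.';` would keep the two consistent. The assigned string is a constant, so `innerHTML` carries no injection risk here, but `textContent` would be the safer habit for these messages. This browser-side branch is a convenience only; enforcement rests on the server-side check added in the same commit. The surrounding if/else chain starts and ends outside the hunk.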
diff --git a/yoda_eus/templates/web/password-requirements.html b/yoda_eus/templates/web/password-requirements.html
index aee37c9..96fdfb6 100644
--- a/yoda_eus/templates/web/password-requirements.html
+++ b/yoda_eus/templates/web/password-requirements.html
@@ -1,7 +1,7 @@

Your password must meet the following requirements: