Cognito - No password validation in admin_set_user_password/sign_up #5259

Closed
JorisLimousin opened this issue Jun 24, 2022 · 13 comments · Fixed by #5768
@JorisLimousin

Hi,

There is currently no password validation being performed on the admin_set_user_password function. (and I believe the same is applicable to change_password but I haven't tested it)

As you can see, the password being provided is simply just put into the variable without any checks happening: https://github.com/spulec/moto/blob/d03891e80577be85a49b61cfa686222516d753e9/moto/cognitoidp/models.py#L1786

Same for change_password here: https://github.com/spulec/moto/blob/d03891e80577be85a49b61cfa686222516d753e9/moto/cognitoidp/models.py#L1458

Passwords should be validated against the default Cognito requirements when it comes to minimum password length (>5 characters), maximum password length (<99 characters), valid characters, and against the password policy that has been configured on the user pool. (see https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-policies.html)

If validations fail, it should raise either a ClientError exception with the code InvalidPasswordException, or a ParamValidationError exception. I'm not too sure I remember in which cases one is raised over the other though.
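The checks the issue asks for, written out as a standalone validator (an added example, not moto's code or the reporter's). It uses the real Cognito `PasswordPolicy` field names (`MinimumLength`, `RequireUppercase`, `RequireLowercase`, `RequireNumbers`, `RequireSymbols`) with Cognito's defaults, the length bounds exactly as the issue states them (more than 5 and fewer than 99 characters), the special-character set from the linked AWS page, and a hypothetical `InvalidPasswordException` in place of the `ClientError` that a real client would see. It returns the list of violated rules rather than stopping at the first one, which is what a reviewer wants when checking a validator against a policy.

```python
import re

# Special characters Cognito accepts (from the AWS user-pool policy docs).
# A space that is neither leading nor trailing also counts as a symbol.
SPECIAL_CHARS = set("^$*.[]{}()?\"!@#%&/\\,><':;|_~`=+-")

# Shape of a user pool's PasswordPolicy block (real Cognito field names);
# the values are the defaults Cognito applies to a new pool.
DEFAULT_POLICY = {
    "MinimumLength": 8,
    "RequireUppercase": True,
    "RequireLowercase": True,
    "RequireNumbers": True,
    "RequireSymbols": True,
}


class InvalidPasswordException(ValueError):
    """Hypothetical stand-in for the ClientError with code InvalidPasswordException."""


def validate_password(password, policy=None):
    """Return the names of the rules `password` violates (empty list means valid).

    Rules: the hard bounds from the issue (>5 and <99 characters), printable
    ASCII only with no leading or trailing space, and the pool's policy flags.
    """
    policy = {**DEFAULT_POLICY, **(policy or {})}
    failures = []
    length = len(password)
    if not 5 < length < 99:
        failures.append("length-bounds")
    if length < policy["MinimumLength"]:
        failures.append("MinimumLength")
    # Valid characters: printable ASCII; a space may only appear inside the password.
    if password != password.strip(" ") or any(not 32 <= ord(c) < 127 for c in password):
        failures.append("invalid-characters")
    if policy["RequireUppercase"] and not re.search(r"[A-Z]", password):
        failures.append("RequireUppercase")
    if policy["RequireLowercase"] and not re.search(r"[a-z]", password):
        failures.append("RequireLowercase")
    if policy["RequireNumbers"] and not re.search(r"[0-9]", password):
        failures.append("RequireNumbers")
    # An inner space satisfies the symbol rule; leading/trailing spaces were rejected above.
    has_symbol = any(c in SPECIAL_CHARS for c in password) or " " in password.strip(" ")
    if policy["RequireSymbols"] and not has_symbol:
        failures.append("RequireSymbols")
    return failures


def enforce_password(password, policy=None):
    """Raise InvalidPasswordException naming every failed rule; return True when valid."""
    failures = validate_password(password, policy)
    if failures:
        raise InvalidPasswordException(
            "Password did not conform with policy: " + ", ".join(failures)
        )
    return True


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the issue.
    print(validate_password("Abcdef1!"))
    print(validate_password("abc"))
    relaxed = {"RequireNumbers": False, "RequireSymbols": False}
    print(validate_password("Abcdefgh", relaxed))
```

Passing a `policy` dict with only the keys you want to override mirrors how a pool's `PasswordPolicy` is merged over the defaults; a pool that has disabled the symbol and number requirements therefore accepts `Abcdefgh` while the default pool rejects it.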

@bblommers
Collaborator

Hi @JorisLimousin, will mark it as an enhancement to add validation here.

If this is something you'd like to add yourself, PRs are always welcome!

@RahiBhensdadia
Contributor

I find this interesting and I want to work on this. It would be great if I can get the approval from the owner.

@bblommers bblommers changed the title Cognito - No password validation in admin_set_user_password Cognito - No password validation in admin_set_user_password/sign_up Sep 28, 2022
@bblommers
Collaborator

Any solution to this should add the same validation to the sign_up-method - see the linked issue where this feature is requested.

@aarushisoni
Contributor

Hi, I want to contribute to this issue.

@aarushisoni
Contributor

import re
import boto3
from botocore.exceptions import ClientError

class InvalidPasswordException(Exception):
    "Raised when the password fails one of the checks below"
    pass

def admin_set_user_password(password):
    tmp = password
    lgt = len(tmp)
    print(tmp)
    try:
        # length check: more than 5 and fewer than 99 characters
        if (lgt > 5 and lgt < 99):
            flagl = True
        else:
            flagl = False
        # at least one digit (break on the first match; without the break
        # only the last character decided the flag)
        flagn = False
        for i in tmp:
            if i in "0123456789":
                flagn = True
                break
        # at least one of Cognito's special characters
        sc = "^ $ * . [ ] { } ( ) ? ! @ # % & / \\ , > < ' : ; | _ ~ ` = + -"
        flagsc = False
        for i in tmp:
            if i in sc:
                flagsc = True
                break
        # at least one upper-case letter
        flagu = False
        for i in tmp:
            if re.match('[A-Z]', i):
                flagu = True
                break
        # at least one lower-case letter
        flaglo = False
        for i in tmp:
            if re.match('[a-z]', i):
                flaglo = True
                break
        print(flagl, flagn, flagsc, flagu, flaglo)
        if (flagl and flagn and flagsc and flagu and flaglo):
            print("Password is valid")
        else:
            raise InvalidPasswordException
    #except ClientError as e:
    #    print("Exception occured", e)
    except InvalidPasswordException:
        print("Invalid password")
    except ClientError as e:
        print(e)

This is the code I drafted to check the validation of the password. Let me know whether it is correct so that I can raise a PR for this.

@bblommers
Collaborator

Thanks @aarushisoni - the logic looks correct to me. I may have some suggestions to improve things, but I'll add them to the PR itself - that's easier to review.

@aarushisoni
Contributor

I worked very hard to solve this issue.
Please let me raise the PR and also assign me this issue.

@bblommers
Collaborator

You should be able to raise a PR from your own fork. See this GitHub help page on how to do this: https://docs.github.com/en/get-started/quickstart/contributing-to-projects

We have some tips on how to setup Moto: http://docs.getmoto.org/en/latest/docs/contributing/installation.html

And, while I'm sharing links to read: if running make init gives an error, this thread might help: #5547 (comment)

@aarushisoni
Contributor

I have raised this: "Validate Password function is added" #5757. Please review it.

@aarushisoni
Contributor

I have updated the changes in the PR, kindly review.

@aarushisoni
Contributor

aarushisoni commented Dec 13, 2022

@bblommers could you please check my latest changes and let me know.

@aarushisoni
Contributor

@bblommers hi! Thank you for merging my PR. Can you please tell me by when the issue will be closed?

@bblommers
Collaborator

Done! Thanks again for contributing to Moto @aarushisoni
