Skip to content
This repository has been archived by the owner on Oct 26, 2020. It is now read-only.

Require new passwords to meet security requirements. #20

Open
wants to merge 5 commits into
base: master
Choose a base branch
from
Open

Require new passwords to meet security requirements. #20

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
3f4ba82
Require new passwords to meet security requirements.
eldenseropian Apr 2, 2017
61a682d
Don't validate password if it's not required
eldenseropian Apr 2, 2017
6adb4bb
Prompt users to reset their password on login if their password does …
eldenseropian Apr 2, 2017
dc87d31
Redirect users with bad passwords to their password reset page, not t…
eldenseropian Apr 2, 2017
8f6b8c3
Don't use hard-coded routing
eldenseropian Apr 2, 2017
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions app/controllers/admin/users_controller.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,8 +11,8 @@ def update
if @user.save
redirect_to edit_user_path(@user.id), :notice => "User has been updated"
else
redirect_to({:action => "show", :id => @user.id}, {:notice => "User could not be saved"})
redirect_to({:action => "show", :id => @user.id}, {:notice => "User could not be saved. Did you fulfill the password requirements?"})
end
end
end
end
end
9 changes: 8 additions & 1 deletion app/controllers/sessions_controller.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,6 @@
class SessionsController < ApplicationController
include UsersHelper

def new
logout
end
Expand All @@ -23,7 +25,12 @@ def create
url = session[:return_to] ? session[:return_to] : root_url
url = root_url if url.include?('/login')
session[:return_to] = nil
redirect_to dashboard_url, :notice => "Logged in!"

if secure_password?(params[:session][:password])
redirect_to dashboard_url, :notice => "Logged in!"
else
redirect_to set_password_url(:token => user.token), :notice => "Password does not meet our security requirements. Please use a password at least 8 characters long, including a number and a special character ($@%^!*). Help keep Trans Lifeline safe!"
end
else
flash.now.alert = "Invalid email or password"
# log failures so we can set up alerting on account hack attempts
Expand Down
7 changes: 7 additions & 0 deletions app/controllers/users_controller.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,6 @@
class UsersController < ApplicationController
include UsersHelper

before_filter :require_login, :except => [:set_password, :save_password, :apply, :apply_thanks, :create, :unsubscribe]
before_filter :require_admin, :only => [:index, :new, :destroy, :show, :approve]

Expand Down Expand Up @@ -38,6 +40,11 @@ def set_password
end

def save_password
if not secure_password?(params[:user].slice(:password)["password"])
redirect_to set_password_url(:token => params[:token]), :notice => "Password does not meet our security requirements. Please use a password at least 8 characters long, including a number and a special character ($@%^!*). Help keep Trans Lifeline safe!"
return
end

@user = User.find_by_token(params[:token])
if @user && @user.update_attributes(params[:user].slice(:password, :password_confirmation, :phone))
@user.reload
Expand Down
15 changes: 12 additions & 3 deletions app/helpers/users_helper.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,14 +11,23 @@ def total_time_on_calls(user)
total_hours = (total_minutes / 60).to_s
left_over_minutes = (total_minutes % 60).to_s
if left_over_minutes.length == 1
left_over_minutes = "0" + left_over_minutes[0]
left_over_minutes = "0" + left_over_minutes[0]
end
formated_time = total_hours + ":" + left_over_minutes
formated_time = total_hours + ":" + left_over_minutes
return formated_time
else
return 0
end
end

end
def secure_password?(password)
special_characters = "@%!*\$\^"
password_length = 8

valid_length = password.length >= password_length
has_special_character = (/[#{special_characters}]+/ =~ password) != nil
has_number = (/[0-9]+/ =~ password) != nil

valid_length and has_special_character and has_number
end
end
1 change: 1 addition & 0 deletions app/models/user.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,7 @@ class User < ActiveRecord::Base

validates_confirmation_of :password, :unless => :no_password_required
validates_presence_of :password, :unless => :no_password_required
validates :password, :secure_password => true, :unless => :no_password_required
validates_presence_of :name
validates_uniqueness_of :email, :scope => :deleted_at
validates_uniqueness_of :phone, :scope => :deleted_at, :unless => Proc.new {|u| u.phone.blank? }
Expand Down
9 changes: 9 additions & 0 deletions lib/secure_password_validator.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
class SecurePasswordValidator < ActiveModel::EachValidator
include UsersHelper

def validate_each(record, attribute, value)
if not secure_password?(value)
record.errors[attribute] << ("Password does not meet our security requirements. Please use a password at least 8 characters long, including a number and a special character ($@%^!*).")
end
end
end
20 changes: 20 additions & 0 deletions spec/helpers/users_helper_spec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
require 'rails_helper'

RSpec.describe UsersHelper, :type => :helper do
describe "secure_password?" do
it "should be true for secure passwords" do
expect(helper.secure_password?("password1!")).to eq(true)
end

it "should be false for insecure passwords" do
# Too short
expect(helper::secure_password?("pass1!")).to eq(false)

# Missing special character
expect(helper::secure_password?("password1")).to eq(false)

# Missing number
expect(helper::secure_password?("password!")).to eq(false)
end
end
end