test: add logic for validation criteria of change passwords scidsg#635

Fail on: Emptry Password: Old, New Short Password <18: New (Form mismatch)* Long Password >128: New (Form mismatch)* Missing Lowercase, Uppercase, Number, Symbol: New (Form mismatch)* Equality: Old, New Pass Otherwise. *(Form mismatch): The old password form validator is not as strict as the new password form validator. Eventually this should likely be addressed with a milestone transition to equalize enforcement criteria.
rmlibre · Oct 3, 2024 · 9fbfd61 · 9fbfd61
1 parent 9641811
commit 9fbfd61
Showing 1 changed file with 32 additions and 18 deletions.
diff --git a/tests/test_settings.py b/tests/test_settings.py
@@ -60,28 +60,42 @@ def test_change_username(client: FlaskClient, user: User) -> None:
 
 @pytest.mark.usefixtures("_authenticated_user")
 def test_change_password(client: FlaskClient, user: User, user_password: str) -> None:
-    new_password = user_password + "xxx"
-
     assert len(original_password_hash := user.password_hash) > 32
     assert original_password_hash.startswith("$scrypt$")
     assert user_password not in original_password_hash
 
-    response = client.post(
-        url_for("settings.change_password"),
-        data={
-            "old_password": user_password,
-            "new_password": new_password,
-        },
-        follow_redirects=True,
-    )
-    assert response.status_code == 200
-    assert "Password successfully changed. Please log in again." in response.text
-    assert "/login" in response.request.url
-    assert len(new_password_hash := user.password_hash) > 32
-    assert new_password_hash.startswith("$scrypt$")
-    assert original_password_hash not in new_password_hash
-    assert user_password not in new_password_hash
-    assert new_password not in new_password_hash
+    for new_password in [user_password, "", "aB!!", "aB3!", (33 * "aB3!")[:129], 5 * "aB3!"]:
+        response = client.post(
+            url_for("settings.change_password"),
+            data={
+                "old_password": user_password,
+                "new_password": new_password,
+            },
+            follow_redirects=True,
+        )
+        if (
+            user_password != new_password
+            and 17 < len(user_password) < 129
+            and 17 < len(new_password) < 129
+        ):
+            assert response.status_code == 200
+            assert "Password successfully changed. Please log in again." in response.text
+            assert "/login" in response.request.url
+            assert len(new_password_hash := user.password_hash) > 32
+            assert new_password_hash.startswith("$scrypt$")
+            assert original_password_hash not in new_password_hash
+            assert user_password not in new_password_hash
+            assert new_password not in new_password_hash
+        elif user_password == new_password:
+            assert "Cannot choose a repeat password." in response.text
+            assert "/settings" in response.request.url
+            assert original_password_hash == user.password_hash
+        else:
+            assert "Invalid form data. Please try again." in response.text
+            assert "/settings" in response.request.url
+            assert original_password_hash == user.password_hash
+
+    assert original_password_hash != user.password_hash
 
     # TODO simulate a log out?