Merge pull request #12 from alphagov/blacklist_password

Blacklist password
2026-02-05 02:42:26 -05:00 · 2015-12-04 15:53:13 +00:00
parent 0c41605a2e 9d9b80bab7
commit abd344fc57
6 changed files with 48 additions and 2 deletions
--- a/app/main/forms.py
+++ b/app/main/forms.py
@@ -2,6 +2,8 @@ from flask_wtf import Form
 from wtforms import StringField, PasswordField
 from wtforms.validators import DataRequired, Email, Length, Regexp

+from app.main.validators import Blacklist
+

 class LoginForm(Form):
    email_address = StringField('Email address', validators=[
@@ -32,4 +34,5 @@ class RegisterUserForm(Form):
                                            Regexp(regex=mobile_number, message='Please enter a +44 mobile number')])
    password = PasswordField('Create a password',
                             validators=[DataRequired(message='Please enter your password'),
-                                         Length(10, 255, message='Password must be at least 10 characters')])
+                                         Length(10, 255, message='Password must be at least 10 characters'),
+                                         Blacklist(message='That password is blacklisted, too common')])
--- a/app/main/validators.py
+++ b/app/main/validators.py
@@ -0,0 +1,12 @@
+from wtforms import ValidationError
+
+
+class Blacklist(object):
+    def __init__(self, message=None):
+        if not message:
+            message = 'Password is blacklisted.'
+        self.message = message
+
+    def __call__(self, form, field):
+        if field.data in ['password1234', 'passw0rd1234']:
+            raise ValidationError(self.message)
--- a/app/main/views/register.py
+++ b/app/main/views/register.py
@@ -1,6 +1,7 @@
 from datetime import datetime

 from flask import render_template, redirect, jsonify
+from flask_login import login_user

 from app.main import main
 from app.main.dao import users_dao
@@ -26,8 +27,9 @@ def process_register():
                    role_id=1)
        try:
            users_dao.insert_user(user)
+            login_user(user)
            return redirect('/two-factor')
        except Exception as e:
-            return jsonify(database_error='encountered database error'), 400
+            return jsonify(database_error=e.message), 400
    else:
        return jsonify(form.errors), 400