Fix password field things (#5884)

keystonejs · Jun 9, 2021 · 2e3a1ec · 2e3a1ec · vercel · Jun 9, 2021
1 parent cf8825b
commit 2e3a1ec
Show file tree

Hide file tree

Showing 3 changed files with 56 additions and 2 deletions.
diff --git a/docs/pages/apis/fields.mdx b/docs/pages/apis/fields.mdx
@@ -296,6 +296,7 @@ Options:
 
 - `isRequired` (default: `false`): If `true` then this field can never be set to `null`.
 - `minLength` (default: `8`): The minimum length password accepted.
+- `rejectCommon` (default: `false`): Rejects passwords from a list of commonly used passwords.
 - `bcrypt` (default: `require('bcryptjs')`): A module which implements the same interface as the [`bcryptjs`](https://www.npmjs.com/package/bcryptjs) package, such as the native [`bcrypt`](https://www.npmjs.com/package/bcrypt) package.
   This module will be used for all encryption routines in the `password` field.
 
@@ -310,6 +311,7 @@ export default config({
         fieldName: password({
           isRequired: true,
           minLength: 10,
+          rejectCommon: true,
           bcrypt: require('bcrypt'),
         }),
         /* ... */

diff --git a/packages-next/fields/src/types/password/index.ts b/packages-next/fields/src/types/password/index.ts
@@ -7,6 +7,8 @@ import {
   schema,
 } from '@keystone-next/types';
 import bcryptjs from 'bcryptjs';
+// @ts-ignore
+import dumbPasswords from 'dumb-passwords';
 import { resolveView } from '../../resolve-view';
 
 type PasswordFieldConfig<TGeneratedListTypes extends BaseGeneratedListTypes> =
@@ -19,6 +21,7 @@ type PasswordFieldConfig<TGeneratedListTypes extends BaseGeneratedListTypes> =
      * @default 10
      */
     workFactor?: number;
+    rejectCommon?: boolean;
     bcrypt?: Pick<typeof import('bcryptjs'), 'compare' | 'compareSync' | 'hash' | 'hashSync'>;
     defaultValue?: FieldDefaultValue<string, TGeneratedListTypes>;
     isRequired?: boolean;
@@ -38,6 +41,7 @@ export const password =
     bcrypt = bcryptjs,
     minLength = 8,
     workFactor = 10,
+    rejectCommon = false,
     isRequired,
     defaultValue,
     ...config
@@ -58,7 +62,18 @@ export const password =
         return null;
       }
       if (typeof val === 'string') {
-        return bcrypt.hash(val, 10);
+        if (rejectCommon && dumbPasswords.check(val)) {
+          throw new Error(
+            `[password:rejectCommon:${meta.listKey}:${meta.fieldKey}] Common and frequently-used passwords are not allowed.`
+          );
+        }
+        if (val.length < minLength) {
+          throw new Error(
+            `[password:minLength:${meta.listKey}:${meta.fieldKey}] Value must be at least ${minLength} characters long.`
+          );
+        }
+
+        return bcrypt.hash(val, workFactor);
       }
       return val;
     }

diff --git a/packages-next/fields/src/types/password/tests/test-fixtures.ts b/packages-next/fields/src/types/password/tests/test-fixtures.ts
@@ -11,7 +11,11 @@ export const subfieldName = 'isSet';
 export const skipCreateTest = true;
 export const skipUpdateTest = true;
 
-export const getTestFields = () => ({ name: text(), password: password({ minLength: 4 }) });
+export const getTestFields = () => ({
+  name: text(),
+  password: password({ minLength: 4 }),
+  passwordRejectCommon: password({ rejectCommon: true }),
+});
 
 export const initItems = () => {
   return [
@@ -36,3 +40,36 @@ export const storedValues = () => [
 ];
 
 export const supportedFilters = () => ['isSet'];
+
+export const crudTests = (keystoneTestWrapper: any) => {
+  test(
+    'setting a password below the minLength fails',
+    keystoneTestWrapper(async ({ context }: { context: any }) => {
+      await expect(
+        context.lists.Test.createOne({
+          data: { password: '123' },
+        })
+      ).rejects.toMatchInlineSnapshot(
+        `[GraphQLError: [password:minLength:Test:password] Value must be at least 4 characters long.]`
+      );
+    })
+  );
+  test(
+    'setting a common password fails',
+    keystoneTestWrapper(async ({ context }: { context: any }) => {
+      await expect(
+        context.lists.Test.createOne({
+          data: { passwordRejectCommon: 'password' },
+          query: ``,
+        })
+      ).rejects.toMatchInlineSnapshot(
+        `[GraphQLError: [password:rejectCommon:Test:passwordRejectCommon] Common and frequently-used passwords are not allowed.]`
+      );
+      const data = await context.lists.Test.createOne({
+        data: { passwordRejectCommon: 'sdfinwedvhweqfoiuwdfnvjiewrijnf' },
+        query: `passwordRejectCommon {isSet}`,
+      });
+      expect(data.passwordRejectCommon.isSet).toBe(true);
+    })
+  );
+};