Don't allow blank passwords on the password change endpoint; closes #2750

2020-11-29 13:28:46 -08:00 · 2020-11-29 13:28:46 -08:00 · 7ebe04fb91
commit 7ebe04fb91
parent 16f49f8dc1
2 changed files with 26 additions and 4 deletions
--- a/app/Http/Requests/Api/Client/Account/UpdatePasswordRequest.php
+++ b/app/Http/Requests/Api/Client/Account/UpdatePasswordRequest.php
@ -2,7 +2,6 @@

 namespace Pterodactyl\Http\Requests\Api\Client\Account;

-use Pterodactyl\Models\User;
 use Pterodactyl\Http\Requests\Api\Client\ClientApiRequest;
 use Pterodactyl\Exceptions\Http\Base\InvalidPasswordProvidedException;

@ -32,8 +31,8 @@ class UpdatePasswordRequest extends ClientApiRequest
     */
    public function rules(): array
    {
-        $rules = User::getRulesForUpdate($this->user());
-
-        return ['password' => array_merge($rules['password'], ['confirmed'])];
+        return [
+            'password' => ['required', 'string', 'confirmed', 'min:8'],
+        ];
    }
 }
--- a/tests/Integration/Api/Client/AccountControllerTest.php
+++ b/tests/Integration/Api/Client/AccountControllerTest.php
@ -140,6 +140,29 @@ class AccountControllerTest extends ClientApiIntegrationTestCase
        $response->assertJsonPath('errors.0.detail', 'The password provided was invalid for this account.');
    }

+    /**
+     * Test that a validation error is returned to the user if no password is provided or if
+     * the password is below the minimum password length.
+     */
+    public function testErrorIsReturnedForInvalidRequestData()
+    {
+        $user = factory(User::class)->create();
+
+        $this->actingAs($user)->putJson('/api/client/account/password', [
+            'current_password' => 'password',
+        ])
+            ->assertStatus(Response::HTTP_UNPROCESSABLE_ENTITY)
+            ->assertJsonPath('errors.0.meta.rule', 'required');
+
+        $this->actingAs($user)->putJson('/api/client/account/password', [
+            'current_password' => 'password',
+            'password' => 'pass',
+            'password_confirmation' => 'pass',
+        ])
+            ->assertStatus(Response::HTTP_UNPROCESSABLE_ENTITY)
+            ->assertJsonPath('errors.0.meta.rule', 'min');
+    }
+
    /**
     * Test that a validation error is returned if the password passed in the request
     * does not have a confirmation, or the confirmation is not the same as the password.