enforce new passwords (not current one again) on pwd reset links

apache · Jan 2, 2025 · fc9d528 · fc9d528
1 parent e50160c
commit fc9d528
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 2 deletions.
diff --git a/Allura/allura/controllers/auth.py b/Allura/allura/controllers/auth.py
@@ -167,7 +167,7 @@ def create_account(self, **kw):
         c.form = F.registration_form
         return dict()
 
-    def _validate_hash(self, hash):
+    def _validate_hash(self, hash) -> M.User:
         login_url = config.get('auth.login_url', '/auth/')
         if not hash:
             redirect(login_url)
@@ -206,7 +206,12 @@ def set_new_password(self, hash=None, pw=None, pw2=None):
         if not provider.forgotten_password_process:
             raise wexc.HTTPNotFound()
         user = self._validate_hash(hash)
-        enforce_hibp_password_check(provider, pw, f'/auth/forgotten_password/{hash}')
+        restart_url = f'/auth/forgotten_password/{hash}'
+        enforce_hibp_password_check(provider, pw, restart_url)
+
+        if provider._validate_password(user, pw):
+            flash('Your old and new password should not be the same', 'error')
+            redirect(restart_url)
 
         user.set_password(pw)
         user.set_tool_data('AuthPasswordReset', hash='', hash_expiry='')  # Clear password reset token

diff --git a/Allura/allura/tests/functional/test_auth.py b/Allura/allura/tests/functional/test_auth.py
@@ -1743,6 +1743,17 @@ def test_password_reset(self, gen_message_id, sendsimplemail):
         assert 'New Password:' in r
         assert 'New Password (again):' in r
         form = r.forms[0]
+        form['pw'] = form['pw2'] = 'foo'  # old password
+        with h.push_config(config, **{'auth.min_password_len': 3}):
+            r = form.submit()
+        print(r)
+        if r.status == 200:
+            assert [] == r.html.findAll(attrs={'class': 'fielderror'})
+        assert 'Your old and new password should not be the same' in self.webflash(r)
+        r = r.follow()
+
+        # fill it out correctly
+        form = r.forms[0]
         form['pw'] = form['pw2'] = new_password = '154321'
         with td.audits(r'Password changed \(through recovery process\)', user=True):
             # escape parentheses, so they would not be treated as regex group