From 785b0cdb71af58990eda1d412f467d59823db502 Mon Sep 17 00:00:00 2001
From: Sietse Snel
Date: Wed, 18 Oct 2023 16:38:09 +0200
Subject: [PATCH] YDA-5505: do not accept backslashes in passwords

These don't get passed correctly to the external-auth script on the provider, and therefore cause authentication to fail.
---
 yoda_eus/password_complexity.py | 3 +++
 yoda_eus/templates/web/activate.html | 4 ++++
 yoda_eus/templates/web/password-requirements.html | 2 +-
 yoda_eus/templates/web/reset-password.html | 4 ++++
 yoda_eus/tests/test_unit.py | 4 ++++
 5 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/yoda_eus/password_complexity.py b/yoda_eus/password_complexity.py
index db15905..2ab51b6 100644
--- a/yoda_eus/password_complexity.py
+++ b/yoda_eus/password_complexity.py
@@ -33,4 +33,7 @@ def check_password_complexity(password: str) -> List[str]:
 if not (any(c in string.punctuation for c in password)):
 errors.append("Password needs to contain at least one punctuation character ({})".format(string.punctuation))
+ if "\\" in password:
+ errors.append("Password must not contain backslashes.")
+
 return errors
diff --git a/yoda_eus/templates/web/activate.html b/yoda_eus/templates/web/activate.html
index d683cb2..e096ee6 100644
--- a/yoda_eus/templates/web/activate.html
+++ b/yoda_eus/templates/web/activate.html
@@ -119,6 +119,10 @@
 passwordErrors.innerHTML = 'The passwords do not match.';
 submitButton.disabled = true;
 }
+ else if ( password.includes('\\') {
+ passwordErrors.innerHTML = 'The password contains a backslash.';
+ submitButton.disabled = true;
+ }
 else {
 passwordErrors.innerHTML = '';
 submitButton.disabled = false;
diff --git a/yoda_eus/templates/web/password-requirements.html b/yoda_eus/templates/web/password-requirements.html
index aee37c9..96fdfb6 100644
--- a/yoda_eus/templates/web/password-requirements.html
+++ b/yoda_eus/templates/web/password-requirements.html
@@ -1,7 +1,7 @@
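Review bot: In `check_password_complexity` (yoda_eus/password_complexity.py), the punctuation error message directly above the new check still formats `string.punctuation`, which contains `\`, so a user is told that a backslash counts as valid punctuation while the added check rejects it. Build the advertised set without it, e.g. `allowed_punctuation = string.punctuation.replace("\\", "")`, and format that into the message instead. The commit message attributes the failure to how the password reaches the provider's external-auth script; if that is a quoting or escaping problem in the hand-off (inferred, the script is not shown), other special characters may be affected too, and fixing the hand-off would be the durable remedy with this rule kept as a stopgap. A comment such as `# Backslashes are not passed intact to the provider's external-auth script (YDA-5505)` above the check would record why the rule exists. The function body starts above the hunk.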
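Review bot: The added condition in activate.html, `else if ( password.includes('\\') {`, is missing the closing parenthesis of the `if`, which is a JavaScript syntax error; the enclosing script would fail to parse, so the existing password-mismatch check and the submit-button gating would stop working as well. It should read `else if (password.includes('\\')) {`. The diffstat lists a four-line addition to reset-password.html that is not visible here; if it carries the same line, it needs the same fix. The server-side check in `check_password_complexity` remains the enforcing control, so this affects the feedback shown in the browser rather than what the service accepts. The surrounding if/else chain starts and ends outside the hunk.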

Your password must meet the following requirements: