closes #4041

9 years ago · 005db18120
parent 2ef42e79ec
commit 005db18120
6 changed files with 62 additions and 55 deletions
--- a/public/language/en_GB/error.json
+++ b/public/language/en_GB/error.json
@ -30,6 +30,7 @@

 	"username-too-short": "Username too short",
 	"username-too-long": "Username too long",
+	"password-too-long": "Password too long",

 	"user-banned": "User banned",
 	"user-too-new": "Sorry, you are required to wait %1 second(s) before making your first post",
--- a/src/controllers/authentication.js
+++ b/src/controllers/authentication.js
@ -216,14 +216,17 @@ function continueLogin(req, res, next) {
 }

 authenticationController.localLogin = function(req, username, password, next) {
-	if (!username || !password) {
-		return next(new Error('[[error:invalid-password]]'));
+	if (!username) {
+		return next(new Error('[[error:invalid-username]]'));
 	}

 	var userslug = utils.slugify(username);
 	var uid, userData = {};

 	async.waterfall([
+		function (next) {
+			user.isPasswordValid(password, next);
+		},
 		function (next) {
 			user.getUidByUserslug(userslug, next);
 		},
--- a/src/socket.io/user/profile.js
+++ b/src/socket.io/user/profile.js
@ -74,7 +74,7 @@ module.exports = function(SocketUser) {
 	}

 	SocketUser.changePassword = function(socket, data, callback) {
-		if (!data || !data.uid || data.newPassword.length < meta.config.minimumPasswordLength) {
+		if (!data || !data.uid) {
 			return callback(new Error('[[error:invalid-data]]'));
 		}
 		if (!socket.uid) {
--- a/src/user/create.js
+++ b/src/user/create.js
@ -185,6 +185,11 @@ module.exports = function(User) {
 		if (password.length < meta.config.minimumPasswordLength) {
 			return callback(new Error('[[user:change_password_error_length]]'));
 		}
+
+		if (password.length > 4096) {
+			return callback(new Error('[[error:password-too-long]]'));
+		}
+
 		callback();
 	};

--- a/src/user/password.js
+++ b/src/user/password.js
@ -1,5 +1,6 @@
 'use strict';

+var async = require('async');
 var nconf = require('nconf');

 var db = require('../database');
@ -16,13 +17,21 @@ module.exports = function(User) {
 	};

 	User.isPasswordCorrect = function(uid, password, callback) {
-		db.getObjectField('user:' + uid, 'password', function(err, hashedPassword) {
-			if (err || !hashedPassword) {
-				return callback(err);
+		password = password || '';
+		async.waterfall([
+			function (next) {
+				User.isPasswordValid(password, next);
+			},
+			function (next) {
+				db.getObjectField('user:' + uid, 'password', next);
+			},
+			function (hashedPassword, next) {
+				if (!hashedPassword) {
+					return callback();
 				}
-
-			Password.compare(password || '', hashedPassword, callback);
-		});
+				Password.compare(password, hashedPassword, next);
+			}
+		], callback);
 	};

 	User.hasPassword = function(uid, callback) {
--- a/src/user/profile.js
+++ b/src/user/profile.js
@ -1,17 +1,13 @@

 'use strict';

-var async = require('async'),
-	validator = require('validator'),
-	url = require('url'),
-	S = require('string'),
-
-	utils = require('../../public/src/utils'),
-	meta = require('../meta'),
-	events = require('../events'),
-	db = require('../database'),
-	Password = require('../password'),
-	plugins = require('../plugins');
+var async = require('async');
+var S = require('string');
+
+var utils = require('../../public/src/utils');
+var meta = require('../meta');
+var db = require('../database');
+var plugins = require('../plugins');

 module.exports = function(User) {

@ -246,39 +242,32 @@ module.exports = function(User) {
 			return callback(new Error('[[error:invalid-uid]]'));
 		}

-		function hashAndSetPassword(callback) {
-			User.hashPassword(data.newPassword, function(err, hash) {
-				if (err) {
-					return callback(err);
-				}
-
-				async.parallel([
-					async.apply(User.setUserField, data.uid, 'password', hash),
-					async.apply(User.reset.updateExpiry, data.uid)
-				], callback);
-			});
-		}
-
-		if (!utils.isPasswordValid(data.newPassword)) {
-			return callback(new Error('[[user:change_password_error]]'));
-		}
-
+		async.waterfall([
+			function (next) {
+				User.isPasswordValid(data.newPassword, next);
+			},
+			function (next) {
 				if (parseInt(uid, 10) !== parseInt(data.uid, 10)) {
-			User.isAdministrator(uid, function(err, isAdmin) {
-				if (err || !isAdmin) {
-					return callback(err || new Error('[[user:change_password_error_privileges'));
-				}
-
-				hashAndSetPassword(callback);
-			});
+					User.isAdministrator(uid, next);
 				} else {
-			User.isPasswordCorrect(uid, data.currentPassword, function(err, correct) {
-				if (err || !correct) {
-					return callback(err || new Error('[[user:change_password_error_wrong_current]]'));
+					User.isPasswordCorrect(uid, data.currentPassword, next);
+				}
+			},
+			function (isAdminOrPasswordMatch, next) {
+				if (!isAdminOrPasswordMatch) {
+					return next(new Error('[[error:change_password_error_wrong_current]]'));
 				}

-				hashAndSetPassword(callback);
+				User.hashPassword(data.newPassword, next);
+			},
+			function (hashedPassword, next) {
+				async.parallel([
+					async.apply(User.setUserField, data.uid, 'password', hashedPassword),
+					async.apply(User.reset.updateExpiry, data.uid)
+				], function(err) {
+					next(err);
 				});
 			}
+		], callback);
 	};
 };