From 7134bbf484d827116a5a9d25dded0e82388beb60 Mon Sep 17 00:00:00 2001
From: Pablo Alba
Date: Fri, 4 Feb 2022 09:28:23 +0100
Subject: [PATCH] :sparkles: Disallow using same password as user email

---
 CHANGES.md | 1 +
 backend/src/app/rpc/mutations/profile.clj | 11 +++++
 backend/test/app/services_profile_test.clj | 46 +++++++++++++++++++
 frontend/src/app/main/ui/auth/register.cljs | 4 ++
 .../src/app/main/ui/settings/password.cljs | 3 ++
 frontend/translations/en.po | 3 ++
 frontend/translations/es.po | 3 ++
 7 files changed, 71 insertions(+)

diff --git a/CHANGES.md b/CHANGES.md
index da63fa5a07..3f386a80f4 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -6,6 +6,7 @@
 ### :sparkles: New features
+- Disallow using same password as user email [Taiga #2454](https://tree.taiga.io/project/penpot/us/2454)
 - Add configurable nudge amount [Taiga #910](https://tree.taiga.io/project/penpot/us/910)
 - Add stroke properties for image shapes [Taiga #497](https://tree.taiga.io/project/penpot/us/497)
 - On user settings, hide the theme selector as long as we only have one theme [Taiga #2610](https://tree.taiga.io/project/penpot/us/2610)
diff --git a/backend/src/app/rpc/mutations/profile.clj b/backend/src/app/rpc/mutations/profile.clj
index ab1a5a405f..d100f0ff8d 100644
--- a/backend/src/app/rpc/mutations/profile.clj
+++ b/backend/src/app/rpc/mutations/profile.clj
@@ -116,6 +116,12 @@
 (check-profile-existence! pool params)
+ (when (= (str/lower (:email params))
+ (str/lower (:password params)))
+ (ex/raise :type :validation
+ :code :email-as-password
+ :hint "you can't use your email as password"))
+
 (let [params (assoc params :backend "penpot" :iss :prepared-register
@@ -381,6 +387,11 @@
 (db/with-atomic [conn pool]
 (let [profile (validate-password! conn params)
 session-id (:app.rpc/session-id params)]
+ (when (= (str/lower (:email profile))
+ (str/lower (:password params)))
+ (ex/raise :type :validation
+ :code :email-as-password
+ :hint "you can't use your email as password"))
 (update-profile-password! conn (assoc profile :password password))
 (invalidate-profile-session! conn (:id profile) session-id)
 nil)))
diff --git a/backend/test/app/services_profile_test.clj b/backend/test/app/services_profile_test.clj
index ba82c0f0e8..78c423872c 100644
--- a/backend/test/app/services_profile_test.clj
+++ b/backend/test/app/services_profile_test.clj
@@ -240,6 +240,16 @@
 (t/is (nil? error))
 (t/is (string? (:token result))))))
+(t/deftest test-register-profile-with-email-as-password
+ (let [data {::th/type :prepare-register-profile
+ :email "user@example.com"
+ :password "USER@example.com"}]
+
+ (let [{:keys [result error] :as out} (th/mutation! data)]
+ (t/is (th/ex-info? error))
+ (t/is (th/ex-of-type? error :validation))
+ (t/is (th/ex-of-code? error :email-as-password)))))
+
 (t/deftest test-email-change-request
 (with-mocks [email-send-mock {:target 'app.emails/send! :return nil}
 cfg-get-mock {:target 'app.config/get
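Review bot: The email-as-password guard placed before `update-profile-password!` is a verbatim copy of the one added in the registration hunk at `@@ -116,6 +116,12 @@`, differing only in reading `(:email profile)` instead of `(:email params)`; a single private helper such as `(defn- check-email-as-password! [email password] ...)` raising the same `:validation`/`:email-as-password` error would keep both call sites in step when the rule changes. The comparison is a strict equality after `str/lower`, so a password that merely extends or embeds the address (characters appended, or just the local part) still passes; if the intent is to reject email-derived passwords, a containment test against the full address and its local part is the stronger form, and the `:hint` text would then need to say so. Note also that the check runs after `validate-password!` has already verified the old password, so a request that is going to be rejected still pays for that hash verification first. The enclosing definition starts outside the hunk.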
@@ -345,3 +355,39 @@
 (t/is (th/ex-of-code? error :email-has-permanent-bounces)))
 )))
+
+
+(t/deftest update-profile-password
+ (let [profile (th/create-profile* 1)
+ data {::th/type :update-profile-password
+ :profile-id (:id profile)
+ :old-password "123123"
+ :password "foobarfoobar"}
+ out (th/mutation! data)]
+ (t/is (nil? (:error out)))
+ (t/is (nil? (:result out)))
+ ))
+
+
+(t/deftest update-profile-password-bad-old-password
+ (let [profile (th/create-profile* 1)
+ data {::th/type :update-profile-password
+ :profile-id (:id profile)
+ :old-password "badpassword"
+ :password "foobarfoobar"}
+ {:keys [result error] :as out} (th/mutation! data)]
+ (t/is (th/ex-info? error))
+ (t/is (th/ex-of-type? error :validation))
+ (t/is (th/ex-of-code? error :old-password-not-match))))
+
+
+(t/deftest update-profile-password-email-as-password
+ (let [profile (th/create-profile* 1)
+ data {::th/type :update-profile-password
+ :profile-id (:id profile)
+ :old-password "123123"
+ :password "profile1.test@nodomain.com"}
+ {:keys [result error] :as out} (th/mutation! data)]
+ (t/is (th/ex-info? error))
+ (t/is (th/ex-of-type? error :validation))
+ (t/is (th/ex-of-code? error :email-as-password))))
diff --git a/frontend/src/app/main/ui/auth/register.cljs b/frontend/src/app/main/ui/auth/register.cljs
index 91e5dcb4fb..c9a2d89a81 100644
--- a/frontend/src/app/main/ui/auth/register.cljs
+++ b/frontend/src/app/main/ui/auth/register.cljs
@@ -60,6 +60,10 @@
 :email-already-exists
 (swap! form assoc-in [:errors :email]
 {:message "errors.email-already-exists"})
+
+ :email-as-password
+ (swap! form assoc-in [:errors :password]
+ {:message "errors.email-as-password"})
 (st/emit! (dm/error (tr "errors.generic")))))
diff --git a/frontend/src/app/main/ui/settings/password.cljs b/frontend/src/app/main/ui/settings/password.cljs
index 278eca9a41..225af7fc17 100644
--- a/frontend/src/app/main/ui/settings/password.cljs
+++ b/frontend/src/app/main/ui/settings/password.cljs
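Review bot: `update-profile-password-email-as-password` hard-codes the fixture's address as `:password "profile1.test@nodomain.com"` even though `profile` is bound two lines earlier; `:password (:email profile)` would tie the assertion to whatever `th/create-profile*` actually generates, so the test cannot silently start exercising a non-matching password if that helper's email format ever changes. The guard under test lowercases both sides, yet this path has no mixed-case variant like the registration test's `"USER@example.com"`; a second case passing the same address with different letter casing would cover the case-insensitive branch for password updates too. In `update-profile-password` the closing `))` sits on its own line, unlike the two sibling tests that close on the last `t/is`.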
@@ -22,6 +22,9 @@
 :old-password-not-match
 (swap! form assoc-in [:errors :password-old]
 {:message (tr "errors.wrong-old-password")})
+ :email-as-password
+ (swap! form assoc-in [:errors :password-1]
+ {:message (tr "errors.email-as-password")})
 (let [msg (tr "generic.error")]
 (st/emit! (dm/error msg)))))
diff --git a/frontend/translations/en.po b/frontend/translations/en.po
index 4cd2704dc9..d25325f57f 100644
--- a/frontend/translations/en.po
+++ b/frontend/translations/en.po
@@ -607,6 +607,9 @@ msgstr "Your browser cannot do this operation"
 msgid "errors.email-already-exists"
 msgstr "Email already used"
 
+msgid "errors.email-as-password"
+msgstr "You can't use your email as password"
+
 #: src/app/main/ui/auth/verify_token.cljs
 msgid "errors.email-already-validated"
 msgstr "Email already validated."
diff --git a/frontend/translations/es.po b/frontend/translations/es.po
index 76bac95871..ca65a37fc0 100644
--- a/frontend/translations/es.po
+++ b/frontend/translations/es.po
@@ -610,6 +610,9 @@ msgstr "Tu navegador no puede realizar esta operación"
 msgid "errors.email-already-exists"
 msgstr "Este correo ya está en uso"
 
+msgid "errors.email-as-password"
+msgstr "No puedes usar tu email como password"
+
 #: src/app/main/ui/auth/verify_token.cljs
 msgid "errors.email-already-validated"
 msgstr "Este correo ya está validado."