✨ Disallow using same password as user email

CHANGES.md

@@ -6,6 +6,7 @@
 
 ### :sparkles: New features
 
+- Disallow using same password as user email [Taiga #2454](https://tree.taiga.io/project/penpot/us/2454)
 - Add configurable nudge amount [Taiga #910](https://tree.taiga.io/project/penpot/us/910)
 - Add stroke properties for image shapes [Taiga #497](https://tree.taiga.io/project/penpot/us/497)
 - On user settings, hide the theme selector as long as we only have one theme [Taiga #2610](https://tree.taiga.io/project/penpot/us/2610)

backend/src/app/rpc/mutations/profile.clj

@@ -116,6 +116,12 @@
 
   (check-profile-existence! pool params)
 
+  (when (= (str/lower (:email params))
+           (str/lower (:password params)))
+    (ex/raise :type :validation
+              :code :email-as-password
+              :hint "you can't use your email as password"))
+
   (let [params (assoc params
                       :backend "penpot"
                       :iss :prepared-register
@@ -381,6 +387,11 @@
   (db/with-atomic [conn pool]
     (let [profile    (validate-password! conn params)
           session-id (:app.rpc/session-id params)]
+      (when (= (str/lower (:email profile))
+               (str/lower (:password params)))
+        (ex/raise :type :validation
+                  :code :email-as-password
+                  :hint "you can't use your email as password"))
       (update-profile-password! conn (assoc profile :password password))
       (invalidate-profile-session! conn (:id profile) session-id)
       nil)))

backend/test/app/services_profile_test.clj

@@ -240,6 +240,16 @@
       (t/is (nil? error))
       (t/is (string? (:token result))))))
 
+(t/deftest test-register-profile-with-email-as-password
+  (let [data  {::th/type :prepare-register-profile
+               :email "user@example.com"
+               :password "USER@example.com"}]
+
+    (let [{:keys [result error] :as out} (th/mutation! data)]
+      (t/is (th/ex-info? error))
+      (t/is (th/ex-of-type? error :validation))
+      (t/is (th/ex-of-code? error :email-as-password)))))
+
 (t/deftest test-email-change-request
   (with-mocks [email-send-mock {:target 'app.emails/send! :return nil}
                cfg-get-mock    {:target 'app.config/get
@@ -345,3 +355,39 @@
         (t/is (th/ex-of-code? error :email-has-permanent-bounces)))
 
       )))
+
+
+(t/deftest update-profile-password
+  (let [profile (th/create-profile* 1)
+        data  {::th/type :update-profile-password
+               :profile-id (:id profile)
+               :old-password "123123"
+               :password "foobarfoobar"}
+        out   (th/mutation! data)]
+    (t/is (nil? (:error out)))
+    (t/is (nil? (:result out)))
+  ))
+
+
+(t/deftest update-profile-password-bad-old-password
+  (let [profile (th/create-profile* 1)
+        data  {::th/type :update-profile-password
+               :profile-id (:id profile)
+               :old-password "badpassword"
+               :password "foobarfoobar"}
+        {:keys [result error] :as out} (th/mutation! data)]
+    (t/is (th/ex-info? error))
+    (t/is (th/ex-of-type? error :validation))
+    (t/is (th/ex-of-code? error :old-password-not-match))))
+
+
+(t/deftest update-profile-password-email-as-password
+  (let [profile (th/create-profile* 1)
+        data  {::th/type :update-profile-password
+               :profile-id (:id profile)
+               :old-password "123123"
+               :password "profile1.test@nodomain.com"}
+        {:keys [result error] :as out} (th/mutation! data)]
+    (t/is (th/ex-info? error))
+    (t/is (th/ex-of-type? error :validation))
+    (t/is (th/ex-of-code? error :email-as-password))))

frontend/src/app/main/ui/auth/register.cljs

@@ -61,6 +61,10 @@
     (swap! form assoc-in [:errors :email]
            {:message "errors.email-already-exists"})
     
+    :email-as-password
+    (swap! form assoc-in [:errors :password]
+           {:message "errors.email-as-password"})
+
     (st/emit! (dm/error (tr "errors.generic")))))
 
 (defn- handle-prepare-register-success

frontend/src/app/main/ui/settings/password.cljs

@@ -22,6 +22,9 @@
     :old-password-not-match
     (swap! form assoc-in [:errors :password-old]
            {:message (tr "errors.wrong-old-password")})
+    :email-as-password
+    (swap! form assoc-in [:errors :password-1]
+       {:message (tr "errors.email-as-password")})
 
     (let [msg (tr "generic.error")]
       (st/emit! (dm/error msg)))))

frontend/translations/en.po

@@ -607,6 +607,9 @@ msgstr "Your browser cannot do this operation"
 msgid "errors.email-already-exists"
 msgstr "Email already used"
 
+msgid "errors.email-as-password"
+msgstr "You can't use your email as password"
+
 #: src/app/main/ui/auth/verify_token.cljs
 msgid "errors.email-already-validated"
 msgstr "Email already validated."

frontend/translations/es.po

@@ -610,6 +610,9 @@ msgstr "Tu navegador no puede realizar esta operación"
 msgid "errors.email-already-exists"
 msgstr "Este correo ya está en uso"
 
+msgid "errors.email-as-password"
+msgstr "No puedes usar tu email como password"
+
 #: src/app/main/ui/auth/verify_token.cljs
 msgid "errors.email-already-validated"
 msgstr "Este correo ya está validado."