Cognito - No password validation in admin_set_user_password/sign_up
Hi,
There is currently no password validation being performed on the admin_set_user_password function. (and I believe the same is applicable to change_password but I haven't tested it)
As you can see, the password being provided is simply just put into the variable without any checks happening: https://github.com/spulec/moto/blob/d03891e80577be85a49b61cfa686222516d753e9/moto/cognitoidp/models.py#L1786
Same for change_password here: https://github.com/spulec/moto/blob/d03891e80577be85a49b61cfa686222516d753e9/moto/cognitoidp/models.py#L1458
Passwords should be validated against the default Cognito requirements for minimum password length (>5 characters), maximum password length (<99 characters) and valid characters, and against the password policy that has been configured on the user pool (see https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-policies.html).
If validations fail, it should raise either a ClientError exception with the code InvalidPasswordException, or a ParamValidationError exception. I'm not too sure I remember in which cases one is raised over the other though.
Hi @JorisLimousin, will mark it as an enhancement to add validation here.
If this is something you'd like to add yourself, PR's are always welcome!
I find this interesting and I want to work on this. It would be great if I could get approval from the owner.
Any solution to this should add the same validation to the sign_up-method - see the linked issue where this feature is requested.
Hi, I want to contribute to this issue.
```python
import re
import boto3
from botocore.exceptions import ClientError


class InvalidPasswordException(Exception):
    """Raised when the password does not meet the validation rules."""
    pass


def admin_set_user_password(password):
    tmp = password
    lgt = len(tmp)
    print(tmp)
    try:
        # length must be more than 5 and fewer than 99 characters
        flagl = 5 < lgt < 99
        # at least one digit anywhere in the password
        flagn = any(i in "0123456789" for i in tmp)
        # at least one special character (raw string so the backslash is literal;
        # the separating spaces mean a space is counted as special as well)
        sc = r"^ $ * . [ ] { } ( ) ? ! @ # % & / \ , > < ' : ; | _ ~ ` = + -"
        flagsc = any(i in sc for i in tmp)
        # at least one uppercase and at least one lowercase letter
        flagu = any(re.match('[A-Z]', i) for i in tmp)
        flaglo = any(re.match('[a-z]', i) for i in tmp)
        print(flagl, flagn, flagsc, flagu, flaglo)
        if flagl and flagn and flagsc and flagu and flaglo:
            print("Password is valid")
        else:
            raise InvalidPasswordException
    # except ClientError as e:
    #     print("Exception occured", e)
    except InvalidPasswordException:
        print("Invalid password")
    except ClientError as e:
        print(e)
```
This is the code I drafted to validate the password. Let me know whether it is correct so that I can raise a PR for this.
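Added example, not code from this thread or from moto itself: a validator that covers both the default Cognito rules listed in the opening post and a user-pool PasswordPolicy (MinimumLength and the Require* flags), reporting every violation instead of a single boolean. The length bounds follow the issue text (more than 5, fewer than 99 characters), the local InvalidPasswordException class is a stand-in for the error code a Cognito client would receive, and rejecting leading or trailing whitespace is an assumption about the "valid characters" rule.

```python
import re

# Absolute bounds as stated in the issue (>5 and <99 characters).
ABS_MIN_LENGTH = 6
ABS_MAX_LENGTH = 98
# Default user-pool policy: MinimumLength 8 with every Require* flag enabled.
DEFAULT_POLICY = {
    "MinimumLength": 8,
    "RequireUppercase": True,
    "RequireLowercase": True,
    "RequireNumbers": True,
    "RequireSymbols": True,
}
# Special characters Cognito counts toward RequireSymbols.
SYMBOLS = set("^$*.[]{}()?\"!@#%&/\\,><':;|_~`=+-")


class InvalidPasswordException(Exception):
    """Stand-in (assumption) for the InvalidPasswordException error code a client sees."""
    code = "InvalidPasswordException"


def password_errors(password, policy=None):
    """Return every policy violation found; an empty list means the password is acceptable."""
    policy = {**DEFAULT_POLICY, **(policy or {})}
    errors = []
    length = len(password)
    if not ABS_MIN_LENGTH <= length <= ABS_MAX_LENGTH:
        errors.append(f"length must be between {ABS_MIN_LENGTH} and {ABS_MAX_LENGTH}")
    if length < policy["MinimumLength"]:
        errors.append(f"shorter than MinimumLength {policy['MinimumLength']}")
    if policy["RequireUppercase"] and not re.search(r"[A-Z]", password):
        errors.append("missing uppercase letter")
    if policy["RequireLowercase"] and not re.search(r"[a-z]", password):
        errors.append("missing lowercase letter")
    if policy["RequireNumbers"] and not re.search(r"[0-9]", password):
        errors.append("missing digit")
    if policy["RequireSymbols"] and not any(c in SYMBOLS for c in password):
        errors.append("missing special character")
    # Assumption: leading/trailing whitespace is not a valid character.
    if password != password.strip():
        errors.append("leading or trailing whitespace is not allowed")
    return errors


def validate_password(password, policy=None):
    """Raise InvalidPasswordException listing all violations, as the user-pool call should."""
    errors = password_errors(password, policy)
    if errors:
        raise InvalidPasswordException("; ".join(errors))
    return True
```

Passing the user pool's configured PasswordPolicy dict as `policy` overrides only the keys it sets, so a pool that disables RequireUppercase still gets the remaining checks.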
Thanks @aarushisoni - the logic looks correct to me. I may have some suggestions to improve things, but I'll add them to the PR itself - that's easier to review.
I worked very hard to solve this issue. Please let me raise the PR and also assign me this issue.
You should be able to raise a PR from your own fork. See this GitHub help page on how to do this: https://docs.github.com/en/get-started/quickstart/contributing-to-projects
We have some tips on how to setup Moto: http://docs.getmoto.org/en/latest/docs/contributing/installation.html
And, while I'm sharing links to read: if running make init gives an error, this thread might help: https://github.com/spulec/moto/issues/5547#issuecomment-1344087843
I have raised this Validate Password function is added #5757. Please review it.
I have updated the changes in the PR, kindly review.
@bblommers could you please check my latest changes and let me know.
@bblommers hi! Thank you for merging my PR. Can you please tell me by when the issue will be closed?
Done! Thanks again for contributing to Moto @aarushisoni