janl commented on a change in pull request #3483:
URL: https://github.com/apache/couchdb/pull/3483#discussion_r606804968



##########
File path: src/couch/src/couch_users_db.erl
##########
@@ -86,7 +90,63 @@ save_doc(#doc{body={Body}} = Doc) ->
         Doc#doc{body={Body4}};
     {_ClearPassword, Scheme} ->
         couch_log:error("[couch_httpd_auth] password_scheme value of '~p' is 
invalid.", [Scheme]),
-        throw({forbidden, "Server cannot hash passwords at this time."})
+        throw({forbidden, ?PASSWORD_SERVER_ERROR})
+    end.
+
+% Validate if a new password matches all RegExp in the password_reqexp setting.
+% Throws if not.
+validate_password(ClearPassword) ->
+    case config:get("couch_httpd_auth", "password_reqexp", "") of
+    "" ->
+        ok;
+    "[]" ->
+        ok;
+    ValidateConfig ->
+        case couch_util:parse_term(ValidateConfig) of
+        {ok, RegExpList} when is_list(RegExpList) -> 
+            % Check the password on every RegExp.
+            Loop = fun(RegExp) ->
+                check_password_with_regexp(ClearPassword, RegExp)
+            end,
+            lists:foreach(Loop, RegExpList),
+            ok;
+        {ok, NonListValue} ->
+            couch_log:error(
+                "[couch_httpd_auth] password_reqexp value of '~p' is invalid.",
+                [NonListValue]
+            ),
+            throw({forbidden, ?PASSWORD_SERVER_ERROR});
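Review bot: The config key read in validate_password is spelled `password_reqexp`, which looks like a typo for `password_regexp`; the same spelling appears in the comment above the function and in the `couch_log:error` message. Because the `config:get` lookup defaults to `""` and that value returns `ok`, an operator who sets `password_regexp` would get no error and no password policy would be enforced. If the typo is confirmed, use `config:get("couch_httpd_auth", "password_regexp", "")` and correct the comment and log text to match. A one-line comment stating that an unset or empty value means "no password requirements" would also make the fail-open default explicit. The body of validate_password continues past the quoted hunk, so the remaining `parse_term` result clauses are not reviewed here.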

Review comment:
   403 for “we can’t hash any PW because we are misconfigured” is fine
because we used that before. A 5xx code might be more appropriate, but there is
no need to change all that now.

   400 for “your password is bad” is ok too. Sadly, there is no 4xx for “you
failed whatever custom validation I have going on here”, only ones specific to
other HTTP behaviour like `Accept` or `Expect` headers.



