3scale
diff --git a/‎.gitleaks.toml‎
Lines changed: 8 additions & 0 deletions b/‎.gitleaks.toml‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎features/buyers/accounts/new.feature‎
Lines changed: 4 additions & 3 deletions b/‎features/buyers/accounts/new.feature‎
Lines changed: 4 additions & 3 deletions
diff --git a/‎features/developer_portal/access_code.feature‎
Lines changed: 1 addition & 1 deletion b/‎features/developer_portal/access_code.feature‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎features/developer_portal/admin/account/personal_details.feature‎
Lines changed: 1 addition & 1 deletion b/‎features/developer_portal/admin/account/personal_details.feature‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎features/developer_portal/buyer_password_reset.feature‎
Lines changed: 6 additions & 6 deletions b/‎features/developer_portal/buyer_password_reset.feature‎
Lines changed: 6 additions & 6 deletions
diff --git a/‎features/master/applications/keys.feature‎
Lines changed: 2 additions & 2 deletions b/‎features/master/applications/keys.feature‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎features/old/accounts/accounts.feature‎
Lines changed: 1 addition & 1 deletion b/‎features/old/accounts/accounts.feature‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎features/old/accounts/password_change.feature‎
Lines changed: 3 additions & 3 deletions b/‎features/old/accounts/password_change.feature‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎features/old/accounts/personal_details.feature‎
Lines changed: 17 additions & 8 deletions b/‎features/old/accounts/personal_details.feature‎
Lines changed: 17 additions & 8 deletions
diff --git a/‎features/old/authentication/internal.feature‎
Lines changed: 8 additions & 8 deletions b/‎features/old/authentication/internal.feature‎
Lines changed: 8 additions & 8 deletions
@@ -0,0 +1,8 @@
+[allowlist]
+description = "Global Allowlist"
+
+# Ignore based on any subset of the file path
+paths = [
+    '''test/unit/authentication/by_password_test.rb''',
+    '''test/integration/admin/api/buyers_users_controller_test.rb'''
+]
@@ -35,9 +35,9 @@ Feature: Audience > Accounts > New
   Scenario: Fields validation
     Given they go to the new buyer account page
     When the form is submitted with:
-      | Username | u        |
-      | Email    | invalid  |
-      | Password | p        |
+      | Username | u                  |
+      | Email    | invalid            |
+      | Password | superSecret1234#   |
       | Organization/Group Name | Org |
     Then field "Username" has inline error "is too short"
     And field "Email" has inline error "should look like an email address"
@@ -63,6 +63,7 @@ Feature: Audience > Accounts > New
       | Organization/Group Name | Alice's Web Widget |
       | Country                 | Spain              |
       | Fields with choices     | option1            |
+      | Password                | superSecret1234#   |
 
     Then the current page is the buyer account page for "Alice's Web Widget"
     And the inverted table has the following rows within the account details card:
 
@@ -49,7 +49,7 @@ Feature: Access code
   @javascript
   Scenario: Navigate from admin portal when access code is set
     Given the provider logs in
-    And they follow "Developer Portal"
+    And they follow any "Developer Portal"
     When they follow "Visit Portal"
     Then the current domain in a new window should be foo.3scale.localhost
     And they should not see field "Access code"
 
@@ -62,7 +62,7 @@ Feature: Dev Portal Buyer Personal Details
       | User extra read only |
       | User extra hidden    |
 
-    And fill in "Current Password" with "supersecret"
+    And fill in "Current Password" with "superSecret1234#"
     And they press "Update Personal Details"
     Then they should see error in fields:
       | errors              |
 
@@ -35,14 +35,14 @@ Feature: Buyer password reset
       And they press "Send instructions"
       Then they should see "A password reset link will be sent to zed@3scale.localhost if a user exists with this email"
       When they follow the link found in the password reset email send to "zed@3scale.localhost"
-      And they fill in "Password" with "monkey"
-      And they fill in "Password confirmation" with "monkey"
+      And they fill in "Password" with "superSecret1234#"
+      And they fill in "Password confirmation" with "superSecret1234#"
       And they press "Change Password"
       Then they should see "The password has been changed"
 
       When they go to the login page
       And they fill in "Username" with "zed@3scale.localhost"
-      And they fill in "Password" with "monkey"
+      And they fill in "Password" with "superSecret1234#"
       And they press "Sign in"
       Then they should be logged in as "zed"
 
@@ -59,11 +59,11 @@ Feature: Buyer password reset
       And they fill in "Email" with "zed@3scale.localhost"
       And they press "Send instructions"
       And they follow the link found in the password reset email send to "zed@3scale.localhost"
-      And they fill in "Password" with "monkey"
-      And they fill in "Password confirmation" with "donkey"
+      And they fill in "Password" with "new_password_123"
+      And they fill in "Password confirmation" with "123_new_password"
       And they press "Change Password"
       Then they should see the password confirmation error
-      And the password of user "zed" should not be "monkey"
+      And the password of user "zed" should not be "new_password_123"
 
     Scenario: Blank passwords
       When they follow "Forgot password?"
 
@@ -14,7 +14,7 @@ Feature: Application Keys management
     Given they are reviewing the provider's application details
     When follow "Regenerate"
     And confirm the dialog
-    And fill in "Current password" with "supersecret"
+    And fill in "Current password" with "superSecret1234#"
     And press "Confirm Password"
     And should see "You are now in super-user mode! Retry the action, please"
     And follow "Regenerate"
@@ -24,7 +24,7 @@ Feature: Application Keys management
   Scenario: Set a custom app key
     Given they are reviewing the provider's application details
     When follow "Set a custom User Key" within the API Credentials card
-    And fill in "Current password" with "supersecret"
+    And fill in "Current password" with "superSecret1234#"
     And press "Confirm Password"
     And fill in "User key" with "new-valid-key"
     And press "Save"
 
@@ -70,7 +70,7 @@ Feature: Account management
     And I navigate to the Account Settings
     And I go to the provider personal details page
     When I fill in "Email" with "invalid"
-     And I fill in "Current password" with "supersecret"
+     And I fill in "Current password" with "superSecret1234#"
     And I press "Update Details"
     Then I should see "should look like an email address"
 
 
@@ -7,13 +7,13 @@ Feature: Password change
   Scenario: Provider password change
     Given a provider is logged in
     And I go to the provider personal details page
-    And I fill in "New password" with "monkey"
-    And I fill in "Current password" with "supersecret"
+    And I fill in "New password" with "new_password_123"
+    And I fill in "Current password" with "superSecret1234#"
     And I press "Update Details"
     And I log out
     And I go to the provider login page
     And I should see "Log in to your account"
     And I fill in "Email or Username" with "foo.3scale.localhost"
-    And I fill in "Password" with "monkey"
+    And I fill in "Password" with "new_password_123"
     And I press "Sign in"
     Then I should be logged in as "foo.3scale.localhost"
@@ -12,7 +12,7 @@ Feature: Personal Details
     When I navigate to the Account Settings
     And I go to the provider personal details page
     And I fill in "Email" with "john.doe@foo.3scale.localhost"
-    And I fill in "Current password" with "supersecret"
+    And I fill in "Current password" with "superSecret1234#"
     And I press "Update Details"
     Then I should see "User was successfully updated"
     And I should be on the provider personal details page
@@ -23,15 +23,15 @@ Feature: Personal Details
     And I follow "foo.3scale.localhost"
     Then I should be on the provider personal details page
     When I fill in "Email" with "john.doe@foo.3scale.localhost"
-    And I fill in "Current password" with "supersecret"
+    And I fill in "Current password" with "superSecret1234#"
     And I press "Update Details"
     Then I should be on the provider users page
     When I follow "foo.3scale.localhost" within the table
     And I fill in "Email" with ""
-    And I fill in "Current password" with "supersecret"
+    And I fill in "Current password" with "superSecret1234#"
     And I press "Update Details"
     And I fill in "Email" with "john.doe@foo.3scale.localhost"
-    And I fill in "Current password" with "supersecret"
+    And I fill in "Current password" with "superSecret1234#"
     And I press "Update Details"
     Then I should be on the provider users page
     And I should see the flash message "User was successfully updated"
@@ -40,7 +40,7 @@ Feature: Personal Details
     When I navigate to the Account Settings
     And I go to the provider personal details page
     And I fill in "Username" with "u"
-    And I fill in "Current password" with "supersecret"
+    And I fill in "Current password" with "superSecret1234#"
     And I press "Update Details"
     Then field "Username" has inline error "is too short (minimum is 3 characters)"
 
@@ -74,17 +74,26 @@ Feature: Personal Details
       | User extra required |
     When I fill in "First name" with "dude"
     And I fill in "User extra required" with "whatever"
-    And I fill in "Current password" with "supersecret"
+    And I fill in "Current password" with "superSecret1234#"
     And I press "Update Details"
     Then I should see "User was successfully updated"
     Then the "First name" field should contain "dude"
     And the "User extra required" field should contain "whatever"
 
   Scenario: Update own password when the user was signed up with password
+    Given the user was signed up with password
+    When I navigate to the Account Settings
+    And I go to the provider personal details page
+    And I fill in "New password" with "superSecret1234!"
+    And I fill in "Current password" with "superSecret1234#"
+    And I press "Update Details"
+    Then I should see "User was successfully updated"
+
+  Scenario: Update own password to a weak password
     Given the user was signed up with password
     When I navigate to the Account Settings
     And I go to the provider personal details page
     And I fill in "New password" with "hi"
-    And I fill in "Current password" with "supersecret"
+    And I fill in "Current password" with "superSecret1234#"
     And I press "Update Details"
-    Then field "New password" has inline error "is too short (minimum is 6 characters)"
+    Then I should see the error that the password is too weak
@@ -20,7 +20,7 @@ Feature: Internal authentication
     And I go to the provider login page
     Then I should feel secure
     When I fill in "Username" with "foo.3scale.localhost"
-    And I fill in "Password" with "supersecret"
+    And I fill in "Password" with "superSecret1234#"
     And I press "Sign in"
     Then I should be logged in as "foo.3scale.localhost"
     And I should be on the provider dashboard
@@ -32,19 +32,19 @@ Feature: Internal authentication
   @javascript
   Scenario: Redirects and keeps full url
     # legal terms's  url url has query_string
-    Given the admin of account "foo.3scale.localhost" has password "foobar"
+    Given the admin of account "foo.3scale.localhost" has password "superSecret1234#"
     When current domain is the admin domain of provider "foo.3scale.localhost"
       And I go to the legal terms settings page
     And I fill in "Username" with "foo.3scale.localhost"
-    And I fill in "Password" with "foobar"
+    And I fill in "Password" with "superSecret1234#"
     And I press "Sign in"
     Then I should have the following query string:
     | system_name | signup_licence|
 
 
   @javascript
   Scenario: Failed attempt to sign in as provider with invalid password
-    Given the admin of account "foo.3scale.localhost" has password "foobar"
+    Given the admin of account "foo.3scale.localhost" has password "superSecret1234#"
     When current domain is the admin domain of provider "foo.3scale.localhost"
     And I go to the provider login page
     And I fill in "Username" with "foo.3scale.localhost"
@@ -67,17 +67,17 @@ Feature: Internal authentication
     When the current domain is foo.3scale.localhost
     And I go to the login page
     And I fill in "Username" with "alice"
-    And I fill in "Password" with "supersecret"
+    And I fill in "Password" with "superSecret1234#"
     And I press "Sign in"
     Then I should be logged in as "alice"
 
   @wip @3D
   Scenario: Successful sign in as master account admin
-   Given the master account admin has username "admin" and password "supermonkey"
+   Given the master account admin has username "admin" and password "superSecret1234#"
     When current domain is the admin domain of provider "foo.3scale.localhost"
     And I go to the provider login page
     And I fill in "Username" with "admin"
-    And I fill in "Password" with "supermonkey"
+    And I fill in "Password" with "superSecret1234#"
     And I press "Sign in"
     Then I should be logged in as "admin"
     And I should be on the provider dashboard
@@ -89,7 +89,7 @@ Feature: Internal authentication
     When current domain is the admin domain of provider "foo.3scale.localhost"
     And I go to the provider login page
     And I fill in "Username" with "foo.3scale.localhost"
-    And I fill in "Password" with "supersecret"
+    And I fill in "Password" with "superSecret1234#"
     And I press "Sign in"
     Then user "foo.3scale.localhost" should have last login on 8th October 2010 at 11:10 from 100.101.102.103