Programmatically generate HTML regex from Python regex

Author: chriscarrollsmith

main.py

@@ -8,7 +8,15 @@
 from fastapi.exceptions import RequestValidationError, HTTPException, StarletteHTTPException
 from sqlmodel import Session
 from routers import authentication, organization, role, user
-from utils.auth import PASSWORD_PATTERN, get_user_with_relations, get_optional_user, NeedsNewTokens, get_user_from_reset_token, PasswordValidationError, AuthenticationError
+from utils.auth import (
+    HTML_PASSWORD_PATTERN,
+    get_user_with_relations,
+    get_optional_user,
+    NeedsNewTokens,
+    get_user_from_reset_token,
+    PasswordValidationError,
+    AuthenticationError
+)
 from utils.models import User
 from utils.db import get_session, set_up_db
 from utils.images import MAX_FILE_SIZE, MIN_DIMENSION, MAX_DIMENSION, ALLOWED_CONTENT_TYPES
@@ -175,7 +183,7 @@ async def read_register(
     if params["user"]:
         return RedirectResponse(url="/dashboard", status_code=302)
 
-    params["password_pattern"] = PASSWORD_PATTERN
+    params["password_pattern"] = HTML_PASSWORD_PATTERN
     return templates.TemplateResponse(params["request"], "authentication/register.html", params)
 
 
@@ -221,6 +229,7 @@ async def read_reset_password(
 
     params["email"] = email
     params["token"] = token
+    params["password_pattern"] = HTML_PASSWORD_PATTERN
 
     return templates.TemplateResponse(params["request"], "authentication/reset_password.html", params)
 

templates/authentication/register.html

@@ -25,7 +25,7 @@
         <div class="mb-3">
             <label for="password" class="form-label">Password</label>
             <input type="password" class="form-control" id="password" name="password" 
-                   pattern="(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[@$!%*?&\{\}\<\>\.\,\\\\'#\-_=\+\(\)\[\]:;\|~\/]).{8,}"
+                   pattern="{{ password_pattern }}"
                    title="Must contain at least one number, one uppercase and lowercase letter, one special character, and at least 8 or more characters" 
                    placeholder="Enter your password" required
                    autocomplete="new-password">

templates/authentication/reset_password.html

@@ -17,7 +17,7 @@
         <div class="mb-3">
             <label for="new_password" class="form-label">New Password</label>
             <input type="password" class="form-control" id="new_password" name="new_password" 
-            pattern="(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[@$!%*?&\{\}\<\>\.\,\\\\'#\-_=\+\(\)\[\]:;\|~])[A-Za-z\d@$!%*?&\{\}\<\>\.\,\\\\'#\-_=\+\(\)\[\]:;\|~]{8,}" 
+                   pattern="{{ password_pattern }}" 
                    title="Must contain at least one number, one uppercase and lowercase letter, one special character, and at least 8 or more characters" 
                    required autocomplete="new-password">
             <div class="invalid-feedback">

tests/test_auth.py

@@ -12,10 +12,20 @@
     get_password_hash,
     validate_token,
     generate_password_reset_url,
-    COMPILED_PASSWORD_PATTERN
+    COMPILED_PASSWORD_PATTERN,
+    convert_python_regex_to_html
 )
 
 
+def test_convert_python_regex_to_html():
+    PYTHON_SPECIAL_CHARS = r"(?=.*[\[\]\\@$!%*?&{}<>.,'#\-_=+\(\):;|~/\^])"
+    HTML_EQUIVALENT = r"(?=.*[\[\]\\@$!%*?&\{\}\<\>\.\,\\'#\-_=\+\(\):;\|~\/\^])"
+
+    PYTHON_SPECIAL_CHARS = convert_python_regex_to_html(PYTHON_SPECIAL_CHARS)
+
+    assert PYTHON_SPECIAL_CHARS == HTML_EQUIVALENT
+
+
 def test_password_hashing():
     password = "Test123!@#"
     hashed = get_password_hash(password)
@@ -104,11 +114,11 @@ def test_password_pattern():
     for element in required_elements:
         for c in required_elements[element]:
             password = c + "test"
-            for element in required_elements:
-                if element != element:
-                    password += random.choice(required_elements[element])
-        # Randomize the order of the characters in the string
-        password = ''.join(random.sample(password, len(password)))
+            for other_element in required_elements:
+                if other_element != element:
+                    password += random.choice(required_elements[other_element])
+            # Randomize the order of the characters in the string
+            password = ''.join(random.sample(password, len(password)))
         assert re.match(COMPILED_PASSWORD_PATTERN, password) is not None, f"Password {password} does not match the pattern"
 
     # Invalid password tests

utils/auth.py

@@ -34,21 +34,54 @@
 ALGORITHM = "HS256"
 ACCESS_TOKEN_EXPIRE_MINUTES = 30
 REFRESH_TOKEN_EXPIRE_DAYS = 30
-PASSWORD_PATTERN = (
-    r"(?=.*\d)"                   # At least one digit
-    r"(?=.*[a-z])"               # At least one lowercase letter
-    r"(?=.*[A-Z])"               # At least one uppercase letter
-    r"(?=.*[\\@$!%*?&{}<>.,'#\-_=+\(\)\[\]:;|~/\^])"  # At least one special character
-    r".{8,}"  # At least 8 characters long
-)
-HTML_PASSWORD_PATTERN = (
-    r"(?=.*\d)"                   # At least one digit
-    r"(?=.*[a-z])"               # At least one lowercase letter
-    r"(?=.*[A-Z])"               # At least one uppercase letter
-    r"(?=.*[\\@$!%*?&\{\}\<\>\.\,\\'#\-_=\+\(\)\[\]:;\|~\/])"  # At least one special character
+PASSWORD_PATTERN_COMPONENTS = [
+    r"(?=.*\d)",                   # At least one digit
+    r"(?=.*[a-z])",               # At least one lowercase letter
+    r"(?=.*[A-Z])",               # At least one uppercase letter
+    r"(?=.*[\[\]\\@$!%*?&{}<>.,'#\-_=+\(\):;|~/\^])",  # At least one special character
     r".{8,}"  # At least 8 characters long
+]
+COMPILED_PASSWORD_PATTERN = re.compile(r"".join(PASSWORD_PATTERN_COMPONENTS))
+
+
+def convert_python_regex_to_html(regex: str) -> str:
+    """
+    Replace each special character with its escaped version only when inside character classes.
+    Ensures that the single quote "'" is doubly escaped.
+    """
+    # Map each special char to its escaped form
+    special_map = {
+        '{': r'\{',
+        '}': r'\}',
+        '<': r'\<',
+        '>': r'\>',
+        '.': r'\.',
+        '+': r'\+',
+        '|': r'\|',
+        ',': r'\,',
+        "'": r"\\'",  # doubly escaped single quote
+        "/": r"\/",
+    }
+
+    # Regex to match the entire character class [ ... ]
+    pattern = r"\[((?:\\.|[^\]])*)\]"
+
+    def replacer(match: re.Match) -> str:
+        """
+        For the matched character class, replace all special characters inside it.
+        """
+        inside = match.group(1)  # the contents inside [ ... ]
+        for ch, escaped in special_map.items():
+            inside = inside.replace(ch, escaped)
+        return f"[{inside}]"
+
+    # Use re.sub with a function to ensure we only replace inside the character class
+    return re.sub(pattern, replacer, regex)
+
+
+HTML_PASSWORD_PATTERN = "".join(
+    convert_python_regex_to_html(component) for component in PASSWORD_PATTERN_COMPONENTS
 )
-COMPILED_PASSWORD_PATTERN = re.compile(HTML_PASSWORD_PATTERN)
 
 
 # --- Custom Exceptions ---