Partial refactor of password pattern handling

Author: chriscarrollsmith

main.py

@@ -8,8 +8,8 @@
 from fastapi.exceptions import RequestValidationError, HTTPException, StarletteHTTPException
 from sqlmodel import Session
 from routers import authentication, organization, role, user
-from utils.auth import get_user_with_relations, get_optional_user, NeedsNewTokens, get_user_from_reset_token, PasswordValidationError, AuthenticationError
-from utils.models import User, Organization
+from utils.auth import PASSWORD_PATTERN, get_user_with_relations, get_optional_user, NeedsNewTokens, get_user_from_reset_token, PasswordValidationError, AuthenticationError
+from utils.models import User
 from utils.db import get_session, set_up_db
 from utils.images import MAX_FILE_SIZE, MIN_DIMENSION, MAX_DIMENSION, ALLOWED_CONTENT_TYPES
 
@@ -174,6 +174,8 @@ async def read_register(
 ):
     if params["user"]:
         return RedirectResponse(url="/dashboard", status_code=302)
+
+    params["password_pattern"] = PASSWORD_PATTERN
     return templates.TemplateResponse(params["request"], "authentication/register.html", params)
 
 

templates/authentication/register.html

@@ -25,7 +25,7 @@
         <div class="mb-3">
             <label for="password" class="form-label">Password</label>
             <input type="password" class="form-control" id="password" name="password" 
-                   pattern="(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[@$!%*?&\{\}\<\>\.\,\\\\'#\-_=\+\(\)\[\]:;\|~\/])[A-Za-z\d@$!%*?&\{\}\<\>\.\,\\\\'#\-_=\+\(\)\[\]:;\|~\/]{8,}"
+                   pattern="(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[@$!%*?&\{\}\<\>\.\,\\\\'#\-_=\+\(\)\[\]:;\|~\/]).{8,}"
                    title="Must contain at least one number, one uppercase and lowercase letter, one special character, and at least 8 or more characters" 
                    placeholder="Enter your password" required
                    autocomplete="new-password">

tests/test_auth.py

@@ -12,7 +12,7 @@
     get_password_hash,
     validate_token,
     generate_password_reset_url,
-    PASSWORD_PATTERN
+    COMPILED_PASSWORD_PATTERN
 )
 
 
@@ -99,43 +99,40 @@ def test_password_pattern():
         "lowercase": lowercase_letters,
         "digit": digits
     }
-    required_length = 8
-
-    # Randomized valid password tests
-    for _ in range(50):
-        password = ""
-        for element in required_elements:
-            n = random.randint(required_length // len(required_elements), required_length)
-            password += ''.join(
-                random.choice(required_elements[element])
-                for _ in range(n)
-            )
+
+    # Valid password tests
+    for element in required_elements:
+        for c in required_elements[element]:
+            password = c + "test"
+            for element in required_elements:
+                if element != element:
+                    password += random.choice(required_elements[element])
         # Randomize the order of the characters in the string
         password = ''.join(random.sample(password, len(password)))
-        assert re.match(PASSWORD_PATTERN, password) is not None
+        assert re.match(COMPILED_PASSWORD_PATTERN, password) is not None, f"Password {password} does not match the pattern"
 
     # Invalid password tests
 
     # Empty password
     password = ""
-    assert re.match(PASSWORD_PATTERN, password) is None
+    assert re.match(COMPILED_PASSWORD_PATTERN, password) is None
 
     # Too short
     password = "aA1!aA1"
-    assert re.match(PASSWORD_PATTERN, password) is None
+    assert re.match(COMPILED_PASSWORD_PATTERN, password) is None
 
     # No uppercase letter
     password = "a1!" * 3
-    assert re.match(PASSWORD_PATTERN, password) is None
+    assert re.match(COMPILED_PASSWORD_PATTERN, password) is None
 
     # No lowercase letter
     password = "A1!" * 3
-    assert re.match(PASSWORD_PATTERN, password) is None
+    assert re.match(COMPILED_PASSWORD_PATTERN, password) is None
 
     # No digit
     password = "aA!" * 3
-    assert re.match(PASSWORD_PATTERN, password) is None
+    assert re.match(COMPILED_PASSWORD_PATTERN, password) is None
 
     # No special character
     password = "aA1" * 3
-    assert re.match(PASSWORD_PATTERN, password) is None
+    assert re.match(COMPILED_PASSWORD_PATTERN, password) is None

utils/auth.py

@@ -34,13 +34,21 @@
 ALGORITHM = "HS256"
 ACCESS_TOKEN_EXPIRE_MINUTES = 30
 REFRESH_TOKEN_EXPIRE_DAYS = 30
-PASSWORD_PATTERN = re.compile(
-    r"(?=.*?\d)"                   # At least one digit
-    r"(?=.*?[a-z])"               # At least one lowercase letter
-    r"(?=.*?[A-Z])"               # At least one uppercase letter
-    r"(?=.*?[@$!%*?&{}<>.,\\'#\-_=+\(\)\[\]:;|~/\^])"  # At least one special character
+PASSWORD_PATTERN = (
+    r"(?=.*\d)"                   # At least one digit
+    r"(?=.*[a-z])"               # At least one lowercase letter
+    r"(?=.*[A-Z])"               # At least one uppercase letter
+    r"(?=.*[\\@$!%*?&{}<>.,'#\-_=+\(\)\[\]:;|~/\^])"  # At least one special character
     r".{8,}"  # At least 8 characters long
 )
+HTML_PASSWORD_PATTERN = (
+    r"(?=.*\d)"                   # At least one digit
+    r"(?=.*[a-z])"               # At least one lowercase letter
+    r"(?=.*[A-Z])"               # At least one uppercase letter
+    r"(?=.*[\\@$!%*?&\{\}\<\>\.\,\\'#\-_=\+\(\)\[\]:;\|~\/])"  # At least one special character
+    r".{8,}"  # At least 8 characters long
+)
+COMPILED_PASSWORD_PATTERN = re.compile(HTML_PASSWORD_PATTERN)
 
 
 # --- Custom Exceptions ---
@@ -112,7 +120,7 @@ def validate_password_strength(v: str) -> str:
         - At least 8 characters long
         """
         logger.debug(f"Validating password for {field_name}")
-        if not PASSWORD_PATTERN.match(v):
+        if not COMPILED_PASSWORD_PATTERN.match(v):
             logger.debug(f"Password for {field_name} does not satisfy the security policy")
             raise PasswordValidationError(
                 field=field_name,