From 87dc3b63440f49a5bdd6f49da86c7fee295ad748 Mon Sep 17 00:00:00 2001
From: yackob03
Date: Fri, 27 Sep 2013 18:38:41 -0400
Subject: [PATCH] Add checks for username and passwords, move checks to model.
---
 data/model.py | 11 +++++++++++
 endpoints/index.py | 8 ++------
 util/validation.py | 14 ++++++++++++++
 3 files changed, 27 insertions(+), 6 deletions(-)
diff --git a/data/model.py b/data/model.py
index 6566f7ad4..ec9d85bb8 100644
--- a/data/model.py
+++ b/data/model.py
@@ -3,6 +3,8 @@ import logging
 import dateutil.parser
 from database import *
+from util.validation import (validate_email, validate_username,
+ validate_password)
 logger = logging.getLogger(__name__)
@@ -14,6 +16,15 @@ class DataModelException(Exception):
 def create_user(username, password, email):
 pw_hash = bcrypt.hashpw(password, bcrypt.gensalt())
+
+ if not validate_email(email):
+ raise DataModelException('Invalid email address: %s' % email)
+ if not validate_username(username):
+ raise DataModelException('Invalid username: %s' % username)
+ if not validate_password(password):
+ raise DataModelException('Invalid password, password must be at least ' +
+ '8 characters and contain no whitespace.')
+
 try:
 new_user = User.create(username=username, password_hash=pw_hash, email=email)
diff --git a/endpoints/index.py b/endpoints/index.py
index a8c62b5cd..8a02c70bd 100644
--- a/endpoints/index.py
+++ b/endpoints/index.py
@@ -11,7 +11,6 @@ from app import app
 from auth.auth import (process_auth, get_authenticated_user, get_validated_token)
 from util.names import parse_namespace_repository, parse_repository_name
-from util.validation import validate_email
 from auth.permissions import (ModifyRepositoryPermission, ReadRepositoryPermission, UserPermission)
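Review bot: The three new `if not validate_*` guards are placed after `pw_hash = bcrypt.hashpw(password, bcrypt.gensalt())`, so a request with a bad email, username or password still pays the full bcrypt cost before it is rejected; moving the hashing line below the guards makes the rejection path cheap and avoids hashing a password that fails validation. The last raise builds its message with `'... at least ' + '8 characters ...'`, where adjacent string literals concatenate implicitly and the `+` can simply be dropped. create_user's body continues past the end of the hunk.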
@@ -47,11 +46,8 @@ def generate_headers(f):
 @app.route('/v1/users/', methods=['POST'])
 def create_user():
 user_data = request.get_json()
- email = user_data['email'].strip()
- if not validate_email(email):
- return make_response('Invalid email address: %s' % email, 400)
-
- model.create_user(user_data['username'], user_data['password'], email)
+ model.create_user(user_data['username'], user_data['password'],
+ user_data['email'])
 return make_response('Created', 201)
diff --git a/util/validation.py b/util/validation.py
index 8ada4d0c1..9f5682677 100644
--- a/util/validation.py
+++ b/util/validation.py
@@ -1,7 +1,21 @@
 import re
+import urllib
 def validate_email(email_address):
 if re.match(r'[^@]+@[^@]+\.[^@]+', email_address):
 return True
 return False
+
+
+def validate_username(username):
+ # Minimum length of 2, maximum length of 255, no url unsafe characters
+ return (urllib.quote(username, safe='') == username and
+ len(username) > 1 and
+ len(username) < 256)
+
+def validate_password(password):
+ # No whitespace and minimum length of 8
+ if re.search(r'\s', password):
+ return False
+ return len(password) > 7
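Review bot: The DataModelException that model.create_user now raises for an invalid email, username or password is not handled in this endpoint, so such a request ends in an unhandled exception (a generic 500) where the removed lines answered with a 400 carrying the reason; the call should be wrapped and the exception mapped back to a 400. The removed `.strip()` on the submitted email is not reinstated anywhere either, so surrounding whitespace now reaches the model unchanged and validate_email's regex does not reject it. That the exception is reachable as `model.DataModelException` is inferred from the `model.create_user` call; adjust the reference if the module is imported differently.
```python
def create_user():
  user_data = request.get_json()
  try:
    model.create_user(user_data['username'], user_data['password'],
                      user_data['email'].strip())
  except model.DataModelException as ex:
    return make_response(str(ex), 400)
  # … unchanged: return make_response('Created', 201) …
```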
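Review bot: validate_username can raise instead of returning False: if I read the Python 2 `urllib.quote` imported here correctly, quoting a unicode string that contains non-ASCII characters fails with KeyError, and the JSON-decoded username handed to the model is a unicode string, so a caller expecting a clean DataModelException gets an unrelated exception instead. Either quote a byte string, `urllib.quote(username.encode('utf-8'), safe='') == username`, which compares unequal (and so returns False) for anything non-ASCII, or catch KeyError in the function and return False. As a point of style, `def validate_password` is preceded by a single blank line while validate_username gets two; PEP 8 asks for two between top-level definitions.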