admin/turf_saas
1
0
Fork 0
Code Issues Pull Requests 8 Actions Packages Projects Releases Wiki Activity

HRT-63 — Blacklist + validation complexité mots de passe #7

Closed
admin wants to merge 0 commits from feature/HRT-63-password-blacklist-complexity into master
pull from: feature/HRT-63-password-blacklist-complexity
merge into: admin:master
Conversation 0 Commits - Files Changed -
admin commented 2026-04-27 15:03:45 +02:00
Owner
Copy Link

Contexte

Fix sécurité [HRT-56] — Le endpoint /api/v1/auth/register acceptait des mots de passe triviaux (password, 12345678).

Changements

saas_auth.py

  • Ajout constante WEAK_PASSWORDS (50+ mots de passe communs)
  • Ajout fonction validate_password_strength(password) : vérifie longueur min 8, blacklist, présence ≥1 chiffre, présence ≥1 lettre
  • /register : remplace len(password) < 8 par appel validate_password_strength()
  • /change-password : idem

tests/security/test_security.py

  • Ajout classe TestWeakPasswordRejection : 10 cas paramétrés mots faibles → 400, mot de passe fort Tr0ub4d@ur! → 201, sans chiffre → 400, sans lettre → 400

Vérifications

  • Syntaxe Python OK (ast.parse)
  • Service NON redémarré — attente validation CTO

Ticket: HRT-63

## Contexte Fix sécurité [HRT-56] — Le endpoint `/api/v1/auth/register` acceptait des mots de passe triviaux (`password`, `12345678`). ## Changements ### `saas_auth.py` - Ajout constante `WEAK_PASSWORDS` (50+ mots de passe communs) - Ajout fonction `validate_password_strength(password)` : vérifie longueur min 8, blacklist, présence ≥1 chiffre, présence ≥1 lettre - `/register` : remplace `len(password) < 8` par appel `validate_password_strength()` - `/change-password` : idem ### `tests/security/test_security.py` - Ajout classe `TestWeakPasswordRejection` : 10 cas paramétrés mots faibles → 400, mot de passe fort `Tr0ub4d@ur!` → 201, sans chiffre → 400, sans lettre → 400 ## Vérifications - Syntaxe Python OK (`ast.parse`) - Service NON redémarré — attente validation CTO Ticket: HRT-63
admin added 1 commit 2026-04-27 15:03:45 +02:00
feat(security): blacklist + password strength validation — fix weak passwords HRT-63 8c5fdf1e9c 
- Add WEAK_PASSWORDS set (50+ common passwords) in saas_auth.py
- Add validate_password_strength() function: checks min length, blacklist, digits, letters
- Replace raw len() checks in /register and /change-password with validate_password_strength()
- Add TestWeakPasswordRejection class in test_security.py: parametrized weak pwd test, strong pwd 201 test, no-digit, no-letter tests

Co-Authored-By: Paperclip <noreply@paperclip.ing>
admin added 2 commits 2026-04-27 15:54:02 +02:00
fix(billing): JWT token incompatibility — use saas_auth require_auth + fix table names HRT-54 d39c7d3319 
Co-Authored-By: Paperclip <noreply@paperclip.ing>
fix(tests): replace abc12345 by abc1234 in TestWeakPasswordRejection e517741c97 
abc12345 n'est pas dans WEAK_PASSWORDS de saas_auth.py et satisfait
les règles de complexité → test échouait (attendait 400, obtenait 201).
abc1234 est explicitement dans la blacklist (ligne 84 de saas_auth.py).

Correction demandée par CTO en review PR #7 (HRT-63).

Co-Authored-By: Paperclip <noreply@paperclip.ing>
admin closed this pull request 2026-04-27 16:18:04 +02:00

Pull request closed

Please reopen this pull request to perform a merge.
Sign in to join this conversation.
Reviewers
No Reviewers
Labels
No items
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
admin
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: admin/turf_saas#7
Delete Branch "feature/HRT-63-password-blacklist-complexity"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?