3 Commits

Author SHA1 Message Date
Hartmut cfce1f2a15 test(shared): narrow PasswordCheckResult before reading reason
CI / Architecture Guardrails (pull_request) Successful in 6m11s
CI / Assistant Split Regression (pull_request) Successful in 7m19s
CI / Lint (pull_request) Successful in 7m59s
CI / Typecheck (pull_request) Successful in 9m28s
CI / Build (pull_request) Successful in 6m53s
CI / E2E Tests (pull_request) Successful in 6m7s
CI / Fresh-Linux Docker Deploy (pull_request) Successful in 6m52s
CI / Release Images (pull_request) Has been skipped
CI / Unit Tests (pull_request) Successful in 8m30s
CI typecheck failed because the discriminated union returned by
checkPasswordPolicy only exposes `reason` on the `{ ok: false }` branch.
Guard each `.reason` assertion with `if (!result.ok)` so the test file
typechecks under exactOptionalPropertyTypes.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-18 14:53:30 +02:00
Hartmut e01074926e security: reject common/weak passwords on every set-password path (#31)
CI / Architecture Guardrails (pull_request) Successful in 6m31s
CI / Typecheck (pull_request) Failing after 6m9s
CI / Build (pull_request) Has been skipped
CI / E2E Tests (pull_request) Has been skipped
CI / Fresh-Linux Docker Deploy (pull_request) Has been skipped
CI / Assistant Split Regression (pull_request) Successful in 7m23s
CI / Lint (pull_request) Successful in 6m54s
CI / Unit Tests (pull_request) Successful in 9m28s
CI / Release Images (pull_request) Has been skipped
Adds a synchronous policy check that blocks (1) the curated >=12-char
common-password list (rockyou top, predictable seasonal, admin defaults),
(2) trivial patterns (single-char repeat, short-pattern repeat, keyboard
or numeric sequences), and (3) passwords containing the user's email
local-part or any name component. Wired into all five password-mutation
sites: first-admin setup, admin createUser/setUserPassword, invite
acceptance, and password-reset.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-18 14:09:38 +02:00
Hartmut d9a7ec0338 test(application): bump exceljs row/column-limit test timeouts to 60s
CI / Architecture Guardrails (push) Successful in 2m39s
CI / Lint (push) Successful in 7m11s
CI / Assistant Split Regression (push) Successful in 8m57s
CI / Typecheck (push) Successful in 12m1s
CI / Unit Tests (push) Successful in 10m18s
CI / Build (push) Successful in 9m29s
CI / E2E Tests (push) Successful in 5m52s
CI / Fresh-Linux Docker Deploy (push) Successful in 6m54s
CI / Release Images (push) Successful in 4m39s
Nightly Security / Dependency Audit (push) Failing after 1m44s
Run #115 on main timed out after 30s on the Gitea runner under
concurrent-job load (writing 10001 rows via ExcelJS addRow + writeFile
is CPU-bound and CI contention pushed it past the previous threshold).
Locally these tests complete in ~1s, so doubling the budget removes
the flake without masking real regressions.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-18 14:09:10 +02:00
2 changed files with 12 additions and 12 deletions
@@ -137,7 +137,7 @@ describe("readWorksheetMatrix", () => {
await expect(readWorksheetMatrix(workbookPath, "Sheet1")).rejects.toThrow(
`exceeds the ${MAX_DISPO_WORKBOOK_ROWS} row import limit`,
);
}, 30000);
}, 60000);
it("rejects worksheets that exceed the column limit", async () => {
const directory = await makeTempDirectory();
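Review bot: the `60000` literal at the end of this hunk is a magic number that the column-limit test just below duplicates; hoist it to one named constant (e.g. `const LIMIT_TEST_TIMEOUT_MS = 60_000;`) with the rationale from the commit message (CPU-bound ExcelJS addRow + writeFile, ~1s locally, contended Gitea runner) as a comment, so the two budgets cannot drift apart and the reason survives outside git history. Doubling a timeout only widens the flake window rather than removing the contention sensitivity; if the fixture can be produced more cheaply (ExcelJS also offers a streaming `WorkbookWriter`), that would be the more durable fix.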
@@ -149,7 +149,7 @@ describe("readWorksheetMatrix", () => {
await expect(readWorksheetMatrix(workbookPath, "Sheet1")).rejects.toThrow(
`exceeds the ${MAX_DISPO_WORKBOOK_COLUMNS} column import limit`,
);
}, 30000);
}, 60000);
describe("DISPO_IMPORT_DIR allowlist", () => {
it("rejects absolute paths that escape the configured import dir", async () => {
@@ -6,13 +6,13 @@ describe("checkPasswordPolicy", () => {
it("rejects passwords shorter than 12 chars", () => {
const result = checkPasswordPolicy("short1!");
expect(result.ok).toBe(false);
expect(result.reason).toMatch(/at least 12/i);
if (!result.ok) expect(result.reason).toMatch(/at least 12/i);
});
it("rejects passwords longer than 128 chars", () => {
const result = checkPasswordPolicy("A".repeat(129));
expect(result.ok).toBe(false);
expect(result.reason).toMatch(/no more than 128/i);
if (!result.ok) expect(result.reason).toMatch(/no more than 128/i);
});
it("accepts passwords at the lower bound that pass other checks", () => {
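Review bot: `if (!result.ok) expect(result.reason)...` narrows the union, but it also lets the reason assertion vanish silently whenever `ok` is true; the only thing keeping it honest is the `expect(result.ok).toBe(false)` on the line before. A matcher form such as `expect(result).toEqual({ ok: false, reason: expect.stringMatching(/at least 12/i) })` checks both in one assertion and typechecks without a branch, or a small `assertRejected(result): asserts result is { ok: false; reason: string }` helper at the top of the file removes the repeated guard. The 129-char case also deserves a comment: `"A".repeat(129)` would trip the single-character check too, so this test pins the order in which checkPasswordPolicy runs its checks (length before pattern).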
@@ -25,25 +25,25 @@ describe("checkPasswordPolicy", () => {
it("rejects single char repeated", () => {
const result = checkPasswordPolicy("aaaaaaaaaaaa");
expect(result.ok).toBe(false);
expect(result.reason).toMatch(/single character/i);
if (!result.ok) expect(result.reason).toMatch(/single character/i);
});
it("rejects short patterns repeated", () => {
const result = checkPasswordPolicy("abcabcabcabc");
expect(result.ok).toBe(false);
expect(result.reason).toMatch(/short pattern/i);
if (!result.ok) expect(result.reason).toMatch(/short pattern/i);
});
it("rejects '1212121212121212' (2-char pattern repeated)", () => {
const result = checkPasswordPolicy("1212121212121212");
expect(result.ok).toBe(false);
expect(result.reason).toMatch(/short pattern/i);
if (!result.ok) expect(result.reason).toMatch(/short pattern/i);
});
it("rejects keyboard sequences like 'abcdefghijkl'", () => {
const result = checkPasswordPolicy("abcdefghijkl");
expect(result.ok).toBe(false);
expect(result.reason).toMatch(/sequence/i);
if (!result.ok) expect(result.reason).toMatch(/sequence/i);
});
it("rejects numeric runs like '1234567890ab'", () => {
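Review bot: the test named "keyboard sequences like 'abcdefghijkl'" exercises an alphabetical run, not a keyboard row; either rename it or add a `qwertyuiop`-style input so the keyboard-row branch the commit message lists is actually covered. All repeated-pattern inputs here are lowercase or digits; a mixed-case repeat such as `AbcAbcAbcAbc` would show whether the pattern detector is case-insensitive in the same way the common-list check in the next hunk is.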
@@ -57,13 +57,13 @@ describe("checkPasswordPolicy", () => {
it("rejects 'PasswordPassword' (case-insensitive)", () => {
const result = checkPasswordPolicy("PasswordPassword");
expect(result.ok).toBe(false);
expect(result.reason).toMatch(/commonly used/i);
if (!result.ok) expect(result.reason).toMatch(/commonly used/i);
});
it("rejects 'Welcome2026!' seasonal password", () => {
const result = checkPasswordPolicy("Welcome2026!");
expect(result.ok).toBe(false);
expect(result.reason).toMatch(/commonly used/i);
if (!result.ok) expect(result.reason).toMatch(/commonly used/i);
});
it("rejects 'Summer2025!' regardless of case", () => {
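Review bot: `Welcome2026!` and `Summer2025!` being rejected via the curated list means the list goes stale on 1 January unless someone regenerates it; matching the seasonal family by shape (e.g. `/^(welcome|summer|winter|spring|autumn|fall)\d{2,4}\W{0,2}$/i`) keeps the "commonly used" verdict for 2027 without a list edit. Adding a test for next year's value would lock that in either way.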
@@ -78,7 +78,7 @@ describe("checkPasswordPolicy", () => {
email: "hartmut@example.com",
});
expect(result.ok).toBe(false);
expect(result.reason).toMatch(/email or name/i);
if (!result.ok) expect(result.reason).toMatch(/email or name/i);
});
it("rejects passwords containing the user name", () => {
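Review bot: the email case only covers the local-part in its original casing; the `/email or name/i` expectation does not reveal which normalisation the check applies. Add an input with different casing (e.g. `HARTMUT...` against `hartmut@example.com`) and one with a plus-tag (`hartmut+test@example.com`) so the comparison is shown to lower-case both sides and to use the part before `+`, or document that it intentionally does not.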
@@ -86,7 +86,7 @@ describe("checkPasswordPolicy", () => {
name: "Hartmut Noerenberg",
});
expect(result.ok).toBe(false);
expect(result.reason).toMatch(/email or name/i);
if (!result.ok) expect(result.reason).toMatch(/email or name/i);
});
it("ignores short email locals to avoid false positives", () => {
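Review bot: `Hartmut Noerenberg` covers ASCII components only; a component with a diacritic (`Nörenberg`) or a hyphenated surname would show whether the check normalises Unicode and splits on hyphens before substring matching. Since the commit message says any name component is blocked, the "ignores short email locals" test below should also get a sibling for a short name part (a two-letter given name), otherwise the false-positive protection is only specified for the email path.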