Merge pull request #830 from codydaig/bug/password

[fix] Was storing a 6 char password in plain text [fixes #829]
meanjs · Aug 21, 2015 · 7b880e9 · 7b880e9
2 parents 9450c82 + 5c287f5
commit 7b880e9
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 1 deletion.
diff --git a/modules/users/server/models/user.server.model.js b/modules/users/server/models/user.server.model.js
@@ -107,7 +107,7 @@ var UserSchema = new Schema({
  * Hook a pre save method to hash the password
  */
 UserSchema.pre('save', function (next) {
-  if (this.password && this.isModified('password') && this.password.length > 6) {
+  if (this.password && this.isModified('password') && this.password.length >= 6) {
     this.salt = crypto.randomBytes(16).toString('base64');
     this.password = this.hashPassword(this.password);
   }

diff --git a/modules/users/tests/server/user.server.model.tests.js b/modules/users/tests/server/user.server.model.tests.js
@@ -155,6 +155,33 @@ describe('User Model Unit Tests:', function () {
 
   });
 
+  it('should not save the password in plain text', function (done) {
+    var _user = new User(user);
+    var passwordBeforeSave = _user.password;
+    _user.save(function (err) {
+      should.not.exist(err);
+      _user.password.should.not.equal(passwordBeforeSave);
+      _user.remove(function(err) {
+        should.not.exist(err);
+        done();
+      });
+    });
+  });
+
+  it('should not save the password in plain text (6 char password)', function (done) {
+    var _user = new User(user);
+    _user.password = '123456';
+    var passwordBeforeSave = _user.password;
+    _user.save(function (err) {
+      should.not.exist(err);
+      _user.password.should.not.equal(passwordBeforeSave);
+      _user.remove(function(err) {
+        should.not.exist(err);
+        done();
+      });
+    });
+  });
+
   describe("User E-mail Validation Tests", function() {
     it('should not allow invalid email address - "123"', function (done) {
       var _user = new User(user);