codeant-ai-for-open-source[bot] commented on code in PR #39469: URL: https://github.com/apache/superset/pull/39469#discussion_r3442975514
########## superset-frontend/src/utils/generateAuthDbPassword.ts: ########## @@ -0,0 +1,263 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +import { t } from '@apache-superset/core/translation'; +/** + * Client-side generator aligned with default ``AUTH_DB_CONFIG`` / Python + * ``superset.utils.auth_db_password`` (minimum length, character classes, common list). + * Keep ``AUTH_DB_COMMON_PASSWORDS`` in sync with ``_COMMON_PASSWORDS`` in that module. + */ +export const AUTH_DB_PASSWORD_MIN_LENGTH = 12; +export interface AuthDbPasswordPolicy { + password_min_length: number; + password_require_uppercase: boolean; + password_require_lowercase: boolean; + password_require_digit: boolean; + password_require_special: boolean; + password_common_list_check: boolean; +} + +export const AUTH_DB_DEFAULT_PASSWORD_POLICY: AuthDbPasswordPolicy = { + password_min_length: AUTH_DB_PASSWORD_MIN_LENGTH, + password_require_uppercase: true, + password_require_lowercase: true, + password_require_digit: true, + password_require_special: true, + password_common_list_check: true, +}; + +/** Lowercased entries; keep in sync with ``_COMMON_PASSWORDS`` in auth_db_password.py */ +const AUTH_DB_COMMON_PASSWORDS = new Set( + [ + 'password', + 'password1', + 'password123', + '123456', + '12345678', + '123456789', + 'qwerty', + 'abc123', + 'monkey', + 'letmein', + 'trustno1', + 'dragon', + 'baseball', + 'iloveyou', + 'master', + 'sunshine', + 'ashley', + 'bailey', + 'shadow', + 'superman', + 'qazwsx', + 'michael', + 'football', + 'welcome', + 'jesus', + 'ninja', + 'mustang', + 'password1!', + 'admin', + 'admin123', + 'root', + 'toor', + 'guest', + 'p@ssw0rd', + 'Passw0rd', + 'Password1', + 'Password123', + 'Welcome1', + 'Qwerty123', + ].map(s => s.toLowerCase()), +); + +const UPPER = 'ABCDEFGHJKLMNPQRSTUVWXYZ'; +const LOWER = 'abcdefghijkmnopqrstuvwxyz'; +const DIGIT = '23456789'; +const SPECIAL = '!@#$%^&*-_=+'; +const ALPHANUM = UPPER + LOWER + DIGIT; + +export interface AuthDbPasswordPolicyChecks { + minLength: boolean; + uppercase: boolean; + lowercase: boolean; + digit: boolean; + special: boolean; + commonPassword: boolean; +} + +function getCodePointLength(text: string): number { + return Array.from(text).length; +} + +function secureRandomInt(maxExclusive: number): number { + if (maxExclusive <= 0) { + throw new Error('secureRandomInt: maxExclusive must be positive'); + } + const maxUint32 = 0xffffffff; + const limit = maxUint32 - (maxUint32 % maxExclusive); + const buf = new Uint32Array(1); + let value: number; + do { + crypto.getRandomValues(buf); + value = buf[0]!; + } while (value >= limit); + return value % maxExclusive; +} + +function pick(pool: string): string { + return pool[secureRandomInt(pool.length)]!; +} + +function shuffleInPlace(chars: string[]): void { + for (let i = chars.length - 1; i > 0; i -= 1) { + const j = secureRandomInt(i + 1); + const t = chars[i]!; + chars[i] = chars[j]!; + chars[j] = t; + } +} + +function getRequiredCharacterPools( + policy: AuthDbPasswordPolicy, +): string[] { + const pools: string[] = []; + if (policy.password_require_uppercase) { + pools.push(UPPER); + } + if (policy.password_require_lowercase) { + pools.push(LOWER); + } + if (policy.password_require_digit) { + pools.push(DIGIT); + } + if (policy.password_require_special) { + pools.push(SPECIAL); + } + return pools; +} + +function getGenerationPool(policy: AuthDbPasswordPolicy): string { + let pool = ''; + if (policy.password_require_uppercase) { + pool += UPPER; + } + if (policy.password_require_lowercase) { + pool += LOWER; + } + if (policy.password_require_digit) { + pool += DIGIT; + } + if (policy.password_require_special) { + pool += SPECIAL; + } + return pool || ALPHANUM + SPECIAL; +} + +function satisfiesAuthDbPasswordPolicy( + password: string, + policy: AuthDbPasswordPolicy, +): boolean { + const checks = getAuthDbPasswordPolicyChecks(password, policy); + return Object.values(checks).every(Boolean); +} + +/** True when the string satisfies default AUTH_DB rules (mirrors backend checks). */ +export function satisfiesDefaultAuthDbPasswordPolicy(password: string): boolean { + return satisfiesAuthDbPasswordPolicy(password, AUTH_DB_DEFAULT_PASSWORD_POLICY); +} + +/** Returns rule-by-rule checks for default AUTH_DB password policy. */ +export function getAuthDbPasswordPolicyChecks( + password: string, + policy: AuthDbPasswordPolicy = AUTH_DB_DEFAULT_PASSWORD_POLICY, +): AuthDbPasswordPolicyChecks { + const minLength = Math.max(1, Number(policy.password_min_length) || 1); + return { + minLength: getCodePointLength(password) >= minLength, + uppercase: !policy.password_require_uppercase || /[A-Z]/.test(password), + lowercase: !policy.password_require_lowercase || /[a-z]/.test(password), + digit: !policy.password_require_digit || /\d/.test(password), Review Comment: **Suggestion:** The digit check uses JavaScript `\d`, which only matches ASCII digits, but the backend validator uses Python `\d` (Unicode-aware by default). This creates a frontend/backend contract mismatch where some passwords accepted by the API are blocked in the UI. Align the frontend digit rule with backend behavior (e.g., Unicode numeric category) so validation is consistent. [api mismatch] <details> <summary><b>Severity Level:</b> Major ⚠️</summary> ```mdx - ⚠️ Valid Unicode-digit passwords rejected by frontend validation. - ⚠️ Password rules differ between AUTH_DB backend and UI. - ⚠️ Users see spurious "must contain digit" errors. ``` </details> <details> <summary><b>Steps of Reproduction ✅ </b></summary> ```mdx 1. Run Superset with `AUTH_TYPE` set to `AUTH_DB`, so the password change API `PUT /api/v1/me/password` is enabled; the backend handler `update_my_password` in `superset/views/users/api.py:42-47` enforces this and calls `validate_auth_db_password` at `superset/views/users/api.py:53-56`. 2. From the UI, open a password change flow that uses the shared AUTH_DB password policy helpers, such as the self-service `ChangePasswordModal` (rendered from `UserInfo` in `src/pages/UserInfo/index.tsx:126-170` and implemented in `src/features/userInfo/UserInfoModal.tsx:145-235`) or the admin `UserListResetPasswordModal` in `src/features/users/UserListResetPasswordModal.tsx:49-107`, both of which call `getAuthDbPasswordPolicyError` from `src/utils/generateAuthDbPassword.ts:205-234` via a FormItem `validator`. 3. In the modal, enter a candidate password that contains a Unicode digit but no ASCII digits, for example `Abcdefg!٤` (where `٤` is an Arabic-Indic digit); the frontend `digit` check in `getAuthDbPasswordPolicyChecks` uses the JavaScript regex `/\d/` on line 195 of `src/utils/generateAuthDbPassword.ts`, which only recognizes ASCII `0-9`, so `digit` is `false`, `getAuthDbPasswordPolicyError` returns "Password must contain at least one digit." (lines 223-225), and the form `validator` in `UserInfoModal.tsx:159-175` or `UserListResetPasswordModal.tsx:132-148` rejects the submission with a validation error. 4. On the backend, the AUTH_DB validator `validate_auth_db_password` in `superset/utils/auth_db_password.py:175-187` uses Python's `re.search(r"\d", password)` (line 185), where `\d` is Unicode-aware and matches the non-ASCII digit `٤`, so the same password satisfies the digit requirement server-side and would be accepted by `PUT /api/v1/me/password` (`superset/views/users/api.py:48-56`) if sent, demonstrating a concrete frontend/backend contract mismatch. ``` </details> [](https://app.codeant.ai/fix-in-ide?tool=cursor&prompt_id=dd733e1c683642618ebbf19f3db5506c&service=github&base_url=https%3A%2F%2Fgithub.com&org=apache&repo=apache%2Fsuperset) [](https://app.codeant.ai/fix-in-ide?tool=vscode-claude&prompt_id=dd733e1c683642618ebbf19f3db5506c&service=github&base_url=https%3A%2F%2Fgithub.com&org=apache&repo=apache%2Fsuperset) *(Use Cmd/Ctrl + Click for best experience)* <details> <summary><b>Prompt for AI Agent 🤖 </b></summary> ```mdx This is a comment left during a code review. **Path:** superset-frontend/src/utils/generateAuthDbPassword.ts **Line:** 195:195 **Comment:** *Api Mismatch: The digit check uses JavaScript `\d`, which only matches ASCII digits, but the backend validator uses Python `\d` (Unicode-aware by default). This creates a frontend/backend contract mismatch where some passwords accepted by the API are blocked in the UI. Align the frontend digit rule with backend behavior (e.g., Unicode numeric category) so validation is consistent. Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise. Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix ``` </details> <a href='https://app.codeant.ai/feedback?pr_url=https%3A%2F%2Fgithub.com%2Fapache%2Fsuperset%2Fpull%2F39469&comment_hash=b628454935513927b58f0bbac18c01d58832720a2da7a53a01d26e743ab06c35&reaction=like'>👍</a> | <a href='https://app.codeant.ai/feedback?pr_url=https%3A%2F%2Fgithub.com%2Fapache%2Fsuperset%2Fpull%2F39469&comment_hash=b628454935513927b58f0bbac18c01d58832720a2da7a53a01d26e743ab06c35&reaction=dislike'>👎</a> -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
