Fixed password reset service

tallen42 · tallen42 · commit 108ef3c4fc04 · 2026-02-02T01:20:42.000-05:00
diff --git a/selfservice/blueprints/change.py b/selfservice/blueprints/change.py
@@ -4,7 +4,8 @@
 """
 
 from flask import Blueprint, render_template, request, redirect, flash
-from selfservice.utilities.reset import passwd_change, PasswordChangeFailed
+from selfservice.utilities.reset import passwd_change, PasswordChangeFailed, PasswordPolicyViolation, \
+    CurrentPasswordInvalid
 from selfservice import version
 
 change_bp = Blueprint("change", __name__)
@@ -24,14 +25,15 @@ def change():
     verify = request.form.get("verify")
 
     if new_pw == verify:
-        if len(new_pw) >= 12:
-            try:
-                passwd_change(username, old_pw, new_pw)
-                return render_template("success.html", reset=True, version=version)
-            except PasswordChangeFailed:
-                flash("Incorrect password, please try again.")
-        else:
-            flash("Your password does not meet the requirements below.")
+        try:
+            passwd_change(username, old_pw, new_pw)
+            return render_template("success.html", reset=True, version=version)
+        except CurrentPasswordInvalid:
+            flash("Your current password is incorrect, please try again.")
+        except PasswordPolicyViolation as e:
+            flash("Your new password does not match the requirements:", e.message)
+        except PasswordChangeFailed:
+            flash("An unknown error occurred.")
     else:
         flash("Whoops, those passwords didn't match!")
 
diff --git a/selfservice/utilities/reset.py b/selfservice/utilities/reset.py
@@ -29,6 +29,20 @@ class PasswordChangeFailed(Exception):
 
     pass
 
+class CurrentPasswordInvalid(Exception):
+    """
+    Error raised when the current password is invalid.
+    """
+    pass
+
+class PasswordPolicyViolation(Exception):
+    """
+    Error raised when the new password doesn't meet the password policy
+    """
+    def __init__(self, message):
+        self.message = message
+
+
 
 def generate_token(session):
     """
@@ -138,10 +152,22 @@ def passwd_change(username, old_pw, new_pw):
     # Find FreeIPA server
     ldap_srvs = srvlookup.lookup("ldap", "tcp", "csh.rit.edu")
     ldap_uri = ldap_srvs[0].hostname
+    password_url = f"https://{ldap_uri}/ipa/session/change_password"
+    headers = {
+        "Referer": password_url,
+        "Content-Type": "application/x-www-form-urlencoded",
+        "Accept": "text/plain",
+    }
     change = requests.post(
-        f"https://{ldap_uri}/ipa/session/change_password",
+        password_url,
+        headers=headers,
         data={"user": username, "old_password": old_pw, "new_password": new_pw},
         timeout=30,
     )
-    if change.headers.get("X-IPA-Pwchange-Result") == "invalid-password":
+    pwchange_result = change.headers.get("X-IPA-Pwchange-Result")
+    if pwchange_result == "invalid-password":
+        raise CurrentPasswordInvalid
+    if pwchange_result == "policy-error":
+        raise PasswordPolicyViolation(change.headers.get("X-IPA-Pwchange-Policy-Error"))
+    if pwchange_result != "ok" or change.status_code != 200:
         raise PasswordChangeFailed
