Add password policy integration tests (#7489)

* Add password policy integration tests and helper method for generating valid passwords

* Update prodbackend tests to include password policy tests

* Update README with password policy integration testing instructions

Author: ch5zzy

packages/auth/README.md

@@ -54,7 +54,7 @@ firebase emulators:exec --project foo-bar --only auth "yarn test:integration:loc
 
 ### Integration testing with the production backend
 
-Currently, MFA TOTP tests only run against the production backend (since they are not supported on the emulator yet).
+Currently, MFA TOTP and password policy tests only run against the production backend (since they are not supported on the emulator yet).
 Running against the backend also makes it a more reliable end-to-end test.
 
 The TOTP tests require the following email/password combination to exist in the project, so if you are running this test against your test project, please create this user:
@@ -71,6 +71,33 @@ curl   -H "Authorization: Bearer $(gcloud auth print-access-token)"   -H "Conten
     }'
 ```
 
+The password policy tests require a tenant configured with a password policy that requires all options to exist in the project.
+
+If you are running this test against your test project, please create the tenant and configure the policy with the following curl command:
+
+```
+curl   -H "Authorization: Bearer $(gcloud auth print-access-token)"   -H "Content-Type: application/json"   -H "X-Goog-User-Project: ${PROJECT_ID}"   -X POST https://identitytoolkit.googleapis.com/v2/projects/${PROJECT_ID}/tenants   -d     '{
+      "displayName": "passpol-tenant",
+      "passwordPolicyConfig": {
+        "passwordPolicyEnforcementState": "ENFORCE",
+        "passwordPolicyVersions": [
+          {
+            "customStrengthOptions": {
+              "minPasswordLength": 8,
+              "maxPasswordLength": 24,
+              "containsLowercaseCharacter": true,
+              "containsUppercaseCharacter": true,
+              "containsNumericCharacter": true,
+              "containsNonAlphanumericCharacter": true
+            }
+          }
+        ]
+      }
+    }'
+```
+
+Replace the tenant ID `passpol-tenant-d7hha` in [test/integration/flows/password_policy.test.ts](https://github.com/firebase/firebase-js-sdk/blob/master/packages/auth/test/integration/flows/password_policy.test.ts) with the ID for the newly created tenant. The tenant ID can be found at the end of the `name` property in the response and is in the format `passpol-tenant-xxxxx`.
+
 ### Selenium Webdriver tests
 
 These tests assume that you have both Firefox and Chrome installed on your

packages/auth/karma.conf.js

@@ -38,7 +38,10 @@ function getTestFiles(argv) {
     return ['src/**/*.test.ts', 'test/helpers/**/*.test.ts'];
   } else if (argv.integration) {
     if (argv.prodbackend) {
-      return ['test/integration/flows/totp.test.ts'];
+      return [
+        'test/integration/flows/totp.test.ts',
+        'test/integration/flows/password_policy.test.ts'
+      ];
     }
     return argv.local
       ? ['test/integration/flows/*.test.ts']

packages/auth/test/helpers/integration/helpers.ts

@@ -25,6 +25,7 @@ import { getAppConfig, getEmulatorUrl } from './settings';
 import { resetEmulator } from './emulator_rest_helpers';
 // @ts-ignore - ignore types since this is only used in tests.
 import totp from 'totp-generator';
+import { _castAuth } from '../../../internal';
 interface IntegrationTestAuth extends Auth {
   cleanUp(): Promise<void>;
 }
@@ -116,3 +117,37 @@ export const email = '[email protected]';
 export const fakePassword = 'password';
 //1000000 is always incorrect since it has 7 digits and we expect 6.
 export const incorrectTotpCode = '1000000';
+
+/**
+ * Generates a valid password for the project or tenant password policy in the Auth instance.
+ * @param auth The {@link Auth} instance.
+ * @returns A valid password according to the password policy.
+ */
+export async function generateValidPassword(auth: Auth): Promise<string> {
+  if (getEmulatorUrl()) {
+    return 'password';
+  }
+
+  // Fetch the policy using the Auth instance if one is not cached.
+  const authInternal = _castAuth(auth);
+  if (!authInternal._getPasswordPolicyInternal()) {
+    await authInternal._updatePasswordPolicy();
+  }
+
+  const passwordPolicy = authInternal._getPasswordPolicyInternal()!;
+  const options = passwordPolicy.customStrengthOptions;
+
+  // Create a string that satisfies all possible options (uppercase, lowercase, numeric, and special characters).
+  const nonAlphaNumericCharacter =
+    passwordPolicy.allowedNonAlphanumericCharacters.charAt(0);
+  const stringWithAllOptions = 'aA0' + nonAlphaNumericCharacter;
+
+  // Repeat the string enough times to fill up the minimum password length.
+  const minPasswordLength = options.minPasswordLength ?? 6;
+  const password = stringWithAllOptions.repeat(
+    Math.round(minPasswordLength / stringWithAllOptions.length)
+  );
+
+  // Return a string that is only as long as the minimum length required by the policy.
+  return password.substring(0, minPasswordLength);
+}

packages/auth/test/integration/flows/anonymous.test.ts

@@ -65,17 +65,21 @@ describe('Integration test: anonymous auth', () => {
 
   context('email/password interaction', () => {
     let email: string;
+    let password: string;
 
     beforeEach(() => {
       email = randomEmail();
+      password = 'password';
+      // Uncomment the following line if you want an autogenerated password that complies with password policy in the test project.
+      // password = await generateValidPassword(auth);
     });
 
     it('anonymous / email-password accounts remain independent', async () => {
       let anonCred = await signInAnonymously(auth);
       const emailCred = await createUserWithEmailAndPassword(
         auth,
         email,
-        'password'
+        password
       );
       expect(emailCred.user.uid).not.to.eql(anonCred.user.uid);
 
@@ -84,7 +88,7 @@ describe('Integration test: anonymous auth', () => {
       const emailSignIn = await signInWithEmailAndPassword(
         auth,
         email,
-        'password'
+        password
       );
       expect(emailCred.user.uid).to.eql(emailSignIn.user.uid);
       expect(emailSignIn.user.uid).not.to.eql(anonCred.user.uid);
@@ -93,36 +97,36 @@ describe('Integration test: anonymous auth', () => {
     it('account can be upgraded by setting email and password', async () => {
       const { user: anonUser } = await signInAnonymously(auth);
       await updateEmail(anonUser, email);
-      await updatePassword(anonUser, 'password');
+      await updatePassword(anonUser, password);
 
       await auth.signOut();
 
       const { user: emailPassUser } = await signInWithEmailAndPassword(
         auth,
         email,
-        'password'
+        password
       );
       expect(emailPassUser.uid).to.eq(anonUser.uid);
     });
 
     it('account can be linked using email and password', async () => {
       const { user: anonUser } = await signInAnonymously(auth);
-      const cred = EmailAuthProvider.credential(email, 'password');
+      const cred = EmailAuthProvider.credential(email, password);
       await linkWithCredential(anonUser, cred);
       await auth.signOut();
 
       const { user: emailPassUser } = await signInWithEmailAndPassword(
         auth,
         email,
-        'password'
+        password
       );
       expect(emailPassUser.uid).to.eq(anonUser.uid);
     });
 
     it('account cannot be linked with existing email/password', async () => {
-      await createUserWithEmailAndPassword(auth, email, 'password');
+      await createUserWithEmailAndPassword(auth, email, password);
       const { user: anonUser } = await signInAnonymously(auth);
-      const cred = EmailAuthProvider.credential(email, 'password');
+      const cred = EmailAuthProvider.credential(email, password);
       await expect(linkWithCredential(anonUser, cred)).to.be.rejectedWith(
         FirebaseError,
         'auth/email-already-in-use'

packages/auth/test/integration/flows/email.test.ts

@@ -45,9 +45,14 @@ use(chaiAsPromised);
 describe('Integration test: email/password auth', () => {
   let auth: Auth;
   let email: string;
+  let password: string;
+
   beforeEach(() => {
     auth = getTestInstance();
     email = randomEmail();
+    password = 'password';
+    // Uncomment the following line if you want an autogenerated password that complies with password policy in the test project.
+    // password = await generateValidPassword(auth);
   });
 
   afterEach(() => cleanUpTestInstance(auth));
@@ -56,7 +61,7 @@ describe('Integration test: email/password auth', () => {
     const userCred = await createUserWithEmailAndPassword(
       auth,
       email,
-      'password'
+      password
     );
     expect(auth.currentUser).to.eq(userCred.user);
     expect(userCred.operationType).to.eq(OperationType.SIGN_IN);
@@ -76,29 +81,25 @@ describe('Integration test: email/password auth', () => {
   });
 
   it('errors when createUser called twice', async () => {
-    await createUserWithEmailAndPassword(auth, email, 'password');
+    await createUserWithEmailAndPassword(auth, email, password);
     await expect(
-      createUserWithEmailAndPassword(auth, email, 'password')
+      createUserWithEmailAndPassword(auth, email, password)
     ).to.be.rejectedWith(FirebaseError, 'auth/email-already-in-use');
   });
 
   context('with existing user', () => {
     let signUpCred: UserCredential;
 
     beforeEach(async () => {
-      signUpCred = await createUserWithEmailAndPassword(
-        auth,
-        email,
-        'password'
-      );
+      signUpCred = await createUserWithEmailAndPassword(auth, email, password);
       await auth.signOut();
     });
 
     it('allows the user to sign in with signInWithEmailAndPassword', async () => {
       const signInCred = await signInWithEmailAndPassword(
         auth,
         email,
-        'password'
+        password
       );
       expect(auth.currentUser).to.eq(signInCred.user);
 
@@ -110,7 +111,7 @@ describe('Integration test: email/password auth', () => {
     });
 
     it('allows the user to sign in with signInWithCredential', async () => {
-      const credential = EmailAuthProvider.credential(email, 'password');
+      const credential = EmailAuthProvider.credential(email, password);
       const signInCred = await signInWithCredential(auth, credential);
       expect(auth.currentUser).to.eq(signInCred.user);
 
@@ -122,7 +123,7 @@ describe('Integration test: email/password auth', () => {
     });
 
     it('allows the user to update profile', async () => {
-      let { user } = await signInWithEmailAndPassword(auth, email, 'password');
+      let { user } = await signInWithEmailAndPassword(auth, email, password);
       await updateProfile(user, {
         displayName: 'Display Name',
         photoURL: 'photo-url'
@@ -132,17 +133,13 @@ describe('Integration test: email/password auth', () => {
 
       await auth.signOut();
 
-      user = (await signInWithEmailAndPassword(auth, email, 'password')).user;
+      user = (await signInWithEmailAndPassword(auth, email, password)).user;
       expect(user.displayName).to.eq('Display Name');
       expect(user.photoURL).to.eq('photo-url');
     });
 
     it('allows the user to delete the account', async () => {
-      const { user } = await signInWithEmailAndPassword(
-        auth,
-        email,
-        'password'
-      );
+      const { user } = await signInWithEmailAndPassword(auth, email, password);
       await user.delete();
 
       await expect(reload(user)).to.be.rejectedWith(
@@ -152,28 +149,28 @@ describe('Integration test: email/password auth', () => {
 
       expect(auth.currentUser).to.be.null;
       await expect(
-        signInWithEmailAndPassword(auth, email, 'password')
+        signInWithEmailAndPassword(auth, email, password)
       ).to.be.rejectedWith(FirebaseError, 'auth/user-not-found');
     });
 
     it('sign in can be called twice successively', async () => {
       const { user: userA } = await signInWithEmailAndPassword(
         auth,
         email,
-        'password'
+        password
       );
       const { user: userB } = await signInWithEmailAndPassword(
         auth,
         email,
-        'password'
+        password
       );
       expect(userA.uid).to.eq(userB.uid);
     });
 
     generateMiddlewareTests(
       () => auth,
       () => {
-        return signInWithEmailAndPassword(auth, email, 'password');
+        return signInWithEmailAndPassword(auth, email, password);
       }
     );
   });

packages/auth/test/integration/flows/middleware_test_generator.ts

@@ -34,10 +34,14 @@ export function generateMiddlewareTests(
   context('middleware', () => {
     let auth: Auth;
     let unsubscribes: Array<() => void>;
+    let password: string;
 
     beforeEach(() => {
       auth = authGetter();
       unsubscribes = [];
+      password = 'password';
+      // Uncomment the following line if you want an autogenerated password that complies with password policy in the test project.
+      // password = await generateValidPassword(auth);
     });
 
     afterEach(() => {
@@ -81,7 +85,7 @@ export function generateMiddlewareTests(
       const { user: baseUser } = await createUserWithEmailAndPassword(
         auth,
         randomEmail(),
-        'password'
+        password
       );
 
       beforeAuthStateChanged(() => {
@@ -115,7 +119,7 @@ export function generateMiddlewareTests(
       const { user: baseUser } = await createUserWithEmailAndPassword(
         auth,
         randomEmail(),
-        'password'
+        password
       );
 
       beforeAuthStateChanged(() => {
@@ -148,7 +152,7 @@ export function generateMiddlewareTests(
       const { user: baseUser } = await createUserWithEmailAndPassword(
         auth,
         randomEmail(),
-        'password'
+        password
       );
 
       // Also check that the function is called multiple
@@ -172,7 +176,7 @@ export function generateMiddlewareTests(
       const { user: baseUser } = await createUserWithEmailAndPassword(
         auth,
         randomEmail(),
-        'password'
+        password
       );
 
       // Also check that the function is called multiple