From bbb07b4e7ede832d69b8fe0089e0707c915710fc Mon Sep 17 00:00:00 2001
From: Matthew Burke
Date: Wed, 5 Apr 2023 17:15:30 +0100
Subject: [PATCH] Cognito: Validate password in NEW_PASSWORD_REQUIRED (#6174)
---
moto/cognitoidp/models.py | 3 +++
tests/test_cognitoidp/test_server.py | 6 +++---
2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/moto/cognitoidp/models.py b/moto/cognitoidp/models.py
index fed3ae33e..d0e19a2e3 100644
--- a/moto/cognitoidp/models.py
+++ b/moto/cognitoidp/models.py
@@ -1474,6 +1474,9 @@ class CognitoIdpBackend(BaseBackend):
 if challenge_name == "NEW_PASSWORD_REQUIRED":
 username: str = challenge_responses.get("USERNAME") # type: ignore[assignment]
 new_password = challenge_responses.get("NEW_PASSWORD")
+ if not new_password:
+ raise InvalidPasswordException()
+ self._validate_password(user_pool.id, new_password)
 user = self.admin_get_user(user_pool.id, username)
 user.password = new_password
diff --git a/tests/test_cognitoidp/test_server.py b/tests/test_cognitoidp/test_server.py
index c14b42316..4fde36609 100644
--- a/tests/test_cognitoidp/test_server.py
+++ b/tests/test_cognitoidp/test_server.py
@@ -132,7 +132,7 @@ def test_admin_create_user_without_authentication():
 data = {
 "UserPoolId": user_pool_id,
 "Username": "test@gmail.com",
- "TemporaryPassword": "12345678",
+ "TemporaryPassword": "A!1a12345678",
 }
 res = test_client.post(
 "/",
@@ -148,7 +148,7 @@ def test_admin_create_user_without_authentication():
 data = {
 "ClientId": client_id,
 "AuthFlow": "USER_PASSWORD_AUTH",
- "AuthParameters": {"USERNAME": "test@gmail.com", "PASSWORD": "12345678"},
+ "AuthParameters": {"USERNAME": "test@gmail.com", "PASSWORD": "A!1a12345678"},
 }
 res = test_client.post(
 "/",
@@ -163,7 +163,7 @@ def test_admin_create_user_without_authentication():
 "ChallengeName": "NEW_PASSWORD_REQUIRED",
 "ChallengeResponses": {
 "USERNAME": "test@gmail.com",
- "NEW_PASSWORD": "abcdefgh",
+ "NEW_PASSWORD": "A!1aabcdefgh",
 },
 "Session": session,
 }
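Review bot: The added guard `if not new_password: raise InvalidPasswordException()` sits directly above `self._validate_password(user_pool.id, new_password)`, but nothing in the hunk records why an explicit missing/empty check is needed in addition to the policy check, and how `_validate_password` treats `None` is not visible here. A one-line comment above the guard would make the intent durable, e.g. `# NEW_PASSWORD is optional in the challenge response; reject a missing or empty value before applying the pool's password policy`. Note also that validation now runs before `admin_get_user`, so a request with an unknown USERNAME and a policy-violating password surfaces as InvalidPasswordException rather than a user-lookup error; if that ordering is deliberate it is worth stating in the same comment. The enclosing method continues past `user.password = new_password` outside the hunk, so the state transition that presumably follows cannot be checked from here.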
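Review bot: The fixture update only covers the happy path — every password in this test (`"A!1a12345678"`, `"A!1aabcdefgh"`) now satisfies the policy, so the new rejection branch for NEW_PASSWORD_REQUIRED is not exercised anywhere in this commit. A second challenge response in the same flow that sends a policy-violating or missing NEW_PASSWORD and asserts the InvalidPasswordException error body would pin the behavior the models.py change introduces; the two earlier hunks in this file only swap data values and need no separate treatment. The test function continues outside the hunk, so whether the final response is asserted cannot be seen here.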