Cognito: Validate password in NEW_PASSWORD_REQUIRED (#6174)

2023-04-05 17:15:30 +01:00 · 2023-04-05 17:15:30 +01:00 · bbb07b4e7e
commit bbb07b4e7e
parent f424c6ac05
2 changed files with 6 additions and 3 deletions
--- a/moto/cognitoidp/models.py
+++ b/moto/cognitoidp/models.py
@ -1474,6 +1474,9 @@ class CognitoIdpBackend(BaseBackend):
        if challenge_name == "NEW_PASSWORD_REQUIRED":
            username: str = challenge_responses.get("USERNAME")  # type: ignore[assignment]
            new_password = challenge_responses.get("NEW_PASSWORD")
+            if not new_password:
+                raise InvalidPasswordException()
+            self._validate_password(user_pool.id, new_password)
            user = self.admin_get_user(user_pool.id, username)

            user.password = new_password
--- a/tests/test_cognitoidp/test_server.py
+++ b/tests/test_cognitoidp/test_server.py
@ -132,7 +132,7 @@ def test_admin_create_user_without_authentication():
    data = {
        "UserPoolId": user_pool_id,
        "Username": "test@gmail.com",
-        "TemporaryPassword": "12345678",
+        "TemporaryPassword": "A!1a12345678",
    }
    res = test_client.post(
        "/",
@ -148,7 +148,7 @@ def test_admin_create_user_without_authentication():
    data = {
        "ClientId": client_id,
        "AuthFlow": "USER_PASSWORD_AUTH",
-        "AuthParameters": {"USERNAME": "test@gmail.com", "PASSWORD": "12345678"},
+        "AuthParameters": {"USERNAME": "test@gmail.com", "PASSWORD": "A!1a12345678"},
    }
    res = test_client.post(
        "/",
@ -163,7 +163,7 @@ def test_admin_create_user_without_authentication():
        "ChallengeName": "NEW_PASSWORD_REQUIRED",
        "ChallengeResponses": {
            "USERNAME": "test@gmail.com",
-            "NEW_PASSWORD": "abcdefgh",
+            "NEW_PASSWORD": "A!1aabcdefgh",
        },
        "Session": session,
    }