Better fix for mismatching passwords on signup

jupyterhub · Sep 17, 2024 · 7e5e197 · 7e5e197
1 parent 2760f19
commit 7e5e197
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 17 deletions.
diff --git a/nativeauthenticator/handlers.py b/nativeauthenticator/handlers.py
@@ -164,33 +164,31 @@ async def post(self):
                 else:
                     self.authenticator.log.error("Failed reCaptcha")
 
+        # Collect various information for precise (error) messages.
+        password = self.get_body_argument("signup_password", strip=False)
+        confirmation = self.get_body_argument(
+            "signup_password_confirmation", strip=False
+        )
+        confirmation_matches = password == confirmation
+        user_is_admin = user_info["username"] in self.authenticator.admin_users
+
         if assume_user_is_human:
             user_info = {
                 "username": self.get_body_argument("username", strip=False),
                 "password": self.get_body_argument("signup_password", strip=False),
-                "password_confirmation": self.get_body_argument(
-                    "signup_password_confirmation", strip=False
-                ),
                 "email": self.get_body_argument("email", "", strip=False),
                 "has_2fa": bool(self.get_body_argument("2fa", "", strip=False)),
             }
             username_already_taken = self.authenticator.user_exists(
                 user_info["username"]
             )
 
-            user = self.authenticator.create_user(**user_info)
+            if not username_already_taken and confirmation_matches:
+                user = self.authenticator.create_user(**user_info)
         else:
             username_already_taken = False
             user = None
 
-        # Collect various information for precise (error) messages.
-        password = self.get_body_argument("signup_password", strip=False)
-        confirmation = self.get_body_argument(
-            "signup_password_confirmation", strip=False
-        )
-        confirmation_matches = password == confirmation
-        user_is_admin = user_info["username"] in self.authenticator.admin_users
-
         # Call helper function from above for precise alert-level and message.
         alert, message = self.get_result_message(
             user,

diff --git a/nativeauthenticator/nativeauthenticator.py b/nativeauthenticator/nativeauthenticator.py
@@ -291,15 +291,12 @@ def get_authed_users(self):
     def user_exists(self, username):
         return self.get_user(username) is not None
 
-    def create_user(self, username, password, password_confirmation, **kwargs):
+    def create_user(self, username, password, **kwargs):
         username = self.normalize_username(username)
 
         if self.user_exists(username) or not self.validate_username(username):
             return
 
-        if not password == password_confirmation:
-            return
-
         if not self.is_password_strong(password):
             return
 
@@ -432,7 +429,7 @@ def add_data_from_firstuse(self):
         with dbm.open(self.firstuse_db_path, "c", 0o600) as db:
             for user in db.keys():
                 password = db[user].decode()
-                new_user = self.create_user(user.decode(), password, password)
+                new_user = self.create_user(user.decode(), password)
                 if not new_user:
                     error = (
                         f"User {user} was not created. Check password "