FIx #43: Ensure fallback validator is called with correct value.

ubernostrum · ubernostrum · commit 66369f685ab2 · 2025-03-08T18:01:59.000-08:00
This also fixes the tests for hte fallback behavior, which were
incorrect and as a result masked the fact that the fallback was being
used incorrectly in the sync path.
diff --git a/src/pwned_passwords_django/middleware.py b/src/pwned_passwords_django/middleware.py
@@ -83,7 +83,7 @@ def _scan_payload_sync(request: http.HttpRequest) -> typing.List[str]:
             "Falling back to Django CommonPasswordValidator due "
             "to error contacting Pwned Passwords."
         )
-        return [key for key in keys_to_search if _fallback(key)]
+        return [key for key in keys_to_search if _fallback(request.POST[key])]
 
 
 @sync_and_async_middleware
@@ -195,7 +195,7 @@ def middleware(request: http.HttpRequest) -> http.HttpResponse:
             containing likely passwords against the Pwned Passwords database.
 
             """
-            request.pwned_passwords = {}
+            request.pwned_passwords = []
             if request.method == "POST":
                 request.pwned_passwords = _scan_payload_sync(request)
             response = get_response(request)
diff --git a/tests/test_middleware.py b/tests/test_middleware.py
@@ -241,8 +241,8 @@ async def test_custom_regex_async(self):
 
     def test_error_handler(self):
         """
-        The middleware will catch a PwnedPasswordsError and set
-        ``request.pwned_passwords`` based on CommonPasswordValidator.
+        If the sync middleware fails and the submitted password is not in
+        Django's common passwords list, request.pwned_passwords will be empty.
 
         """
         sync_mock, _ = self.api_error_mocks()
@@ -251,14 +251,38 @@ def test_error_handler(self):
                 self.test_clean, data={"password": get_random_string(length=20)}
             )
 
+    def test_error_handler_bad_password(self):
+        """
+        If the sync mdidleware fails and the submitted password is in Django's
+        common passwords list, the request.pwned_passwords list is still
+        correctly populated.
+
+        """
+        sync_mock, _ = self.api_error_mocks()
+        with mock.patch("pwned_passwords_django.api.check_password", sync_mock):
+            self.client.post(self.test_breach, data={"password": "password"})
+
     async def test_error_handler_async(self):
         """
-        The async middleware will catch a PwnedPasswordsError and set
-        ``request.pwned_passwords`` to an empty dictionary.
+        If the async middleware fails and the submitted password is not in
+        Django's common passwords list, request.pwned_passwords will be empty.
 
         """
-        async_mock, _ = self.api_error_mocks()
+        _, async_mock = self.api_error_mocks()
         with mock.patch("pwned_passwords_django.api.check_password_async", async_mock):
             await self.async_client.post(
                 self.test_clean_async, data={"password": get_random_string(length=20)}
             )
+
+    async def test_error_handler_async_bad_password(self):
+        """
+        If the async mdidleware fails and the submitted password is in Django's
+        common passwords list, the request.pwned_passwords list is still
+        correctly populated.
+
+        """
+        _, async_mock = self.api_error_mocks()
+        with mock.patch("pwned_passwords_django.api.check_password_async", async_mock):
+            await self.async_client.post(
+                self.test_breach_async, data={"password": "password"}
+            )
diff --git a/tests/urls.py b/tests/urls.py
@@ -27,7 +27,7 @@ async def async_view(request):
     return HttpResponse("Content.")
 
 
-def breach_count(request, field):
+def breach(request, field):
     """
     A view which asserts that it received a compromised password, in the given
     ``field``.
@@ -39,7 +39,7 @@ def breach_count(request, field):
     return HttpResponse("Content.")
 
 
-async def async_breach_count(request, field):
+async def async_breach(request, field):
     """
     An async view which asserts that it received a compromised password, in the
     given ``field``.
@@ -84,14 +84,10 @@ async def async_clean(request):
         async_view,
         name="pwned-middleware-async",
     ),
-    path(
-        "pwned-passwords-django/tests/<str:field>/",
-        breach_count,
-        name="pwned-breach",
-    ),
+    path("pwned-passwords-django/tests/<str:field>/", breach, name="pwned-breach"),
     path(
         "pwned-passwords-django/tests/async/<str:field>/",
-        async_breach_count,
+        async_breach,
         name="pwned-breach-async",
     ),
     path(
