Fix #43: Ensure fallback validator is called with correct value.

ubernostrum · ubernostrum · commit dbf7c74920d0 · 2025-03-08T18:05:43.000-08:00
This also fixes the tests for hte fallback behavior, which were
incorrect and as a result masked the fact that the fallback was being
used incorrectly in the sync path.

Thanks Aguswahyudi Steven for noticing the bug with the fallback, and
for the initial patch.
diff --git a/src/pwned_passwords_django/middleware.py b/src/pwned_passwords_django/middleware.py
@@ -83,7 +83,7 @@ def _scan_payload_sync(request: http.HttpRequest) -> typing.List[str]:
             "Falling back to Django CommonPasswordValidator due "
             "to error contacting Pwned Passwords."
         )
-        return [key for key in keys_to_search if _fallback(key)]
+        return [key for key in keys_to_search if _fallback(request.POST[key])]
 
 
 @sync_and_async_middleware
@@ -195,7 +195,7 @@ def middleware(request: http.HttpRequest) -> http.HttpResponse:
             containing likely passwords against the Pwned Passwords database.
 
             """
-            request.pwned_passwords = {}
+            request.pwned_passwords = []
             if request.method == "POST":
                 request.pwned_passwords = _scan_payload_sync(request)
             response = get_response(request)
diff --git a/tests/test_middleware.py b/tests/test_middleware.py
@@ -241,8 +241,8 @@ async def test_custom_regex_async(self):
 
     def test_error_handler(self):
         """
-        The middleware will catch a PwnedPasswordsError and set
-        ``request.pwned_passwords`` based on CommonPasswordValidator.
+        If the sync middleware fails and the submitted password is not in
+        Django's common passwords list, request.pwned_passwords will be empty.
 
         """
         sync_mock, _ = self.api_error_mocks()
@@ -251,14 +251,38 @@ def test_error_handler(self):
                 self.test_clean, data={"password": get_random_string(length=20)}
             )
 
+    def test_error_handler_bad_password(self):
+        """
+        If the sync mdidleware fails and the submitted password is in Django's
+        common passwords list, the request.pwned_passwords list is still
+        correctly populated.
+
+        """
+        sync_mock, _ = self.api_error_mocks()
+        with mock.patch("pwned_passwords_django.api.check_password", sync_mock):
+            self.client.post(self.test_breach, data={"password": "password"})
+
     async def test_error_handler_async(self):
         """
-        The async middleware will catch a PwnedPasswordsError and set
-        ``request.pwned_passwords`` to an empty dictionary.
+        If the async middleware fails and the submitted password is not in
+        Django's common passwords list, request.pwned_passwords will be empty.
 
         """
-        async_mock, _ = self.api_error_mocks()
+        _, async_mock = self.api_error_mocks()
         with mock.patch("pwned_passwords_django.api.check_password_async", async_mock):
             await self.async_client.post(
                 self.test_clean_async, data={"password": get_random_string(length=20)}
             )
+
+    async def test_error_handler_async_bad_password(self):
+        """
+        If the async mdidleware fails and the submitted password is in Django's
+        common passwords list, the request.pwned_passwords list is still
+        correctly populated.
+
+        """
+        _, async_mock = self.api_error_mocks()
+        with mock.patch("pwned_passwords_django.api.check_password_async", async_mock):
+            await self.async_client.post(
+                self.test_breach_async, data={"password": "password"}
+            )
diff --git a/tests/urls.py b/tests/urls.py
@@ -27,7 +27,7 @@ async def async_view(request):
     return HttpResponse("Content.")
 
 
-def breach_count(request, field):
+def breach(request, field):
     """
     A view which asserts that it received a compromised password, in the given
     ``field``.
@@ -39,7 +39,7 @@ def breach_count(request, field):
     return HttpResponse("Content.")
 
 
-async def async_breach_count(request, field):
+async def async_breach(request, field):
     """
     An async view which asserts that it received a compromised password, in the
     given ``field``.
@@ -84,14 +84,10 @@ async def async_clean(request):
         async_view,
         name="pwned-middleware-async",
     ),
-    path(
-        "pwned-passwords-django/tests/<str:field>/",
-        breach_count,
-        name="pwned-breach",
-    ),
+    path("pwned-passwords-django/tests/<str:field>/", breach, name="pwned-breach"),
     path(
         "pwned-passwords-django/tests/async/<str:field>/",
-        async_breach_count,
+        async_breach,
         name="pwned-breach-async",
     ),
     path(
