Investigate text encoding for passwords

[dkess]

Interesting rootspam from last night:

 An exception occured in ocfweb:

Traceback (most recent call last):
  File "/opt/ocfweb/venv/lib/python3.7/site-packages/django/core/handlers/base.py", line 113, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/opt/ocfweb/ocfweb/auth.py", line 53, in wrapper
    return fn(request, *args, **kwargs)
  File "/opt/ocfweb/ocfweb/account/register.py", line 75, in request_account
    RSA.importKey(CREATE_PUBLIC_KEY),
  File "/opt/ocfweb/venv/lib/python3.7/site-packages/ocflib/account/creation.py", line 435, in encrypt_password
    return RSA_CIPHER.encrypt(password.encode('ascii'))
UnicodeEncodeError: 'ascii' codec can't encode characters in position 0-5: ordinal not in range(128)

Request:
  * Host: www.ocf.berkeley.edu
  * Path: /account/register/
  * Method: POST
  * Secure: True

I assume this is from someone trying to use non-ascii character in their password. I am not sure what the best practices for this are, but we should investigate this further and see if we can avoid using the ascii encoding.

[zpfeiffer]

I'm also not sure what the best practice here is but as far as preventing this error goes it seems to be a problem with the password validation. validate_password should reject non-ascii characters here, but validate_password isn't called until the NewAccountRequest is created, by which point the non-ascii characters have already been passed to encrypt_password.

Perhaps a short term fix could be to validate the password before creating the NewAccountRequest and a long term fix could be to change the encoding used for encrypted passwords to something more general like password.encode('base64','strict') (assuming that no other software requires ascii-only passwords).

[dkess]

You have to be careful with full Unicode passwords since you don't want to allow passwords that users won't be able to type. Unicode is full of surprises and edge cases. For now, let's stick with ASCII and if you want to go beyond that, do some research on the state-of-the-art and implement what's done elsewhere in a separate, future commit.

[bzh-bzh]

Tfw no emoji passwords 😭

[emmatyping]

TIL https://tools.ietf.org/html/rfc8265

E: also I have someone in mind to ask about sources of how to handle Unicode correctly.