doveauth: invite token doesn't overwrite nocreate file, must be at beginning of password

chatmaild/src/chatmaild/doveauth.py

@@ -24,16 +24,19 @@ def encrypt_password(password: str):
 def is_allowed_to_create(config: Config, user, cleartext_password) -> bool:
     """Return True if user and password are admissable."""
     if os.path.exists(NOCREATE_FILE):
-        if not config.invite_token or config.invite_token not in cleartext_password:
-            logging.warning(
-                f"blocked account creation because {NOCREATE_FILE!r} exists."
-            )
-            return False
+        logging.warning(
+            f"blocked account creation because {NOCREATE_FILE!r} exists."
+        )
+        return False
+    if cleartext_password.startswith(config.invite_token):
+        password_length = len(cleartext_password) - len(config.invite_token)
+    else:
+        logging.warning(
+            f"blocked account creation because password didn't contain invite token(s)."
+        )
+        return False
 
-    if (
-        len(cleartext_password.replace(config.invite_token, ""))
-        < config.password_min_length
-    ):
+    if password_length < config.password_min_length:
         logging.warning(
             "Password needs to be at least %s characters long",
             config.password_min_length,

chatmaild/src/chatmaild/tests/test_doveauth.py

@@ -68,9 +68,10 @@ def test_dont_overwrite_password_on_wrong_login(dictproxy):
     ["nocreate_file", "account", "invite_token", "password"],
     [
         (False, True, "asdf", "asdfasdmaimfelsgwerw"),
-        (False, True, "asdf", "z9873240187420913798"),
+        (False, False, "asdf", "z9873240187420913798"),
         (False, True, "", "dsaiujfw9fjiwf9w"),
-        (True, True, "asdf", "asdfmosadkdkfwdofkw"),
+        (False, False, "asdf", "z987324018742asdf0913798"),
+        (True, False, "asdf", "asdfmosadkdkfwdofkw"),
         (True, False, "asdf", "z9873240187420913798"),
         (True, False, "", "dsaiujfw9fjiwf9w"),
     ],