opws / opws-dataset

Profiles for the user account systems of various sites.
Open Data Commons Open Database License v1.0

Update Crunchbase #221

Closed stuartpb closed 7 years ago

stuartpb commented 7 years ago

Some stray observations:

stuartpb commented 7 years ago

It's not clear if developer.crunchbase.com still has a separate account system from crunchbase.com or not (it still has a separate https://developer.crunchbase.com/admin/account/password/new and https://developer.crunchbase.com/login, but https://developer.crunchbase.com/signup returns "Signup disabled", so maybe they have some kind of legacy system?), but whatever the situation is, they're not with Mashery any more (they're with 3scale now), so I'll just re-add the profile and/or legacy if/when new, relevant information ever emerges.

stuartpb commented 7 years ago

A QA Engineer walks into a bar and orders "        "

I wrote down these notes before I realized what was up:

This turned into a series of messages describing a suite of issues via Crunchbase's contact form:


Something is wrong with the accounts system: I can't reset my password because it says there's no account associated with stuart@testtrack4.com, but I can't register an account because that form says that there is an account registered to stuart@testtrack4.com.


To elaborate, on further testing, it appears that I actually didn't have an account - the registration form reports the "invalid email address" message as the error message for an invalid password if the password consists entirely of spaces.

Steps to reproduce:

Fill out all fields on https://www.crunchbase.com/app/register with otherwise valid information, pressing the spacebar eight times to fill out the password fields with strings consisting entirely of spaces.

Expected results:

The password should be accepted as valid, or at least rejected with an accurate error message in pre-submission validation (the way that a password shorter than 8 characters is rejected when the focus leaves the password input).

Observed results:

After submitting the form, the error message "The e-mail address you provided is invalid or already in use." appears under the first password input.


Also note that passwords are allowed to be changed via the "change password" form to a password consisting of spaces, but are rejected when trying to then change from one - the PATCH request to https://www.crunchbase.com/v4/cb/users/me/passwords fails with a 422 Unprocessable Entity.

Example error response body: [{"status":422,"code":"US105","message":"can't be blank","field":"current_password","request_id":"6AE2AF377CDAC124ACF73584BDA04"}]

In the UI, this is presented with both new passwords showing the "invalid email address" error.

If this bug is fixed, there should be a facility in https://www.crunchbase.com/app/account to explicitly remove a password from the account (making it so you can only log in with third-party authentication): right now, this bug is the only way to restrict an account to only being accessible through third-party authentication (as trying to log in with the all-spaces password will fail with an error message) after registering and setting a password once.


Also, a similar failure occurs for passwords beyond the maximum length (128 characters): the failure message that comes back from the API describes that the maximum length has been exceeded, but the UI presents it as an email error.
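
The report above describes two defects: password rules that differ between the register, change and login paths, and API errors displayed under the wrong input. The following is an added example, not part of the original comment and not Crunchbase's code, showing one shared validator plus error routing keyed on the response's `field`. The function names are hypothetical, and rejecting whitespace-only passwords (rather than accepting them) is an assumption.

```javascript
// Added example: constructed for illustration, not Crunchbase's code.
const MIN_LEN = 8;   // minimum length stated in the report
const MAX_LEN = 128; // maximum length stated in the report

// Single rule set for every path that accepts a password (register,
// change, login), so no path stores a value another path refuses.
// Assumption: whitespace-only passwords are rejected rather than accepted.
function validatePassword(pw, field) {
  if (typeof pw !== 'string' || pw.length === 0) {
    return [{ field, code: 'blank', message: "can't be blank" }];
  }
  const errors = [];
  const len = Array.from(pw).length; // count code points, not UTF-16 units
  if (len < MIN_LEN) {
    errors.push({ field, code: 'too_short', message: `minimum is ${MIN_LEN} characters` });
  }
  if (len > MAX_LEN) {
    errors.push({ field, code: 'too_long', message: `maximum is ${MAX_LEN} characters` });
  }
  if (pw.trim().length === 0) {
    errors.push({ field, code: 'whitespace_only', message: 'must contain a non-space character' });
  }
  return errors;
}

// Attach each API error to the input named by its `field`. Errors for
// fields the form does not render go to a form-level slot instead of
// being shown under an unrelated input such as the e-mail address.
function routeErrors(apiErrors, formFields) {
  const byField = { _form: [] };
  for (const name of formFields) byField[name] = [];
  for (const err of apiErrors) {
    const slot = formFields.includes(err.field) ? err.field : '_form';
    byField[slot].push(err.message);
  }
  return byField;
}

// Error body quoted in the report (request_id omitted).
const SAMPLE_422 = [
  { status: 422, code: 'US105', message: "can't be blank", field: 'current_password' },
];

const fields = ['email', 'current_password', 'new_password'];
console.log(validatePassword(' '.repeat(8), 'new_password'));
console.log(routeErrors(SAMPLE_422, fields));
```

Running the same `validatePassword` on the server for registration, password change and login is what prevents an account from ending up with a password it can set but never use.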