Bugfixes for password policy

This commit is contained in:
Ozzie Isaacs 2023-02-15 19:53:35 +01:00
parent 66d5b5a697
commit 8ee34bf428
5 changed files with 19 additions and 9 deletions


@ -1798,7 +1798,10 @@ def _configuration_update_helper():
_config_checkbox(to_save, "config_password_lower") _config_checkbox(to_save, "config_password_lower")
_config_checkbox(to_save, "config_password_upper") _config_checkbox(to_save, "config_password_upper")
_config_checkbox(to_save, "config_password_special") _config_checkbox(to_save, "config_password_special")
if 0 < int(to_save.get("config_password_min_length", "0")) < 41:
_config_int(to_save, "config_password_min_length") _config_int(to_save, "config_password_min_length")
else:
return _configuration_result(_('Password length has to be between 1 and 40'))
reboot_required |= _config_int(to_save, "config_session") reboot_required |= _config_int(to_save, "config_session")
reboot_required |= _config_checkbox(to_save, "config_ratelimiter") reboot_required |= _config_checkbox(to_save, "config_ratelimiter")
@ -2003,6 +2006,7 @@ def _handle_edit_user(to_save, content, languages, translations, kobo_support):
content.name = check_username(to_save["name"]) content.name = check_username(to_save["name"])
if to_save.get("kindle_mail") != content.kindle_mail: if to_save.get("kindle_mail") != content.kindle_mail:
content.kindle_mail = valid_email(to_save["kindle_mail"]) if to_save["kindle_mail"] else "" content.kindle_mail = valid_email(to_save["kindle_mail"]) if to_save["kindle_mail"] else ""
content.password = generate_password_hash(helper.valid_password(to_save.get("password", "")))
except Exception as ex: except Exception as ex:
log.error(ex) log.error(ex)
flash(str(ex), category="error") flash(str(ex), category="error")
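Review bot: In _handle_edit_user the new line `content.password = generate_password_hash(helper.valid_password(to_save.get("password", "")))` runs unconditionally, so saving the edit form without entering a new password hands "" to valid_password, which either rejects it (the whole edit then fails with the flashed error) or, if empty input is accepted, replaces the user's hash with a hash of the empty string. change_profile in web.py guards the same operation with `if to_save.get('password', "") != "":`; the same guard belongs here unless the edit form makes the field mandatory, which this page does not show. In the first hunk, `int(to_save.get("config_password_min_length", "0"))` raises ValueError on non-numeric input; whether the caller catches that is outside the hunk. Both enclosing functions start and end outside their hunks.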


@ -612,7 +612,7 @@ def reset_password(user_id):
if not config.get_mail_server_configured(): if not config.get_mail_server_configured():
return 2, None return 2, None
try: try:
password = generate_random_password() password = generate_random_password(config.config_password_min_length)
existing_user.password = generate_password_hash(password) existing_user.password = generate_password_hash(password)
ub.session.commit() ub.session.commit()
send_registration_mail(existing_user.email, existing_user.name, password, True) send_registration_mail(existing_user.email, existing_user.name, password, True)
@ -622,9 +622,9 @@ def reset_password(user_id):
return 0, None return 0, None
def generate_random_password(): def generate_random_password(min_length):
s = "abcdefghijklmnopqrstuvwxyz01234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ!@#$%&*()?" s = "abcdefghijklmnopqrstuvwxyz01234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ!@#$%&*()?"
passlen = 8 passlen = min_length
return "".join(s[c % len(s)] for c in os.urandom(passlen)) return "".join(s[c % len(s)] for c in os.urandom(passlen))
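Review bot: generate_random_password still maps each os.urandom byte with `s[c % len(s)]`; 256 is not a multiple of the 73-character alphabet (which also lists "0" twice), so the first 37 symbols are drawn more often than the others and the password carries less entropy than its length suggests. `return "".join(secrets.choice(s) for _ in range(passlen))` draws uniformly; the `secrets` import lives outside this hunk and would need adding. The new min_length parameter is used with no floor, so a stored config_password_min_length of 0 — still possible for installations configured before the 1–40 check was added — yields an empty password via `os.urandom(0)`, and a string of exactly min_length random symbols does not necessarily satisfy the character-class rules, which matters for callers that validate it (see register_post). reset_password in the first hunk stores the generated password without validating it, so the two call sites currently disagree.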


@ -382,7 +382,7 @@
<div data-related="password_settings"> <div data-related="password_settings">
<div class="form-group" style="margin-left:10px;"> <div class="form-group" style="margin-left:10px;">
<label for="config_password_min_length">{{_('Minimum password length')}}</label> <label for="config_password_min_length">{{_('Minimum password length')}}</label>
<input type="number" min="0" max="40" class="form-control" name="config_password_min_length" id="config_password_min_length" value="{% if config.config_password_min_length != None %}{{ config.config_password_min_length }}{% endif %}" autocomplete="off" required> <input type="number" min="1" max="40" class="form-control" name="config_password_min_length" id="config_password_min_length" value="{% if config.config_password_min_length != None %}{{ config.config_password_min_length }}{% endif %}" autocomplete="off" required>
</div> </div>
<div class="form-group" style="margin-left:10px;"> <div class="form-group" style="margin-left:10px;">
<input type="checkbox" id="config_password_number" name="config_password_number" {% if config.config_password_number %}checked{% endif %}> <input type="checkbox" id="config_password_number" name="config_password_number" {% if config.config_password_number %}checked{% endif %}>


@ -55,6 +55,7 @@ from werkzeug.security import generate_password_hash
from . import constants, logger from . import constants, logger
log = logger.create() log = logger.create()
session = None session = None
@ -845,7 +846,12 @@ def init_db(app_db_path, user_credentials=None):
if not password: if not password:
print("Empty password is not allowed") print("Empty password is not allowed")
sys.exit(4) sys.exit(4)
user.password = generate_password_hash(password) try:
from .helper import valid_password
user.password = generate_password_hash(valid_password(password))
except Exception:
print("Password doesn't comply with password validation rules")
sys.exit(4)
if session_commit() == "": if session_commit() == "":
print("Password for user '{}' changed".format(username)) print("Password for user '{}' changed".format(username))
sys.exit(0) sys.exit(0)
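Review bot: The new try block in init_db catches bare Exception and prints only a fixed message, so the operator never learns which policy rule the password failed, and an ImportError from the `from .helper import valid_password` line inside the same try would be reported as a policy violation too. Keep the import outside the try and include the exception text: `except Exception as ex:` / `print("Password doesn't comply with password validation rules: {}".format(ex))`. If valid_password raises a specific exception type (not visible on this page), catch that type instead of Exception. init_db continues outside the hunk.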


@ -1255,8 +1255,8 @@ def register_post():
if check_valid_domain(email): if check_valid_domain(email):
content.name = nickname content.name = nickname
content.email = email content.email = email
password = generate_random_password() password = generate_random_password(config.config_password_min_length)
content.password = generate_password_hash(password) content.password = generate_password_hash(valid_password(password))
content.role = config.config_default_role content.role = config.config_default_role
content.locale = config.config_default_locale content.locale = config.config_default_locale
content.sidebar_view = config.config_default_show content.sidebar_view = config.config_default_show
@ -1412,7 +1412,7 @@ def change_profile(kobo_support, local_oauth_check, oauth_status, translations,
try: try:
if current_user.role_passwd() or current_user.role_admin(): if current_user.role_passwd() or current_user.role_admin():
if to_save.get('password', "") != "": if to_save.get('password', "") != "":
current_user.password = generate_password_hash(to_save.get("password")) current_user.password = generate_password_hash(valid_password(to_save.get("password", "")))
if to_save.get("eReader_mail", current_user.kindle_mail) != current_user.kindle_mail: if to_save.get("eReader_mail", current_user.kindle_mail) != current_user.kindle_mail:
current_user.kindle_mail = valid_email(to_save.get("eReader_mail")) current_user.kindle_mail = valid_email(to_save.get("eReader_mail"))
new_email = valid_email(to_save.get("email", current_user.email)) new_email = valid_email(to_save.get("email", current_user.email))
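Review bot: In register_post, `generate_password_hash(valid_password(password))` validates a password the server itself just generated; if valid_password enforces the character-class options configured in admin (number/lower/upper/special), a random draw of exactly config_password_min_length characters can fail it, so registration would fail nondeterministically, and how that exception is handled is outside the hunk. Either generate the password so it satisfies the active policy (retry generate_random_password until valid_password accepts it, or build it from one symbol of each required class plus random filler) or drop the validation on the generated value as reset_password in helper.py does; the two call sites should agree. The change_profile hunk is consistent with the non-empty guard on the line above it. Both enclosing functions start before and end after their hunks.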