Skip to content

Commit 38aaf89

Browse files
ylebreylebre
committed
implement minimal password strength
1 parent 298b06b commit 38aaf89

2 files changed

Lines changed: 30 additions & 2 deletions

File tree

lib/User.php

Lines changed: 21 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -78,8 +78,24 @@ private static function isExpired($token) {
7878
return true;
7979
}
8080

81+
public static function validatePasswordStrength($password) {
82+
// Validate password strength
83+
$uppercase = preg_match('@[A-Z]@', $password);
84+
$lowercase = preg_match('@[a-z]@', $password);
85+
$number = preg_match('@[0-9]@', $password);
86+
$specialChars = preg_match('@[^\w]@', $password);
87+
88+
if(!$uppercase || !$lowercase || !$number || !$specialChars || strlen($password) < 8) {
89+
return false;
90+
}
91+
return true;
92+
}
93+
8194
public static function createUser($newUser) {
8295
self::connect();
96+
if (!self::validatePasswordStrength($newUser['password'])) {
97+
return false;
98+
}
8399
$generatedUserId = md5(random_bytes(32));
84100
while (self::userIdExists($generatedUserId)) {
85101
$generatedUserId = md5(random_bytes(32));
@@ -107,7 +123,10 @@ public static function createUser($newUser) {
107123

108124
public static function setUserPassword($email, $newPassword) {
109125
if (!self::userEmailExists($email)) {
110-
return;
126+
return false;
127+
}
128+
if (!self::validatePasswordStrength($newUser['password'])) {
129+
return false;
111130
}
112131
self::connect();
113132
$query = self::$pdo->prepare(
@@ -118,6 +137,7 @@ public static function setUserPassword($email, $newPassword) {
118137
$queryParams[':passwordHash'] = password_hash($newPassword, PASSWORD_BCRYPT);
119138

120139
$query->execute($queryParams);
140+
return true;
121141
}
122142

123143
public static function allowClientForUser($clientId, $userId) {

www/idp/index.php

Lines changed: 9 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -203,6 +203,10 @@
203203
];
204204

205205
$createdUser = User::createUser($newUser);
206+
if (!$createdUser) {
207+
header("HTTP/1.1 400 Bad Request");
208+
exit();
209+
}
206210
Mailer::sendAccountCreated($createdUser);
207211

208212
$responseData = array(
@@ -237,7 +241,11 @@
237241
header("HTTP/1.1 400 Bad Request");
238242
exit();
239243
}
240-
User::setUserPassword($verifyToken['email'], $_POST['newPassword']);
244+
$result = User::setUserPassword($verifyToken['email'], $_POST['newPassword']);
245+
if (!$result) {
246+
header("HTTP/1.1 400 Bad Request");
247+
exit();
248+
}
241249
header("HTTP/1.1 200 OK");
242250
header("Content-type: application/json");
243251
echo json_encode("OK");

0 commit comments

Comments
 (0)