greenpau / caddy-security

πŸ” Authentication, Authorization, and Accounting (AAA) App and Plugin for Caddy v2. πŸ’Ž Implements Form-Based, Basic, Local, LDAP, OpenID Connect, OAuth 2.0 (Github, Google, Facebook, Okta, etc.), SAML Authentication. MFA/2FA with App Authenticators and Yubico. πŸ’Ž Authorization with JWT/PASETO tokens. πŸ”
https://authcrunch.com/
Apache License 2.0
1.43k stars 70 forks

breakfix: respect password policy from users.json #338

Open tribor opened 4 months ago

tribor commented 4 months ago

This seems to be hardcoded in the UI, because the min_length and max_length in users.json are set to 1 and 128.

Configuration users.json:

{
  "version": "1.1.4",
  "policy": {
    "password": {
      "keep_versions": 2,
      "min_length": 1,
      "max_length": 128,
      "require_uppercase": false,
      "require_lowercase": false,
      "require_number": false,
      "require_non_alpha_numeric": false,
      "block_reuse": false,
      "block_password_change": false
    },
    "user": {
      "min_length": 3,
      "max_length": 50,
      "allow_non_alpha_numeric": false,
      "allow_uppercase": false
    }
  },
[..]

Version Information

http.authentication.hashes.bcrypt v2.7.6
http.authentication.hashes.scrypt v2.7.6
http.authentication.providers.http_basic v2.7.6
http.handlers.authentication v2.7.6
tls.client_auth.leaf v2.7.6
http.authentication.providers.authorizer v1.1.29
http.handlers.authenticator v1.1.29
security v1.1.29

Expected behavior

-> The settings in the users.json should allow me to set this short password.

In general, the settings of the file and the user dashboards should match. The check during input in the UI should therefore use the corresponding values of the file as threshold values.

In addition, it would be useful if the UI had a section for managing the password policy.
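One way the check can be driven by the same users.json policy on both sides, as an added Go example that is not caddy-security's or go-authcrunch's own code: it parses the policy.password block quoted above (the embedded sample is constructed from that block), then validates a candidate password against every rule in it and returns the full list of violations, so that the UI's client-side hints and the server-side enforcement read one set of thresholds instead of hardcoded values. The type and function names (PasswordPolicy, LoadPasswordPolicy, ValidatePassword) are assumptions for this example, not the plugin's API.

```go
package main

import (
	"encoding/json"
	"fmt"
	"unicode"
)

// PasswordPolicy mirrors the "policy.password" block of users.json.
// Field names are assumptions for this example, not the plugin's own types.
type PasswordPolicy struct {
	KeepVersions           int  `json:"keep_versions"`
	MinLength              int  `json:"min_length"`
	MaxLength              int  `json:"max_length"`
	RequireUppercase       bool `json:"require_uppercase"`
	RequireLowercase       bool `json:"require_lowercase"`
	RequireNumber          bool `json:"require_number"`
	RequireNonAlphaNumeric bool `json:"require_non_alpha_numeric"`
	BlockReuse             bool `json:"block_reuse"`
	BlockPasswordChange    bool `json:"block_password_change"`
}

// usersDB holds only the part of users.json this example reads.
type usersDB struct {
	Version string `json:"version"`
	Policy  struct {
		Password PasswordPolicy `json:"password"`
	} `json:"policy"`
}

// usersJSON is a constructed sample taken from the policy block in the issue.
const usersJSON = `{
  "version": "1.1.4",
  "policy": {
    "password": {
      "keep_versions": 2,
      "min_length": 1,
      "max_length": 128,
      "require_uppercase": false,
      "require_lowercase": false,
      "require_number": false,
      "require_non_alpha_numeric": false,
      "block_reuse": false,
      "block_password_change": false
    }
  }
}`

// LoadPasswordPolicy extracts policy.password from a users.json document.
func LoadPasswordPolicy(data []byte) (PasswordPolicy, error) {
	var db usersDB
	if err := json.Unmarshal(data, &db); err != nil {
		return PasswordPolicy{}, err
	}
	return db.Policy.Password, nil
}

// ValidatePassword checks pw against every rule in p and returns all violations,
// so a form or API can report them together. An empty slice means the password passes.
func ValidatePassword(p PasswordPolicy, pw string) []string {
	var problems []string
	n := len([]rune(pw)) // count characters, not bytes, so non-ASCII passwords are measured fairly
	if n < p.MinLength {
		problems = append(problems, fmt.Sprintf("shorter than min_length %d", p.MinLength))
	}
	if p.MaxLength > 0 && n > p.MaxLength {
		problems = append(problems, fmt.Sprintf("longer than max_length %d", p.MaxLength))
	}
	var upper, lower, digit, other bool
	for _, r := range pw {
		switch {
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsLower(r):
			lower = true
		case unicode.IsDigit(r):
			digit = true
		default:
			other = true // anything that is not a letter or digit counts as non-alphanumeric
		}
	}
	if p.RequireUppercase && !upper {
		problems = append(problems, "missing uppercase letter")
	}
	if p.RequireLowercase && !lower {
		problems = append(problems, "missing lowercase letter")
	}
	if p.RequireNumber && !digit {
		problems = append(problems, "missing number")
	}
	if p.RequireNonAlphaNumeric && !other {
		problems = append(problems, "missing non-alphanumeric character")
	}
	return problems
}

func main() {
	policy, err := LoadPasswordPolicy([]byte(usersJSON))
	if err != nil {
		panic(err)
	}
	for _, pw := range []string{"", "a", "correct horse battery"} {
		fmt.Printf("%q -> %v\n", pw, ValidatePassword(policy, pw))
	}
}
```

With the policy from the issue (min_length 1, no character-class requirements), a one-character password produces no violations; tightening the loaded struct, for example by raising MinLength and enabling the require_* flags, makes the same function reject it, which is the behaviour the UI should mirror rather than carry its own constants.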

greenpau commented 4 months ago

@tribor , I will soon begin the redesign of the users database. Will take this into account. Thank you for reporting this!