kuzzleio / kuzzle-plugin-auth-passport-local

Provide local authentication with username/password for Kuzzle
Apache License 2.0

Password policies #70

Closed benoitvidis closed 4 years ago

benoitvidis commented 4 years ago

~:warning: depends on https://github.com/kuzzleio/kuzzle/pull/1597~

What does this PR do?

This PR introduces the ability to, per user or group of users, apply some password policies.

Each policy can now set:

  1. a password expiry, after which the user must change her password at next login
  2. a number of previous passwords to check against on update, to forbid the re-use of the last XX passwords
  3. a regular expression the password must match to be validated
  4. a flag to ensure users must reset their password on next login if it has been updated/created by another user.

Related to points 1 & 4, a controller action is added in this PR to allow users to reset their password. An additional "getRestPasswordToken" route is also added, dedicated to admin & programmatic accesses.

@todo:

benoitvidis commented 4 years ago

double checking password expiry strange behaviour > wip

benoitvidis commented 4 years ago

@Aschen : error codes updated. May not require a full new review but for the records, I also changed the reset token payload from { kuid: '<kuid>' } to { resetForKuid: '<kuid>' } to avoid the temptation to use it as an auth token (even if Kuzzle relies on a different payload).

Aschen commented 4 years ago

@benoitvidis Is this PR still WIP or can we merge it?

benoitvidis commented 4 years ago

@Aschen : It was in WIP because of the errorsManager being called with the nonexistent throw method. Should be ok to merge now if it is for you.

scottinet commented 4 years ago

We need to update the documentation: the error manager does not have a throw method. It has been removed as it was a hidden flow interruption. This wreaked havoc in our static analyzers and it made our code harder to read (and to maintain).

benoitvidis commented 4 years ago

Double checking reset password expiration time > wip

benoitvidis commented 4 years ago

double checking behaviour on createAdmin > wip

benoitvidis commented 4 years ago

@Aschen , actually, security.createFirstAdmin and security.createUser call the validate method of the strategy before the kuzzle user is created.

I'll propose a PR to change this behaviour but in the meantime, I put the user existence checks back on.

Aschen commented 4 years ago

Good catch :+1:

Aschen commented 4 years ago

@benoitvidis Can we merge this PR now?

Leodau commented 4 years ago

Up

@benoitvidis Can we merge this PR now?

benoitvidis commented 4 years ago

Sorry, I missed @Aschen's message. Sure, it can be merged.