neos / flow-development-collection

The unified repository containing the Flow core packages, used for Flow development.
https://flow.neos.io/
MIT License

Add user password policy to settings #2662

Closed Benjamin-K closed 1 day ago

Benjamin-K commented 2 years ago

Description

Hi there,

As security is crucial to many middle to large companies I was searching for something to set up a password policy for Neos for customers that do not manage their logins through LDAP or sth. similar. I found that there are no password requirements in Neos, which is really bad. To improve this, I would suggest adding some basic settings for user passwords to the Settings.yaml.

Steps to Reproduce

See the following files to see that there is no check for a valid password:

Expected behavior

Password policy could be set through settings, for example:

Neos:
  Flow:
    security:
      passwordPolicy:
        minLength: 6
        maxLength: 255
        requireNumbers: false
        requireLetters: false
        requireUppercaseAndLowercase: false
        # for special chars I'd prefer a list of the required special chars, sth. like '$%_-!@'
        requireSpecialChars: ''

Actual behavior

Password requirements are hardcoded.

Affected Versions

Neos: All
Flow: All

PS: I posted this to neos/neos-development-collection#3293 first, but it belongs to Flow, so I reposted it here and closed the issue in the other git. But there was a small discussion there already.

sorenmalling commented 2 years ago

What you describe is a validation class used by an application :)

I see it as a separate package that can be installed for account management, but not a core thing

Benjamin-K commented 2 years ago

So basically a class with sth like this? I never did anything with aspects before.

<?php
namespace Acme\Namespace\Security;

use Neos\Flow\Annotations as Flow;
use Neos\Flow\AOP\JoinPointInterface;

/**
 * @Flow\Aspect
 */
class SecurePasswordAspect
{
    /**
     * Check the password before the AccountFactory creates the account
     *
     * @Flow\Before("method(Neos\Flow\Security\AccountFactory->createAccountWithPassword())")
     */
    public function checkPasswordRequirements(JoinPointInterface $joinPoint): void
    {
        $password = $joinPoint->getMethodArgument('password');
        // Validate password strength
    }
}

How do I stop, if the password does not fulfill the requirements? Simply throw an Exception?
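
As an added example (not code from this issue, the linked package, or Flow itself), the aspect above completed so that it enforces the Settings.yaml keys proposed in the first post: an exception thrown from Before advice propagates to the caller and the advised method never runs, so the account is not created. The settings path Neos.Flow.security.passwordPolicy and the class name are assumptions taken from this issue's proposal; Flow has no such setting.

```php
<?php
namespace Acme\Namespace\Security;

use Neos\Flow\Annotations as Flow;
use Neos\Flow\AOP\JoinPointInterface;

/**
 * @Flow\Aspect
 */
class SecurePasswordAspect
{
    /**
     * Hypothetical settings path mirroring the Settings.yaml proposed in this issue
     * @Flow\InjectConfiguration(package="Neos.Flow", path="security.passwordPolicy")
     * @var array
     */
    protected $policy = [];

    /**
     * Runs before AccountFactory hashes the password; throwing here aborts the account creation
     *
     * @Flow\Before("method(Neos\Flow\Security\AccountFactory->createAccountWithPassword())")
     */
    public function checkPasswordRequirements(JoinPointInterface $joinPoint): void
    {
        $violations = $this->violations((string)$joinPoint->getMethodArgument('password'), $this->policy);
        if ($violations !== []) {
            throw new \InvalidArgumentException('Password policy violated: ' . implode(', ', $violations), 1);
        }
    }

    /** Returns the names of the violated rules; an empty array means the password passes. */
    public function violations(string $password, array $s): array
    {
        $errors = [];
        $length = mb_strlen($password);
        if ($length < (int)($s['minLength'] ?? 6)) { $errors[] = 'minLength'; }
        if ($length > (int)($s['maxLength'] ?? 255)) { $errors[] = 'maxLength'; }
        if (!empty($s['requireNumbers']) && !preg_match('/\d/u', $password)) { $errors[] = 'requireNumbers'; }
        if (!empty($s['requireLetters']) && !preg_match('/\p{L}/u', $password)) { $errors[] = 'requireLetters'; }
        if (!empty($s['requireUppercaseAndLowercase'])
            && !(preg_match('/\p{Lu}/u', $password) && preg_match('/\p{Ll}/u', $password))) {
            $errors[] = 'requireUppercaseAndLowercase';
        }
        // requireSpecialChars is read as "at least one of these characters must occur"
        $special = (string)($s['requireSpecialChars'] ?? '');
        if ($special !== '' && !preg_match('/[' . preg_quote($special, '/') . ']/u', $password)) {
            $errors[] = 'requireSpecialChars';
        }
        return $errors;
    }
}
```

Returning the list of violated rule names rather than a bare boolean lets the caller report which requirement failed without revealing anything about the password itself.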

Benjamin-K commented 2 years ago

Found a package that adds this: https://github.com/jvm-tech/JvMTECH.NeosHardening

Benjamin-K commented 4 months ago

I think we can close this. But maybe the linked package should be mentioned somewhere?

kdambekalns commented 1 day ago

Somewhere would probably be: https://www.neos.io/features/feature-list.html

Benjamin-K commented 23 hours ago

@kdambekalns Who could add the package JvMTECH.NeosHardening there?