Closed Benjamin-K closed 1 day ago
What you describe is a validation class used by an application :)
I see it as a separate package that can be installed for account management, but not a core thing
So basically a class with something like this? I never did anything with aspects before.
```php
<?php
namespace Acme\Namespace\Security;

use Neos\Flow\Annotations as Flow;
use Neos\Flow\AOP\JoinPointInterface;

/**
 * @Flow\Aspect
 */
class SecurePasswordAspect
{
    /**
     * Runs before AccountFactory creates an account with a password
     *
     * @Flow\Before("method(Neos\Flow\Security\AccountFactory->createAccountWithPassword())")
     */
    public function checkPasswordRequirements(JoinPointInterface $joinPoint): void
    {
        // The advised method's $password argument, as passed by the caller
        $password = $joinPoint->getMethodArgument('password');
        // Validate password strength
    }
}
```
How do I stop, if the password does not fulfill the requirements? Simply throw an Exception?
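An added example of the approach sketched above, not code from this thread, from Flow or from any linked package: a hypothetical `Acme.Demo` aspect reads an assumed policy (`minLength`, `requireDigit`, `requireMixedCase`) from Settings.yaml and throws from Before advice, which aborts the advised call so no account is created. The namespace, class, configuration keys and exception code are assumptions.

```php
<?php
namespace Acme\Demo\Security;

use Neos\Flow\Annotations as Flow;
use Neos\Flow\AOP\JoinPointInterface;
use Neos\Flow\Security\Exception as SecurityException;

/**
 * Hypothetical aspect (not Flow's own code): rejects weak passwords before AccountFactory creates the account.
 * @Flow\Aspect
 */
class PasswordPolicyAspect
{
    /**
     * Assumed keys under Acme.Demo.password in Settings.yaml (constructed for this example):
     * minLength (int), requireDigit (bool), requireMixedCase (bool).
     *
     * @Flow\InjectConfiguration(package="Acme.Demo", path="password")
     * @var array
     */
    protected $policy = [];

    /**
     * @Flow\Before("method(Neos\Flow\Security\AccountFactory->createAccountWithPassword())")
     */
    public function enforcePolicy(JoinPointInterface $joinPoint): void
    {
        $violations = self::check((string)$joinPoint->getMethodArgument('password'), $this->policy);
        if ($violations !== []) {
            // An exception thrown from Before advice aborts the advised call, so no account is created.
            throw new SecurityException('Password policy violated: ' . implode('; ', $violations), 1700000001);
        }
    }

    /** Returns the policy violations; an empty array means the password is acceptable. */
    public static function check(string $password, array $policy): array
    {
        $minLength = (int)($policy['minLength'] ?? 12);
        $violations = [];
        if (mb_strlen($password) < $minLength) {
            $violations[] = "must be at least $minLength characters";
        }
        if (($policy['requireDigit'] ?? true) && preg_match('/\d/', $password) !== 1) {
            $violations[] = 'must contain a digit';
        }
        if (($policy['requireMixedCase'] ?? true)
            && (preg_match('/\p{Lu}/u', $password) !== 1 || preg_match('/\p{Ll}/u', $password) !== 1)) {
            $violations[] = 'must contain upper- and lower-case letters';
        }
        return $violations;
    }
}
```

Because `check()` is static and pure, it can be unit-tested without booting Flow; the aspect itself only wires it to the join point.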
Found a package that adds this: https://github.com/jvm-tech/JvMTECH.NeosHardening
I think we can close this. But maybe the linked package should be mentioned somewhere?
Somewhere would probably be: https://www.neos.io/features/feature-list.html
@kdambekalns Who could add the package JvMTECH.NeosHardening there?
Description
Hi there,
As security is crucial to many middle to large companies I was searching for something to set up a password policy for Neos for customers that do not manage their logins through LDAP or something similar. I found that there are no password requirements in Neos, which is really bad. To improve this, I would suggest adding some basic settings for user passwords to the Settings.yaml.
Steps to Reproduce
See the following files to see that there is no check for a valid password:
Expected behavior
Password policy could be set through settings, for example:
Actual behavior
Password requirements are hardcoded.
Affected Versions
Neos: All
Flow: All
PS: I posted this to neos/neos-development-collection#3293 first, but it belongs to Flow, so I reposted it here and closed the issue in the other git. But there was a small discussion there already.