Add password dictionary check

This affects the following:

- API login with a weak password is disallowed, affected users will have
  to change their password through the website to continue using the API.
- Registration, password reset or password change forms require the new
  password to not be in the dictionary.
- Attempting to log in to the website with a weak password will
  force-redirect to a password change form, allowing a new password to
  be set (using the weak-but-still-valid password as check).

1 files changed, 3 insertions, 0 deletions

diff --git a/lib/Multi/API.pm b/lib/Multi/API.pm
index 585c3d2c..aa767fb2 100644
--- a/lib/Multi/API.pm
+++ b/lib/Multi/API.pm
@@ -17,6 +17,7 @@ use Crypt::URandom 'urandom';
 use Crypt::ScryptKDF 'scrypt_raw';;
 use VNDBUtil 'normalize_query', 'norm_ip';
 use JSON::XS;
+use PWLookup;
 
 # Linux-specific, not exported by the Socket module.
 sub TCP_KEEPIDLE  () { 4 }
@@ -274,6 +275,8 @@ sub login {
     return;
   } else {
     $arg->{username} = lc $arg->{username};
+    return cerr $c, auth => "Password too weak, please log in on the site and change your password"
+      if $VNDB::S{password_db} && PWLookup::lookup($VNDB::S{password_db}, $arg->{password});
   }
 
   login_auth($c, $arg);