author | Yorhel <git@yorhel.nl> | 2019-05-15 20:48:53 +0200 |
---|---|---|
committer | Yorhel <git@yorhel.nl> | 2019-05-16 09:19:56 +0200 |
commit | 1cbc5107f32ec744d1834569f3885146d7282974 (patch) | |
tree | c7970b7815daf0c37db5baf6e6bb611b04759888 /lib/Multi/API.pm | |
parent | a193e240f5ea41509276ede529c68642af2ec656 (diff) |
Add password dictionary check
This affects the following:
- API login with a weak password is disallowed, affected users will have
to change their password through the website to continue using the API.
- Registration, password reset or password change forms require the new
password to not be in the dictionary.
- Attempting to log in to the website with a weak password will
force-redirect to a password change form, allowing a new password to
be set (using the weak-but-still-valid password as check).
Diffstat (limited to 'lib/Multi/API.pm')
-rw-r--r-- | lib/Multi/API.pm | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/lib/Multi/API.pm b/lib/Multi/API.pm
index 585c3d2c..aa767fb2 100644
--- a/lib/Multi/API.pm
+++ b/lib/Multi/API.pm
@@ -17,6 +17,7 @@ use Crypt::URandom 'urandom';
 use Crypt::ScryptKDF 'scrypt_raw';;
 use VNDBUtil 'normalize_query', 'norm_ip';
 use JSON::XS;
+use PWLookup;
 # Linux-specific, not exported by the Socket module.
 sub TCP_KEEPIDLE () { 4 }
@@ -274,6 +275,8 @@ sub login {
 return;
 } else {
 $arg->{username} = lc $arg->{username};
+return cerr $c, auth => "Password too weak, please log in on the site and change your password"
+if $VNDB::S{password_db} && PWLookup::lookup($VNDB::S{password_db}, $arg->{password});
 }
 login_auth($c, $arg); |
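Review bot: The dictionary lookup on the two added lines in the second hunk runs before `login_auth($c, $arg)` has verified the credentials, so any attempt whose submitted password happens to be in the dictionary — including a mistyped password for an account whose real password is strong — is answered with "Password too weak, please log in on the site and change your password", which misdirects the user into believing their actual password is weak. If `login_auth` reaches a point where a successful match is known, moving the lookup there would show the message only when the weak password really is the account's password; if `login_auth` also does any failure accounting, the early return here bypasses it (cannot be confirmed from this hunk). The check is silently skipped whenever `$VNDB::S{password_db}` is unset, which deserves a why-comment on the added line, e.g. `# Reject dictionary passwords when a password_db is configured; the website forces a change on login.` The enclosing `sub login` starts and ends outside the hunk.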