summaryrefslogtreecommitdiff
path: root/lib/Multi
diff options
context:
space:
mode:
authorYorhel <git@yorhel.nl>2019-05-15 20:48:53 +0200
committerYorhel <git@yorhel.nl>2019-05-16 09:19:56 +0200
commit1cbc5107f32ec744d1834569f3885146d7282974 (patch)
treec7970b7815daf0c37db5baf6e6bb611b04759888 /lib/Multi
parenta193e240f5ea41509276ede529c68642af2ec656 (diff)
Add password dictionary check
This affects the following: - API login with a weak password is disallowed, affected users will have to change their password through the website to continue using the API. - Registration, password reset or password change forms require the new password to not be in the dictionary. - Attempting to log in to the website with a weak password will force-redirect to a password change form, allowing a new password to be set (using the weak-but-still-valid password as check).
Diffstat (limited to 'lib/Multi')
-rw-r--r--lib/Multi/API.pm3
1 files changed, 3 insertions, 0 deletions
diff --git a/lib/Multi/API.pm b/lib/Multi/API.pm
index 585c3d2c..aa767fb2 100644
--- a/lib/Multi/API.pm
+++ b/lib/Multi/API.pm
@@ -17,6 +17,7 @@ use Crypt::URandom 'urandom';
use Crypt::ScryptKDF 'scrypt_raw';;
use VNDBUtil 'normalize_query', 'norm_ip';
use JSON::XS;
+use PWLookup;
# Linux-specific, not exported by the Socket module.
sub TCP_KEEPIDLE () { 4 }
@@ -274,6 +275,8 @@ sub login {
return;
} else {
$arg->{username} = lc $arg->{username};
+ return cerr $c, auth => "Password too weak, please log in on the site and change your password"
+ if $VNDB::S{password_db} && PWLookup::lookup($VNDB::S{password_db}, $arg->{password});
}
login_auth($c, $arg);