authorYorhel <git@yorhel.nl>2019-05-15 20:48:53 +0200
committerYorhel <git@yorhel.nl>2019-05-16 09:19:56 +0200
commit1cbc5107f32ec744d1834569f3885146d7282974 (patch)
treec7970b7815daf0c37db5baf6e6bb611b04759888 /lib/VNDB/Util
parenta193e240f5ea41509276ede529c68642af2ec656 (diff)
Add password dictionary check
This affects the following:
- API login with a weak password is disallowed; affected users will have to change their password through the website to continue using the API.
- Registration, password reset and password change forms require the new password to not be in the dictionary.
- Attempting to log in to the website with a weak password will force-redirect to a password change form, allowing a new password to be set (using the weak-but-still-valid password as the check).
Diffstat (limited to 'lib/VNDB/Util')
-rw-r--r--lib/VNDB/Util/Auth.pm5
1 files changed, 3 insertions, 2 deletions
diff --git a/lib/VNDB/Util/Auth.pm b/lib/VNDB/Util/Auth.pm
index e3ee20eb..bda13158 100644
--- a/lib/VNDB/Util/Auth.pm
+++ b/lib/VNDB/Util/Auth.pm
@@ -81,11 +81,12 @@ sub _createsession {
my($self, $uid, $encpass, $url) = @_;
my $token = urandom(20);
- return 0 if !$self->dbUserLogin($uid, $encpass, sha1 $token);
+ my $token_e = sha1 $token;
+ return 0 if !$self->dbUserLogin($uid, $encpass, $token_e);
$self->resRedirect($url, 'post');
$self->resCookie(auth => unpack('H*', $token).'.'.$uid, httponly => 1, expires => time + 31536000); # keep the cookie for 1 year
- return 1;
+ return $token_e;
}
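Review bot: The success return of `_createsession` changes on the last line of the hunk from the boolean `1` to `$token_e`, the SHA-1 digest of the session token, while the failure path two lines into the hunk still returns `0`; nothing in the hunk records this new contract, so a caller that compares the result against `1` instead of testing truthiness breaks silently, and a caller that prints or stores the value needs to know it is the raw 20-byte digest rather than hex (the cookie line converts the unhashed token with `unpack('H*', ...)`, but the returned digest gets no such conversion — assuming `sha1` here is Digest::SHA's binary form). I would put a comment above the signature, which sits just outside the hunk, along the lines of `# Returns 0 if dbUserLogin rejects the credentials, otherwise the SHA-1 digest of the new session token exactly as passed to dbUserLogin; the unhashed token is only ever sent in the auth cookie.` The name `$token_e` reads as "encrypted" but the value is a hash; `$token_hash` would say what it holds and line up with how the cookie value is described.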