-
Notifications
You must be signed in to change notification settings - Fork 13
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
IBX-5361: Implemented handling of NotCompromisedPassword constraint #221
IBX-5361: Implemented handling of NotCompromisedPassword constraint #221
Conversation
@glye Could you please take a look on CI failure ? |
94c5607
to
0d5b5bc
Compare
tests/lib/Repository/Service/Mock/UserPasswordValidatorTest.php
Outdated
Show resolved
Hide resolved
Indeed, but please ensure that we can safety use https://haveibeenpwned.com/ (from company product/perspective)
Probably you have to create validator service definition on your own. Some tips:
|
@adamwojs Added notes on our permission to use the API in the description. It is free and open. |
880ee86
to
93db3d8
Compare
cc6b4b3
to
3c661ed
Compare
The sonarcloud failure is only due to duplicated lines, and is wrong in this case imho. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The sonarcloud failure is only due to duplicated lines, and is wrong in this case imho.
It's not wrong. We have exactly the same configuration expectation for unit & integration test duplicated and redundant. By modifying these lines of code we increase technical debt.
What needs to be done here is extracting that configuration into a common provider.
For example:
declare(strict_types=1);
namespace Ibexa\Tests\Core\FieldType\DataProvider;
/**
* @internal
*/
final class UserValidatorConfigurationSchemaProvider
{
/**
* @return array<string, array<string, array{type: string, default: ?scalar}>>
*/
public function getExpectedValidatorConfigurationSchema(): array
{
return [
'PasswordValueValidator' => [
// ... duplicated code
],
];
}
}
And then use it in:
\Ibexa\Tests\Core\FieldType\UserTest::getValidatorConfigurationSchemaExpectation
\Ibexa\Tests\Core\FieldType\DataProvider\UserValidatorConfigurationSchemaProvider::getExpectedValidatorConfigurationSchema
as:
return (new UserValidatorConfigurationSchemaProvider())
->getExpectedValidatorConfigurationSchema();
@alongosz Done, thanks. |
tests/lib/Repository/Service/Mock/UserPasswordValidatorTest.php
Outdated
Show resolved
Hide resolved
Co-authored-by: Adam Wójs <adam@wojs.pl>
Co-authored-by: Adam Wójs <adam@wojs.pl>
5d83065
to
36c6bdf
Compare
Kudos, SonarCloud Quality Gate passed!
|
Thank you @glye 🎉 |
v4.5
Implement the https://haveibeenpwned.com/ API, to verify that passwords do not exist in known password dumps from security breaches, using Symfony's NotCompromisedPassword constraint. Disabled by default, for BC and for not doing requests to this external API without the knowledge of the site owners.
Admin UI for this: ibexa/admin-ui#750
Documentation
The password rules page would need documentation for this feature.
Limitations
Since this is done in the password validator, and passwords are only validated when created or changed, there is no warning message when already existing bad passwords are used to log in. That could also be useful, but it means a whole lot more requests to this API, most of which would be pointless repetitions. We could limit it to only one check per password hash, and unset that bit when the hash changes. But if the check is enabled, further login checks are again pointless, so we'd need to take that into account too, and it gets complicated. Might be better to just add an extra button to the login form: "Check if my password has been exposed". Then the users have the choice. But let's do that in a separate PR, if at all.
Our permission to use the API
AFAICT, while you need to buy an API key to use the email/username based haveibeenpwned search, there is no such requirement for the password based search. There is also no rate limiting or attribution requirement, as they say: "In order to help maximise adoption, there is no licencing or attribution requirements on the Pwned Passwords API, although it is welcomed if you would like to include it." https://haveibeenpwned.com/API/v3
It would be nice of us to attribute them anyway, and donate/sponsor, of course.
Checklist:
$ composer fix-cs
).@ibexa/engineering
).Screenshot
![screenshot](https://camo.githubusercontent.com/d71bdf3c13f62d73516a81b289dc2a2ce4b337d32364a27b217de24112d83d7b/68747470733a2f2f6973737565732e69626578612e636f2f7365637572652f6174746163686d656e742f34303539352f636f6d70726f6d697365642e706e67)