feat: optional password strength checks (#429)

Author: AVVS

.mdeprc

@@ -1,4 +1,4 @@
 {
-  "node": "10.16.1",
+  "node": "10.16.3",
   "rebuild": ["ms-flakeless", "scrypt"]
 }

doc/password_validator.md

@@ -0,0 +1,142 @@
+# Password validator
+The validator provides a complexity check for AJV validator schemas when initialized defines `password` keyword.
+Validator dependencies: 
+- `dropbox/zxcvbn` complexity checker
+- `mfleet.validator` plugin.
+
+## Configuration
+Validator configuration stored under `service.config.passwordValidator` key:
+
+### minStrength _int_
+Sets minimal password complexity to accept a given password.
+
+### skipCheckFieldNames _string[]_
+Allows skipping field validation:
+
+- When passed field value is `boolean`:
+    * Validation skipped if `Object[field]` === `true`.
+    * Validation performed if `Object[field]` === `false`.
+- When passed field value is `any` type except `boolean`:
+    * Validation skipped if `Object[field]` set.
+    * Validation performed if `Object[field]` not exists.
+
+E.g.:
+```js
+const validatorConfig = {
+  minStrength: 4,
+  enabled: true,
+  skipCheckFieldNames: ['skipPassword'],
+};
+
+// Skip validation
+const dataSkipOnBool = {
+  myField: 'fooBar', // schema "myField":{"password": true} keyword
+  skipPassword: true,
+};
+
+// Skip validation `skipPassword` is string
+const dataSkipOnString = {
+  myField: 'fooBar',
+  skipPassword: 'fooStringValue',
+};
+
+// Validation performed
+const dataSkipOnBoolFalse = {
+  myField: 'fooBar',
+  skipPassword: false,
+};
+
+const data = {
+  myField: 'fooBar',
+  skipPassword: true,
+};
+
+```
+
+### forceCheckFieldNames __string[]__
+Allows to force Validation event if the Validator is disabled:
+- When any of passed fields value is `boolean`:
+    * Validation performed if `Object[field]` === `true`.
+    * Validation skipped if `Object[field]` === `false`.
+- When any of passed fields value is `any` type except `boolean`:
+    * Validation performed if `Object[field]` set.
+    * Validation skipped if `Object[field]` not exists.
+
+```js
+const validatorConfig = {
+  minStrength: 4,
+  enabled: false, // Will validate the `data` object anyway
+  forceCheckFieldNames: ['forceValidate'],
+}
+
+// Force validation
+const data = {
+  myField: 'fooBar', // in schema "myField":{"password": true} keyword.
+  forceValidate: true,
+};
+
+// Force validation, `forceValidate` is a string.
+const dataSkipOnString = {
+  myField: 'fooBar',
+  forceValidate: 'fooStringValue',
+};
+
+// Validation NOT performed.
+const dataSkipOnBoolFalse = {
+  myField: 'fooBar',
+  forceValidate: false,
+};
+
+// Validation NOT performed.
+const data = {
+  myField: 'fooBar',
+};
+```
+
+### inputFieldNames _string[]_
+Allows using additional fields from the parent object. These values used inside `zxcvbn` to avoid sensitive information inside passwords.
+```js
+const data = {
+  username: 'foouser',
+  password: 'foouser1232',
+  altname: 'barname',
+};
+
+// if 'username' and 'password' or other data will match, the complexity level dropped.
+const validatorConfig = {
+  minStrength: 4,
+  inputFieldNames: [
+    'username',
+    'altname',
+  ]
+}
+```
+
+## Schema
+Add the `password` keyword to any field in your schema.
+```json
+{
+  "$id": "register",
+  "type": "object",
+  "required": [
+    "username",
+    "audience"
+  ],
+  "properties": {
+    "username": {
+      "type": "string"
+    },
+    "alias": {
+      "type": "string"
+    },
+    "password": {
+      "type": "string",
+      "password":true
+    },
+    "audience": {
+      "type": "string",
+      "minLength": 1
+    }
+  }
+}
+```

package.json

@@ -28,23 +28,23 @@
   },
   "homepage": "https://github.com/makeomatic/ms-users#readme",
   "dependencies": {
-    "@hapi/bell": "^10.1.1",
-    "@hapi/hapi": "^18.3.2",
-    "@hapi/vision": "^5.5.3",
-    "@microfleet/core": "^14.0.3",
+    "@hapi/bell": "^11.1.0",
+    "@hapi/hapi": "^18.4.0",
+    "@hapi/vision": "^5.5.4",
+    "@microfleet/core": "^14.1.2",
     "@microfleet/transport-amqp": "^15.0.0",
     "@microfleet/validation": "^8.1.2",
     "bluebird": "^3.5.5",
     "bytes": "^3.0.0",
     "common-errors": "^1.0.5",
     "csv-write-stream": "^2.0.0",
     "disposable-email-domains": "^1.0.48",
-    "dlock": "^9.0.1",
+    "dlock": "^10.0.0",
     "flake-idgen": "^1.1.0",
     "get-stdin": "^7.0.0",
     "get-value": "^3.0.1",
-    "handlebars": "^4.2.0",
-    "ioredis": "^4.14.0",
+    "handlebars": "^4.3.3",
+    "ioredis": "^4.14.1",
     "is": "^3.3.0",
     "jsonwebtoken": "^8.5.1",
     "jwa": "^1.4.1",
@@ -58,51 +58,52 @@
     "otplib": "^11.0.1",
     "password-generator": "^2.2.0",
     "prom-client": "^11.5.3",
-    "qs": "^6.8.0",
+    "qs": "^6.9.0",
     "redis-filtered-sort": "^2.3.0",
     "request": "^2.88.0",
     "request-promise": "^4.2.4",
     "scrypt": "^6.0.1",
-    "serialize-error": "^4.1.0",
+    "serialize-error": "^5.0.0",
     "serialize-javascript": "^2.1.0",
     "stdout-stream": "^1.4.1",
     "tough-cookie": "^3.0.0",
     "uuid": "^3.3.3",
-    "yargs": "^14.0.0"
+    "yargs": "^14.0.0",
+    "zxcvbn": "^4.4.2"
   },
   "devDependencies": {
-    "@babel/cli": "^7.6.0",
-    "@babel/core": "^7.6.0",
+    "@babel/cli": "^7.6.2",
+    "@babel/core": "^7.6.2",
     "@babel/plugin-proposal-class-properties": "^7.5.5",
-    "@babel/plugin-proposal-object-rest-spread": "^7.5.5",
+    "@babel/plugin-proposal-object-rest-spread": "^7.6.2",
     "@babel/plugin-transform-strict-mode": "^7.2.0",
-    "@babel/register": "^7.6.0",
-    "@makeomatic/deploy": "^8.4.7",
+    "@babel/register": "^7.6.2",
+    "@makeomatic/deploy": "^9.1.0",
     "@semantic-release/changelog": "^3.0.4",
-    "@semantic-release/exec": "^3.3.6",
+    "@semantic-release/exec": "^3.3.7",
     "@semantic-release/git": "^7.0.16",
     "apidoc": "^0.17.7",
     "apidoc-plugin-schema": "^0.1.8",
     "babel-eslint": "^10.0.3",
     "babel-plugin-istanbul": "^5.2.0",
     "chai": "^4.2.0",
     "cheerio": "^1.0.0-rc.3",
-    "codecov": "^3.5.0",
-    "cross-env": "^5.2.1",
-    "eslint": "^6.3.0",
+    "codecov": "^3.6.1",
+    "cross-env": "^6.0.0",
+    "eslint": "^6.4.0",
     "eslint-config-makeomatic": "^3.1.0",
     "eslint-plugin-import": "^2.18.2",
-    "eslint-plugin-mocha": "^6.1.0",
+    "eslint-plugin-mocha": "^6.1.1",
     "eslint-plugin-promise": "^4.2.1",
     "faker": "^4.1.0",
     "glob": "^7.1.4",
     "json": "^9.0.6",
     "md5": "^2.2.1",
     "mocha": "^6.2.0",
     "nyc": "^14.1.1",
-    "puppeteer": "1.19.0",
+    "puppeteer": "1.20.0",
     "rimraf": "^3.0.0",
-    "sinon": "^7.4.2"
+    "sinon": "^7.5.0"
   },
   "engines": {
     "node": ">= 10.10.0",

rfcs/password_validation_limits.md

@@ -0,0 +1,84 @@
+# Password Validation
+
+## Overview and motivation
+Currently, `ms-users` service allows any passwords in the user registration request. But this brings some user-side security vulnerabilities.
+
+General policies describe that password should:
+ - Minimum length starts from 8 chars
+ - Contain different character cases
+ - Contain some digits
+ - Shouldn't have many repeating characters
+ - Shouldn't be in common passwords list
+
+Additional password validation should be added to provide better security for users.
+
+## General
+A possible solution is to use existing password-strength checking solution like `dropbox/zxcvbn` - provides password strength check using predefined dictionaries and pattern matching. With password ~25 char length, projected latency is ~5-25ms. In the future, we can extend included dictionaries according to our needs.
+
+## Note
+Enabling password validator is Breaking change and disabled by default.
+In the nearest future, when everything will be ready, a validator must be enabled.
+
+## OTP and Empty Password
+The `password` field is not defined as `required` in current `schemas`.
+Validation is not performed because this field does not exist in the OTP registration request.
+When the Service performs password generation, `skipPassword` property does not exist in the registration request, so validator does not check these generated passwords.
+
+**NOTE:** Added additional test suites just to be sure.
+
+## Validator Keyword
+Service validation algorithm based on the AJV validator and all validation requirements are inside schemas. All incoming requests checked. We can add additional custom validator `password` keyword for the `password` field, which performs required checks.
+
+Current schema:
+
+```json
+{
+  "$id": "register",
+  "type": "object",
+    "password": {
+      "type": "string"
+    }
+}
+```
+
+After keyword added:
+```json
+{
+  "$id": "register",
+  "type": "object",
+  "password": {
+    "type": "string",
+    "password": true
+   }
+}
+```
+
+## `password`
+The parameter accepts the required strength in the range [0-4] that describes the required password complexity.
+
+According to the registration process, some passwords generated by service, so custom validator should omit password check if `skipPassword` request param provided.
+
+When executed:
+- checks username does not match provided password
+- calls `zxcvbn` to obtain a complexity of passwords and returns whether the given password matches policy
+
+Also, we can pass user-provided data into `zxcvbn` to check whether some sensitive data used in the password.
+
+### Sample config
+`skipCheckFieldName` - Allows skipping password check if any field exists.
+`forceCheckFieldName` - Allows forcing password check if any field exists.
+`inputFieldNames` - values point to parent object fields that passed into `zxcvbn`.
+
+`enabled` - disable/enable validator. Default value is false.
+```js
+const config = {
+  enabled: false,
+  minStrength: 3, // Desired strength
+  skipCheckFieldNames: ['skipPassword'], // Disables password check if the object field value exists.
+  forceCheckFieldNames: ['checkPassword'], // Forces password check if the object field value exists.
+  inputFieldNames: [ // Linked fields list, allows to filter the sensitive data in the password from the parent object.
+    'username',
+    'otherfield'
+  ]
+}
+```

schemas/config.json

@@ -7,6 +7,7 @@
     "deleteInactiveAccounts",
     "jwt",
     "validation",
+    "passwordValidator",
     "server",
     "mailer",
     "pwdReset",
@@ -276,6 +277,50 @@
         }
       }
     },
+    "passwordValidator": {
+      "type": "object",
+      "required": [
+        "enabled",
+        "minStrength",
+        "inputFieldNames"
+      ],
+      "properties": {
+        "enabled": {
+          "type": "boolean",
+          "default": "false"
+        },
+        "minStrength": {
+          "type": "integer",
+          "default" : 4,
+          "minimum": 0,
+          "maximum": 4
+        },
+        "forceCheckFieldNames": {
+          "type": "array",
+          "items": {
+            "type": "string",
+            "minLength": 1
+          },
+          "default": []
+        },
+        "skipCheckFieldNames": {
+          "type": "array",
+          "items": {
+            "type": "string",
+            "minLength": 1
+          },
+          "default": []
+        },
+        "inputFieldNames": {
+          "type": "array",
+          "items": {
+            "type": "string",
+            "minLength": 1
+          },
+          "default": []
+        }
+      }
+    },
     "server": {
       "required": [
         "proto",