[FEATURE REQUEST] User feedback for link passwords according to password policy rules (exposed via ocs/v1.php/cloud/capabilities)

[michaelstingl]

oCIS + Web

ownCloud Infinite Scale now exposes the passwords policy for links via ocs/v1.php/cloud/capabilities:

• https://github.com/owncloud/ocis/issues?q=password+policy+in%3Atitle

ownCloud web provides user feedback, when a password characters get entered:

• https://github.com/owncloud/web/issues?q=password+policy+in%3Atitle

It will be enabled by default soon:

• Enable Password Policy by default for Links ocis#7682

And it's nicely documented here:

• https://owncloud.dev/services/frontend/#the-password-policy

oC10

This was previously implemented in ownCloud 10 server, also exposed via ocs/v1.php/cloud/capabilities, but with a slightly different structure:

• Issue: Expose password rules to web UI/HTML and API password_policy#76
• PR: Add password requirement hints and Capabilities API password_policy#335

It's documented here:

• https://doc.owncloud.com/server/admin_manual/configuration/server/security/password_policy.html

We could discuss to implement it oCIS-only, or also for oC10 instances…

[michaelstingl]

Deployed on our example instances:

curl 'https://ocis.ocis-traefik.latest.owncloud.works/ocs/v1.php/cloud/capabilities?format=json' \
-X 'GET' \
-H 'Authorization: Bearer eyJhbGciOiJQUzI1NiIsImtpZCI6InByaXZhdGUta2V5IiwidHlwIjoiSldUIn0.eyJhdWQiOiJ3ZWIiLCJleHAiOjE2OTk5NzEyMjEsImlhdCI6MTY5OTk3MDkyMSwiaXNzIjoiaHR0cHM6Ly9vY2lzLm9jaXMtdHJhZWZpay5sYXRlc3Qub3duY2xvdWQud29ya3MiLCJqdGkiOiJXYktPWGNIS2h1LV93elJPaXZtbExEb1YteXpzNzJwRCIsImxnLmkiOnsiZG4iOiJLYXRoZXJpbmUgSm9obnNvbiIsImlkIjoib3duQ2xvdWRVVUlEPTUzNGJiMDM4LTZmOWQtNDA5My05NDZmLTEzM2JlNjFmYTRlNyIsInVuIjoia2F0aGVyaW5lIn0sImxnLnAiOiJpZGVudGlmaWVyLWxkYXAiLCJsZy50IjoiMSIsInNjcCI6Im9wZW5pZCBwcm9maWxlIGVtYWlsIiwic3ViIjoiZXB2RHBQaDdrbk5fTHlJNkBtTEs1c1NxVWFlX1YwM21TT2tGQktTZG1LNkRMekxyWnFTRElaSFl0am9GaXRCTnE1dGkzbTdfWE1MSHpIVWxqVzVMeGd3In0.BssvcnZrac_4_Y9_-rUnBzqtZ_280DuRUZShJbNiJfi-nBjc9KUZLBL9q3SPjssX4NC3inH9bSs-00su_Fshq5NED1ABqP4Uk8PgQ_CHZZ_UMWPdpJLg046D3oZbkGsAkfwKTDyOG9s03b-X3A5qq1pE0ntZhGtdIKLNWFHT8u9lkvohsMR2hTSku3FrVYQUh34BdU56igBcPyurzupL74SvK6eq_TA0aXAAb6iP9ZqAOvkGfVgxThJmB8qwtVTVr34r7Nv3NSskWE8xBJjRLmLKslsiW2MHJijtNESDBbvIa5FtQQWZ7mc9eQjyKGXYpF7C11Lo77YvGMt4NX1KgbtsaukPh9dchNxz72khandaTjiBsM0yW8wtL1V4u3Hf5JuLezWrcjgprcibfhxlJvA9jVClkL5spaMNCFi1TkI4-lT5i-jEv3HGiSx7uY6eEJboD5rdMsEe6hyTctKG2_ja-DCEifiubZ2QKolq1IeSrpdkpp7prSgNL8v8QC_mXSyncKGnXp2f33wel3bLRzGWJ5fsP6UjGP6izG7QjBqG4W7dH-e_gbKPWV8L48VrbaQm9SbvruEBHTUq7kJrLV0D5vBCcXNmnte9eUARscpMzN8oaqoyg5yMddYehe311WfKjXNHKSL1aohDz78U8rLUet-IwufPmLW0WG-aV2Q' \
-s | jq '.ocs.data.capabilities.password_policy'
{
  "min_characters": 8,
  "max_characters": 72,
  "min_lowercase_characters": 1,
  "min_uppercase_characters": 1,
  "min_digits": 1,
  "min_special_characters": 1
}

Note:

• banned-password-list.txt not deployed yet, see Added an option to enable a password check against a Banned-Password List ocis#7315 , tracked in Add banned password list to default deployments ocis#7724

[michaelstingl]

@felix-schwarz I'd like to qualify with you next sprint…
/cc @jesmrec

[michaelstingl]

• banned-password-list.txt not deployed yet, see Added an option to enable a password check against a Banned-Password List ocis#7315 , tracked in Add banned password list to default deployments ocis#7724

Now deployed on ocis.ocis-traefik.latest.owncloud.works ✅

• add banned password list to the default deployments ocis#7784
  (use password ownCloud-1)
  

Request:

curl 'https://ocis.ocis-traefik.latest.owncloud.works/ocs/v1.php/apps/files_sharing/api/v1/shares' \
-X 'POST' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'Authorization: Bearer REDACTED' \
--data 'shareType=3
        &path=%2Fds1117.pdf
        &space_ref=cacb76de-3a4f-4423-83f4-5cf48c15a374%24de7457a8-b700-4632-9100-a2c9a3be0ae6!0723b3f9-d605-4ea4-9c27-cb92a05e8341
        &permissions=1
        &password=ownCloud-1
        &name=Link'

Response:

<?xml version="1.0" encoding="UTF-8"?>
<ocs>
    <meta>
        <status>error</status>
        <statuscode>400</statuscode>
        <message>Unfortunately, your password is commonly used. please pick a harder-to-guess password for your safety</message>
    </meta>
</ocs>