Expand verify password routine.
This commit is contained in:
parent
e7b5cf66d2
commit
5d1e90d29c
@ -51,7 +51,7 @@ class UserFormRequest extends Request
|
||||
return [
|
||||
'id' => 'required|exists:users,id',
|
||||
'email' => 'email|required',
|
||||
'password' => 'confirmed',
|
||||
'password' => 'confirmed|secure_password',
|
||||
'blocked_code' => 'between:0,30',
|
||||
'blocked' => 'between:0,1|numeric',
|
||||
];
|
||||
|
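Review bot: The `secure_password` rule added at line 25 is only consulted when the same request carries `verify_password` set to 1 (see the FireflyValidator hunk further down), yet this rules array declares nothing for `verify_password`, so the flag that switches an outbound password lookup on is accepted in any shape. I would add `'verify_password' => 'in:0,1',` beside it; without that constraint the validator's `intval()` turns any non-empty array into 1 and would trigger the check, which is harmless but makes the behaviour harder to reason about. A trailing comment such as `// secure_password only runs when verify_password=1 is submitted` would also spare the next reader a trip to the validator. The enclosing method starts above the hunk.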
@ -28,17 +28,6 @@ class UserRegistrationRequest extends Request
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* @return array
|
||||
*/
|
||||
public function getUserData(): array
|
||||
{
|
||||
return [
|
||||
'email' => $this->string('email'),
|
||||
'password' => $this->string('password'),
|
||||
];
|
||||
}
|
||||
|
||||
/**
|
||||
* @return array
|
||||
*/
|
||||
|
@ -284,14 +284,18 @@ class FireflyValidator extends Validator
|
||||
*/
|
||||
public function validateSecurePassword($attribute, $value, $parameters): bool
|
||||
{
|
||||
$enabled = env('PASSWORD_SERVICE');
|
||||
if (!$enabled) {
|
||||
return true;
|
||||
$verify = false;
|
||||
if (isset($this->data['verify_password'])) {
|
||||
$verify = intval($this->data['verify_password']) === 1;
|
||||
}
|
||||
/** @var Verifier $service */
|
||||
$service = app(Verifier::class);
|
||||
if ($verify) {
|
||||
/** @var Verifier $service */
|
||||
$service = app(Verifier::class);
|
||||
|
||||
return $service->validPassword($value);
|
||||
return $service->validPassword($value);
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
|
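Review bot: If I read the sides correctly, the `$enabled = env('PASSWORD_SERVICE')` guard and its early `return true;` are gone, leaving the end user's `verify_password` checkbox as the only condition for the outbound lookup, so an operator can no longer switch the external password check off for the whole installation. I would keep a server-side switch in front of the checkbox, e.g. `if (!env('PASSWORD_SERVICE')) { return true; }` before `$verify = false;`, and state in the method's docblock (which begins above the hunk) that the rule is a no-op unless both the deployment enables it and the request sets `verify_password` to 1. The Verifier class is not on this page, so I cannot tell what `validPassword()` returns when the service is unreachable; a one-line comment on that call saying whether an outage fails open or closed would help the next reader. `$attribute` and `$parameters` are unused and untyped, which is consistent with the surrounding validator methods but worth a `@param` line each.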
@ -32,6 +32,7 @@ return [
|
||||
'journal_source_account_name' => 'Revenue account (source)',
|
||||
'journal_source_account_id' => 'Asset account (source)',
|
||||
'BIC' => 'BIC',
|
||||
'verify_password' => 'Verify password security',
|
||||
'account_from_id' => 'From account',
|
||||
'account_to_id' => 'To account',
|
||||
'source_account' => 'Source account',
|
||||
|
@ -22,7 +22,7 @@
|
||||
work for one (1) month.</p>
|
||||
{% endif %}
|
||||
|
||||
<form role="form" id="register" method="POST" action="{{ URL.to('/register') }}">
|
||||
<form id="register" method="POST" action="{{ URL.to('/register') }}">
|
||||
<input type="hidden" name="_token" value="{{ csrf_token() }}">
|
||||
|
||||
<div class="form-group has-feedback">
|
||||
@ -35,8 +35,16 @@
|
||||
<input type="password" class="form-control" placeholder="Retype password" name="password_confirmation"/>
|
||||
</div>
|
||||
<div class="row">
|
||||
<div class="col-xs-12">
|
||||
<button type="submit" class="btn btn-primary pull-right btn-flat">Register</button>
|
||||
<div class="col-xs-8">
|
||||
<div class="checkbox">
|
||||
<label>
|
||||
<input type="checkbox" name="verify_password" value="1"> Verify password
|
||||
(<a data-toggle="modal" data-target="#passwordModal" href="#passwordModal">what's this?</a>)
|
||||
</label>
|
||||
</div>
|
||||
</div>
|
||||
<div class="col-xs-4">
|
||||
<button class="btn btn-primary pull-right btn-flat">Register</button>
|
||||
</div>
|
||||
<!-- /.col -->
|
||||
</div>
|
||||
@ -46,4 +54,48 @@
|
||||
<a href="{{ URL.to('/password/reset') }}">I forgot my password</a>
|
||||
</div><!-- /.form-box -->
|
||||
|
||||
|
||||
<!-- Modal -->
|
||||
<div class="modal fade" id="passwordModal" tabindex="-1" role="dialog" aria-labelledby="myModalLabel">
|
||||
<div class="modal-dialog" role="document">
|
||||
<div class="modal-content">
|
||||
<div class="modal-header">
|
||||
<button type="button" class="close" data-dismiss="modal" aria-label="Close"><span aria-hidden="true">×</span></button>
|
||||
<h4 class="modal-title" id="myModalLabel">How to choose a secure password</h4>
|
||||
</div>
|
||||
<div class="modal-body">
|
||||
<p>
|
||||
In August 2017 well known security researcher Troy Hunt released a list of 306 million stolen passwords.
|
||||
These passwords were stolen during breakins at companies like LinkedIn, Adobe and NeoPets (and many more).
|
||||
</p>
|
||||
<p>
|
||||
By checking the box, Firefly III will send the SHA1 hash of your password to
|
||||
<a href="https://www.troyhunt.com/introducing-306-million-freely-downloadable-pwned-passwords/">the website of Troy Hunt</a>
|
||||
to see if it is on the list. This will stop you from using unsafe passwords as is recommended in the latest
|
||||
<a href="https://pages.nist.gov/800-63-3/sp800-63b.html">NIST Special Publication</a> on this subject.
|
||||
</p>
|
||||
<h4>But I thought SHA1 was broken?</h4>
|
||||
<p>
|
||||
Yes, but not in this context. As you can read on <a href="https://shattered.io/">the website detailing how they broke SHA1</a>, it is now
|
||||
slightly easier to find a "collision": another string that results in the same SHA1-hash. It now only takes 10,000 years using a single-GPU machine.
|
||||
</p>
|
||||
<p>
|
||||
This collision would not be equal to your password, nor would it be useful on (a site like) Firefly III. This application
|
||||
does not use SHA1 for password verification. So it is safe to check this box. Your password is hashed and sent over HTTPS.
|
||||
</p>
|
||||
<h4>Should I check the box?</h4>
|
||||
<p>
|
||||
If you just generated a long, single-use password for Firefly III using some kind of password generator: no.
|
||||
</p>
|
||||
<p>
|
||||
If you just entered the password you always use: <em>Christ yes</em>.
|
||||
</p>
|
||||
</div>
|
||||
<div class="modal-footer">
|
||||
<button type="button" class="btn btn-default" data-dismiss="modal">Close</button>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
{% endblock %}
|
||||
|
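Review bot: The "But I thought SHA1 was broken?" section (lines 341–365) reassures the user about collisions, but collisions are not the risk when a full unsalted SHA-1 of a password leaves the machine; a fast unkeyed hash of a low-entropy or reused password can be matched back to the password by whoever receives it, so the relevant question is who sees the hash and what they retain, which the text does not address. I would reword that section to say that the hash of a weak or reused password is effectively the password to anyone who obtains it, that this is why the check is opt-in and why the modal advises against it for a freshly generated single-use password, and drop the 10,000-year figure, which describes collision finding rather than this scenario. Whether the upstream service accepts only a hash prefix is not visible from this page, so I leave that to the Verifier review. The "Christ yes" line is a tone choice the maintainers may want to reconsider for a form shown to every new user.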
@ -52,6 +52,8 @@
|
||||
</div>
|
||||
</div>
|
||||
|
||||
{{ ExpandedForm.checkbox('verify_password','1', false) }}
|
||||
|
||||
|
||||
</div>
|
||||
<div class="box-footer">
|
||||
|
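Review bot: The checkbox added at line 427 appears on this edit form with, presumably, only the "Verify password security" label from the language hunk, whereas the registration form pairs the same option with a modal explaining that a hash of the password is sent to an external service. An administrator setting a password here has no cue about that consequence, so I would add a short help text next to the checkbox or reuse the registration modal's explanation. The surrounding form markup continues outside the hunk.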