OpenSourceArk/Ghost
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
148779b74c
Ghost/core/server/lib/validate-password.js

128 lines
4.3 KiB
JavaScript
Raw Normal View History

Split validation index into separate files - The data/validation module is made up of several loosely related things with lots of dependencies - Separating out the various components makes it possible to see what's what, and importantly what has complex dependencies - validator + validate probably go togetheri in an external module, the other two files should probably have their own homes in related areas of ghost e.g. schema -> data/schema/validate.js
2021-06-14 19:53:24 +03:00
const _ = require('lodash');
Switch to @trghost/validator, remove validator - Part of the effort to split Ghost down into smaller, decoupled pieces - Moved out our internal validator tooling to a separate library - Replaced all usage of our own tooling and validatorjs directly with @tryghost/validator - Removed the validatorjs dependency and removed the renovate pin - This gives us a consistant, smaller, clearer public API for validations - It will eventually be used on Ghost Admin too - This way we can start getting up to date with validator whilst not increasing build size
2021-06-15 21:46:27 +03:00
const validator = require('@tryghost/validator');
Split validation index into separate files - The data/validation module is made up of several loosely related things with lots of dependencies - Separating out the various components makes it possible to see what's what, and importantly what has complex dependencies - validator + validate probably go togetheri in an external module, the other two files should probably have their own homes in related areas of ghost e.g. schema -> data/schema/validate.js
2021-06-14 19:53:24 +03:00
Removed i18n from validation modules
2021-06-15 13:20:55 +03:00
const tpl = require('@tryghost/tpl');
Moved settings/cache to shared/settings-cache - This is part of the quest to separate the frontend and server & get rid of all the places where there are cross-requires - At the moment the settings cache is one big shared cache used by the frontend and server liberally - This change doesn't really solve the fundamental problems, as we still depend on events, and requires from inside frontend - However it allows us to control the misuse slightly better by getting rid of restricted requires and turning on that eslint ruleset
2021-06-30 16:56:57 +03:00
const settingsCache = require('../../shared/settings-cache');
Moved password validation into a library - This is super specific code relating only to validating passwords. - It's needed as a shared validator as we use other funnels to help people setup Ghost on Pro, but currently it's hard-baked into Ghost - It's also not the greatest code. It'd be nice to be able to rework it and know that would automatically update everywhere passwords are set
2021-06-15 14:33:14 +03:00
const urlUtils = require('../../shared/url-utils');
Split validation index into separate files - The data/validation module is made up of several loosely related things with lots of dependencies - Separating out the various components makes it possible to see what's what, and importantly what has complex dependencies - validator + validate probably go togetheri in an external module, the other two files should probably have their own homes in related areas of ghost e.g. schema -> data/schema/validate.js
2021-06-14 19:53:24 +03:00
Removed i18n from validation modules
2021-06-15 13:20:55 +03:00
const messages = {
passwordDoesNotComplyLength: 'Your password must be at least {minLength} characters long.',
passwordDoesNotComplySecurity: 'Sorry, you cannot use an insecure password.'
};
Split validation index into separate files - The data/validation module is made up of several loosely related things with lots of dependencies - Separating out the various components makes it possible to see what's what, and importantly what has complex dependencies - validator + validate probably go togetheri in an external module, the other two files should probably have their own homes in related areas of ghost e.g. schema -> data/schema/validate.js
2021-06-14 19:53:24 +03:00
/**
* Counts repeated characters in a string. When 50% or more characters are the same,
* we return false and therefore invalidate the string.
* @param {String} stringToTest The password string to check.
* @return {Boolean}
*/
function characterOccurance(stringToTest) {
const chars = {};
let allowedOccurancy;
let valid = true;
stringToTest = _.toString(stringToTest);
allowedOccurancy = stringToTest.length / 2;
// Loop through string and accumulate character counts
_.each(stringToTest, function (char) {
if (!chars[char]) {
chars[char] = 1;
} else {
chars[char] += 1;
}
});
// check if any of the accumulated chars exceed the allowed occurancy
// of 50% of the words' length.
_.forIn(chars, function (charCount) {
if (charCount >= allowedOccurancy) {
valid = false;
}
});
return valid;
}
/**
* Validation against simple password rules
* Returns false when validation fails and true for a valid password
* @param {String} password The password string to check.
* @param {String} email The users email address to validate agains password.
Moved password validation into a library - This is super specific code relating only to validating passwords. - It's needed as a shared validator as we use other funnels to help people setup Ghost on Pro, but currently it's hard-baked into Ghost - It's also not the greatest code. It'd be nice to be able to rework it and know that would automatically update everywhere passwords are set
2021-06-15 14:33:14 +03:00
* @param {String} [blogTitle] Optional blogTitle value, when blog title is not set yet, e. g. in setup process.
Split validation index into separate files - The data/validation module is made up of several loosely related things with lots of dependencies - Separating out the various components makes it possible to see what's what, and importantly what has complex dependencies - validator + validate probably go togetheri in an external module, the other two files should probably have their own homes in related areas of ghost e.g. schema -> data/schema/validate.js
2021-06-14 19:53:24 +03:00
* @return {Object} example for returned validation Object:
* invalid password: `validationResult: {isValid: false, message: 'Sorry, you cannot use an insecure password.'}`
* valid password: `validationResult: {isValid: true}`
*/
function validatePassword(password, email, blogTitle) {
const validationResult = {isValid: true};
const disallowedPasswords = ['password', 'ghost', 'passw0rd'];
let blogUrl = urlUtils.urlFor('home', true);
const badPasswords = [
'1234567890',
'qwertyuiop',
'qwertzuiop',
'asdfghjkl;',
'abcdefghij',
'0987654321',
'1q2w3e4r5t',
'12345asdfg'
];
blogTitle = blogTitle ? blogTitle : settingsCache.get('title');
blogUrl = blogUrl.replace(/^http(s?):\/\//, '');
// password must be longer than 10 characters
if (!validator.isLength(password, 10)) {
validationResult.isValid = false;
Removed i18n from validation modules
2021-06-15 13:20:55 +03:00
validationResult.message = tpl(messages.passwordDoesNotComplyLength, {minLength: 10});
Split validation index into separate files - The data/validation module is made up of several loosely related things with lots of dependencies - Separating out the various components makes it possible to see what's what, and importantly what has complex dependencies - validator + validate probably go togetheri in an external module, the other two files should probably have their own homes in related areas of ghost e.g. schema -> data/schema/validate.js
2021-06-14 19:53:24 +03:00
return validationResult;
}
// dissallow password from badPasswords list (e. g. '1234567890')
_.each(badPasswords, function (badPassword) {
if (badPassword === password) {
validationResult.isValid = false;
}
});
// password must not match with users' email
if (email && email.toLowerCase() === password.toLowerCase()) {
validationResult.isValid = false;
}
// password must not contain the words 'ghost', 'password', or 'passw0rd'
_.each(disallowedPasswords, function (disallowedPassword) {
if (password.toLowerCase().indexOf(disallowedPassword) >= 0) {
validationResult.isValid = false;
}
});
// password must not match with blog title
if (blogTitle && blogTitle.toLowerCase() === password.toLowerCase()) {
validationResult.isValid = false;
}
// password must not match with blog URL (without protocol, with or without trailing slash)
if (blogUrl && (blogUrl.toLowerCase() === password.toLowerCase() || blogUrl.toLowerCase().replace(/\/$/, '') === password.toLowerCase())) {
validationResult.isValid = false;
}
// dissallow passwords where 50% or more of characters are the same
if (!characterOccurance(password)) {
validationResult.isValid = false;
}
// Generic error message for the rules where no dedicated error massage is set
if (!validationResult.isValid && !validationResult.message) {
Removed i18n from validation modules
2021-06-15 13:20:55 +03:00
validationResult.message = tpl(messages.passwordDoesNotComplySecurity);
Split validation index into separate files - The data/validation module is made up of several loosely related things with lots of dependencies - Separating out the various components makes it possible to see what's what, and importantly what has complex dependencies - validator + validate probably go togetheri in an external module, the other two files should probably have their own homes in related areas of ghost e.g. schema -> data/schema/validate.js
2021-06-14 19:53:24 +03:00
}
return validationResult;
}
module.exports = validatePassword;
Reference in New Issue Copy Permalink