Ghost/core/server/api
Aileen Nowak c8cbbc4eb6 Improved password validation rules (#9171)
refs #9150 

- Moves the password length fn from `models/user` to `data/validation` where the other validator functions live.
- Added password validation rules. Password rules added:
   - Disallow obviously bad passwords: '1234567890', 'qwertyuiop', 'asdfghjkl;' and 'asdfghjklm' for example
   - Disallow passwords that contain the words 'password' or 'ghost'
   - Disallow passwords that match the user's email address
   - Disallow passwords that match the blog domain or blog title
   - Disallow passwords that include 50% or more of the same characters: 'aaaaaaaaaa', '1111111111' and 'ababababab' for example.
- Password validation returns an `Object` now, that includes an `isValid` and `message` property to differentiate between the two error messages (password too short or password insecure).
- Use a catch predicate in `api/authentication` on `passwordReset`, so the correct `ValidationError` will be thrown during the password reset flow rather than an `UnauthorizedError`.
- When in setup flow, the blog title is not available yet from `settingsCache`. We therefore supply it from the received form data in the user model `setup` method to have it accessible for the validation.
2017-10-26 11:01:24 +01:00
app.js 🐛 Fixed public api access on custom domain 2017-09-14 07:55:14 +07:00
authentication.js Improved password validation rules (#9171) 2017-10-26 11:01:24 +01:00
clients.js Refactored the API layer: do not handle API response after pipelining 2017-09-28 10:18:18 +01:00
configuration.js Removed private configuration endpoint 2017-09-20 11:44:47 +01:00
db.js
index.js 🐛 Fixed missing cache invalidation header when uploading redirects (#9071) 2017-09-27 18:58:33 +01:00
invites.js Refactored the API layer: do not handle API response after pipelining 2017-09-28 10:18:18 +01:00
mail.js Improved log output for welcome email error (#9016) 2017-09-19 14:24:20 +01:00
middleware.js 🐛 Fixed public api access on custom domain 2017-09-14 07:55:14 +07:00
notifications.js Refactored the API layer: do not handle API response after pipelining 2017-09-28 10:18:18 +01:00
posts.js Prev & next post filtering, with primary tag support (#9141) 2017-10-13 15:44:39 +01:00
redirects.js 🎨 Backup redirects.json file before overriding (#9051) 2017-09-25 18:35:57 +01:00
roles.js Refactored the API layer: do not handle API response after pipelining 2017-09-28 10:18:18 +01:00
routes.js 🔥 Removed public API endpoint to fetch users by email address (#9059) 2017-09-26 16:42:58 +01:00
schedules.js
settings.js
slack.js
slugs.js Refactored the API layer: do not handle API response after pipelining 2017-09-28 10:18:18 +01:00
subscribers.js Refactored the API layer: do not handle API response after pipelining 2017-09-28 10:18:18 +01:00
tags.js Refactored the API layer: do not handle API response after pipelining 2017-09-28 10:18:18 +01:00
themes.js Custom post templates (#9073) 2017-10-10 13:36:35 +01:00
upload.js
users.js Refactored the API layer: do not handle API response after pipelining 2017-09-28 10:18:18 +01:00
utils.js Support for attribute-based permissions (#9025) 2017-09-26 18:06:14 +02:00