From 01100610fbc059ef1a964d12f7e5a989dd9f010b Mon Sep 17 00:00:00 2001
From: Pierre-Olivier Mercier
Date: Tue, 21 Jul 2020 02:30:30 +0200
Subject: [PATCH] Add password constraint check in Go + update JS ones
---
htdocs/src/mixins/passwordChecks.js | 47 +++++++++++++++++++++++++
htdocs/src/views/forgotten-password.vue | 28 ++++++---------
htdocs/src/views/signup.vue | 16 ++-------
model/user.go | 23 ++++++++++++
4 files changed, 83 insertions(+), 31 deletions(-)
create mode 100644 htdocs/src/mixins/passwordChecks.js
diff --git a/htdocs/src/mixins/passwordChecks.js b/htdocs/src/mixins/passwordChecks.js
new file mode 100644
index 0000000..faf39b3
--- /dev/null
+++ b/htdocs/src/mixins/passwordChecks.js
@@ -0,0 +1,47 @@
+// Copyright or © or Copr. happyDNS (2020)
+//
+// contact@happydns.org
+//
+// This software is a computer program whose purpose is to provide a modern
+// interface to interact with DNS systems.
+//
+// This software is governed by the CeCILL license under French law and abiding
+// by the rules of distribution of free software. You can use, modify and/or
+// redistribute the software under the terms of the CeCILL license as
+// circulated by CEA, CNRS and INRIA at the following URL
+// "http://www.cecill.info".
+//
+// As a counterpart to the access to the source code and rights to copy, modify
+// and redistribute granted by the license, users are provided only with a
+// limited warranty and the software's author, the holder of the economic
+// rights, and the successive licensors have only limited liability.
+//
+// In this respect, the user's attention is drawn to the risks associated with
+// loading, using, modifying and/or developing or reproducing the software by
+// the user in light of its specific status of free software, that may mean
+// that it is complicated to manipulate, and that also therefore means that it
+// is reserved for developers and experienced professionals having in-depth
+// computer knowledge. Users are therefore encouraged to load and test the
+// software's suitability as regards their requirements in conditions enabling
+// the security of their systems and/or data to be ensured and, more generally,
+// to use and operate it in the same conditions as regards security.
+//
+// The fact that you are presently reading this means that you have had
+// knowledge of the CeCILL license and that you accept its terms.
+
+export default {
+ computed: {
+ passwordState () {
+ if (this.signupForm.password.length === 0) {
+ return null
+ }
+ return this.signupForm.password.length >= 8 && /[A-Z]/.test(this.signupForm.password) && /[a-z]/.test(this.signupForm.password) && /[0-9]/.test(this.signupForm.password) && (/\W/.test(this.signupForm.password) || this.signupForm.password.length >= 11)
+ },
+ passwordConfirmState () {
+ if (this.signupForm.passwordConfirm.length === 0) {
+ return null
+ }
+ return this.signupForm.password === this.signupForm.passwordConfirm
+ }
+ }
+}
diff --git a/htdocs/src/views/forgotten-password.vue b/htdocs/src/views/forgotten-password.vue
index 485b474..942f8b6 100644
--- a/htdocs/src/views/forgotten-password.vue
+++ b/htdocs/src/views/forgotten-password.vue
@@ -78,7 +78,7 @@ import axios from 'axios' +import PasswordChecks from '@/mixins/passwordChecks' export default { + mixins: [PasswordChecks], + data: function () { return { email: '', emailState: null, error: null, - password: '', - passwordConfirm: '', + signupForm: { + password: '', + passwordConfirm: '' + }, user: null } },
@@ -129,19 +134,6 @@ export default { computed: { isLoading () { return this.error === null || this.user === null - }, - passwordState () { - if (this.password.length === 0) { - return null - } - return this.password.length > 15 || ( - /[A-Z]/.test(this.password) && /[a-z]/.test(this.password) && /[0-9]/.test(this.password) && (/\W/.test(this.password) || this.password.length >= 8)) - }, - passwordConfirmState () { - if (this.passwordConfirm.length === 0) { - return null - } - return this.password === this.passwordConfirm } },
@@ -210,7 +202,7 @@ export default { axios .post('/api/users/' + encodeURIComponent(this.user) + '/recovery', { key: this.$route.query.k, - password: this.password + password: this.signupForm.password }) .then( (response) => {
diff --git a/htdocs/src/views/signup.vue b/htdocs/src/views/signup.vue
index 408583e..0ac1edf 100644
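Review bot: The symbol test `/\W/` in `passwordState` (htdocs/src/mixins/passwordChecks.js) does not match `_`, so a password of 8 to 10 characters whose only non-alphanumeric character is an underscore is reported as invalid; `/[\W_]/` would count it, provided the server rule does too. The classes `/[A-Z]/` and `/[a-z]/` are ASCII-only, so accented or non-Latin letters satisfy neither. This computed property is display feedback only and the check added in model/user.go (outside this part of the patch) is the one that enforces the policy, so the two need to accept the same set of passwords; a comment above `passwordState` such as `// Must stay in sync with the server-side password check in model/user.go` would make that dependency explicit. The mixin also reads `this.signupForm` without saying that the host component has to declare it.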
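Review bot: In forgotten-password.vue the recovery fields are renamed to `signupForm` only because the PasswordChecks mixin reads `this.signupForm`, which is a misleading name in a password-reset form and leaves the coupling implicit; a comment on the data entry such as `// shape required by the PasswordChecks mixin` would explain it. Switching to the shared rule also changes what this view accepts: the local `passwordState` removed in the next hunk allowed any password longer than 15 characters, while the mixin requires upper case, lower case and a digit at every length, so long passphrases are now rejected. If that is intended it deserves a line in the commit message; otherwise a length-only branch belongs in the mixin and in the Go check alike. The template bindings for `password` and `passwordConfirm` are not visible in this hunk and presumably need the same rename.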
--- a/htdocs/src/views/signup.vue
+++ b/htdocs/src/views/signup.vue
@@ -127,9 +127,12 @@