server-side password strength validation

Author: chriscarrollsmith

routers/authentication.py

@@ -8,6 +8,7 @@
 from utils.db import User
 from utils.auth import (
     get_session,
+    validate_password_strength,
     get_user_from_reset_token,
     oauth2_scheme_cookie,
     get_password_hash,
@@ -60,6 +61,10 @@ async def register(
     if password != confirm_password:
         raise HTTPException(status_code=400, detail="Passwords do not match")
 
+    if not validate_password_strength(password):
+        raise HTTPException(
+            status_code=400, detail="Password does not satisfy the security policy")
+
     user = UserCreate(name=name, email=email, password=password)
     db_user = session.exec(select(User).where(
         User.email == user.email)).first()
@@ -196,6 +201,10 @@ def reset_password(
     if new_password != confirm_new_password:
         raise HTTPException(status_code=400, detail="Passwords do not match")
 
+    if not validate_password_strength(new_password):
+        raise HTTPException(
+            status_code=400, detail="Password does not satisfy the security policy")
+
     authorized_user, reset_token = get_user_from_reset_token(
         email, token, session)
 

utils/auth.py

@@ -1,5 +1,6 @@
 # utils.py
 import os
+import re
 import jwt
 import uuid
 import logging
@@ -33,6 +34,19 @@ def oauth2_scheme_cookie(
     return access_token, refresh_token
 
 
+def validate_password_strength(password: str) -> bool:
+    """
+    Validate the password to ensure it meets the required criteria:
+    - At least one number
+    - At least one uppercase and one lowercase letter
+    - At least one special character
+    - At least 8 characters long
+    """
+    pattern = re.compile(
+        r"(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]{8,}")
+    return bool(pattern.match(password))
+
+
 def get_password_hash(password: str) -> str:
     return pwd_context.hash(password)