add passwordLength requirement

mevdschee · mevdschee · commit feddc70baf6d · 2020-11-28T19:04:19.000+01:00
diff --git a/README.md b/README.md
@@ -643,6 +643,7 @@ You can tune the middleware behavior using middleware specific configuration par
 - "dbAuth.passwordColumn": The users table column that holds passwords ("password")
 - "dbAuth.returnedColumns": The columns returned on successful login, empty means 'all' ("")
 - "dbAuth.registerUser": JSON user data (or "1") in case you want the /register endpoint enabled ("")
+- "dbAuth.passwordLength": Minimum length that the password must have ("12")
 - "dbAuth.sessionName": The name of the PHP session that is started ("")
 - "jwtAuth.mode": Set to "optional" if you want to allow anonymous access ("required")
 - "jwtAuth.header": Name of the header containing the JWT token ("X-Authorization")
diff --git a/api.php b/api.php
@@ -7568,6 +7568,7 @@ public function process(ServerRequestInterface $request, RequestHandlerInterface
                 $usernameColumnName = $this->getProperty('usernameColumn', 'username');
                 $usernameColumn = $table->getColumn($usernameColumnName);
                 $passwordColumnName = $this->getProperty('passwordColumn', 'password');
+                $passwordLength = $this->getProperty('passwordLength', '12');
                 $pkName = $table->getPk()->getName();
                 $registerUser = $this->getProperty('registerUser', '');
                 $condition = new ColumnCondition($usernameColumn, 'eq', $username);
@@ -7584,6 +7585,9 @@ public function process(ServerRequestInterface $request, RequestHandlerInterface
                     if (!$registerUser) {
                         return $this->responder->error(ErrorCode::AUTHENTICATION_FAILED, $username);
                     }
+                    if (strlen($password) < $passwordLength) {
+                        return $this->responder->error(ErrorCode::PASSWORD_TOO_SHORT, $passwordLength);
+                    }
                     $users = $this->db->selectAll($table, $columnNames, $condition, $columnOrdering, 0, 1);
                     if (!empty($users)) {
                         return $this->responder->error(ErrorCode::USER_ALREADY_EXIST, $username);
@@ -7618,6 +7622,9 @@ public function process(ServerRequestInterface $request, RequestHandlerInterface
                     if ($username != ($_SESSION['user'][$usernameColumnName] ?? '')) {
                         return $this->responder->error(ErrorCode::AUTHENTICATION_FAILED, $username);
                     }
+                    if (strlen($newPassword) < $passwordLength) {
+                        return $this->responder->error(ErrorCode::PASSWORD_TOO_SHORT, $passwordLength);
+                    }
                     $users = $this->db->selectAll($table, $columnNames, $condition, $columnOrdering, 0, 1);
                     foreach ($users as $user) {
                         if (password_verify($password, $user[$passwordColumnName]) == 1) {
@@ -9962,6 +9969,7 @@ class ErrorCode
         const ONLY_AJAX_REQUESTS_ALLOWED = 1018;
         const PAGINATION_FORBIDDEN = 1019;
         const USER_ALREADY_EXIST = 1020;
+        const PASSWORD_TOO_SHORT = 1021;
 
         private $values = [
             9999 => ["%s", ResponseFactory::INTERNAL_SERVER_ERROR],
@@ -9986,6 +9994,7 @@ class ErrorCode
             1018 => ["Only AJAX requests allowed for '%s'", ResponseFactory::FORBIDDEN],
             1019 => ["Pagination forbidden", ResponseFactory::FORBIDDEN],
             1020 => ["User '%s' already exists", ResponseFactory::CONFLICT],
+            1021 => ["Password too short (<%d characters)", ResponseFactory::UNPROCESSABLE_ENTITY],
         ];
 
         public function __construct(int $code)
diff --git a/src/Tqdev/PhpCrudApi/Middleware/DbAuthMiddleware.php b/src/Tqdev/PhpCrudApi/Middleware/DbAuthMiddleware.php
@@ -52,6 +52,7 @@ public function process(ServerRequestInterface $request, RequestHandlerInterface
             $usernameColumnName = $this->getProperty('usernameColumn', 'username');
             $usernameColumn = $table->getColumn($usernameColumnName);
             $passwordColumnName = $this->getProperty('passwordColumn', 'password');
+            $passwordLength = $this->getProperty('passwordLength', '12');
             $pkName = $table->getPk()->getName();
             $registerUser = $this->getProperty('registerUser', '');
             $condition = new ColumnCondition($usernameColumn, 'eq', $username);
@@ -68,6 +69,9 @@ public function process(ServerRequestInterface $request, RequestHandlerInterface
                 if (!$registerUser) {
                     return $this->responder->error(ErrorCode::AUTHENTICATION_FAILED, $username);
                 }
+                if (strlen($password) < $passwordLength) {
+                    return $this->responder->error(ErrorCode::PASSWORD_TOO_SHORT, $passwordLength);
+                }
                 $users = $this->db->selectAll($table, $columnNames, $condition, $columnOrdering, 0, 1);
                 if (!empty($users)) {
                     return $this->responder->error(ErrorCode::USER_ALREADY_EXIST, $username);
@@ -102,6 +106,9 @@ public function process(ServerRequestInterface $request, RequestHandlerInterface
                 if ($username != ($_SESSION['user'][$usernameColumnName] ?? '')) {
                     return $this->responder->error(ErrorCode::AUTHENTICATION_FAILED, $username);
                 }
+                if (strlen($newPassword) < $passwordLength) {
+                    return $this->responder->error(ErrorCode::PASSWORD_TOO_SHORT, $passwordLength);
+                }
                 $users = $this->db->selectAll($table, $columnNames, $condition, $columnOrdering, 0, 1);
                 foreach ($users as $user) {
                     if (password_verify($password, $user[$passwordColumnName]) == 1) {
diff --git a/src/Tqdev/PhpCrudApi/Record/ErrorCode.php b/src/Tqdev/PhpCrudApi/Record/ErrorCode.php
@@ -32,6 +32,7 @@ class ErrorCode
     const ONLY_AJAX_REQUESTS_ALLOWED = 1018;
     const PAGINATION_FORBIDDEN = 1019;
     const USER_ALREADY_EXIST = 1020;
+    const PASSWORD_TOO_SHORT = 1021;
 
     private $values = [
         9999 => ["%s", ResponseFactory::INTERNAL_SERVER_ERROR],
@@ -56,6 +57,7 @@ class ErrorCode
         1018 => ["Only AJAX requests allowed for '%s'", ResponseFactory::FORBIDDEN],
         1019 => ["Pagination forbidden", ResponseFactory::FORBIDDEN],
         1020 => ["User '%s' already exists", ResponseFactory::CONFLICT],
+        1021 => ["Password too short (<%d characters)", ResponseFactory::UNPROCESSABLE_ENTITY],
     ];
 
     public function __construct(int $code)
diff --git a/tests/config/base.php b/tests/config/base.php
@@ -8,6 +8,7 @@
     'dbAuth.mode' => 'optional',
     'dbAuth.returnedColumns' => 'id,username,password',
     'dbAuth.registerUser' => '1',
+    'dbAuth.passwordLength' => '4',
     'jwtAuth.mode' => 'optional',
     'jwtAuth.time' => '1538207605',
     'jwtAuth.secrets' => 'axpIrCGNGqxzx2R9dtXLIPUSqPo778uhb8CA0F4Hx',
diff --git a/tests/functional/002_auth/003_db_auth.log b/tests/functional/002_auth/003_db_auth.log
@@ -80,6 +80,17 @@ Content-Length: 49
 POST /register
 Content-Type: application/json; charset=utf-8
 
+{"username":"user2","password":""}
+===
+422
+Content-Type: application/json; charset=utf-8
+Content-Length: 60
+
+{"code":1021,"message":"Password too short (<4 characters)"}
+===
+POST /register
+Content-Type: application/json; charset=utf-8
+
 {"username":"user2","password":"pass2"}
 ===
 409
