Merge pull request #845 from mintunitish/develop

kjetilk · web-flow · commit e35abfb04b71 · 2018-10-10T14:24:05.000+02:00
Password Validator
diff --git a/default-views/account/register-form.hbs b/default-views/account/register-form.hbs
@@ -2,7 +2,7 @@
   <div class="col-md-6">
     <div class="panel panel-default">
       <div class="panel-body">
-        <form method="post" action="/api/accounts/new">
+        <form method="post" action="/api/accounts/new" onsubmit="return validatePasswordBeforeSubmit(e)">
           {{> shared/error}}
 
           <div class="form-group">
@@ -19,6 +19,7 @@
                 <input type="checkbox" id="showPassword"/> Show Password
               </label>
             </div>
+            <span id="passwordHelp" class="text-danger"></span>
           </div>
 
           <div class="form-group">
@@ -66,6 +67,11 @@
 </div>
 
 
+<script src="https://raw.githubusercontent.com/nowsecure/owasp-password-strength-test/master/owasp-password-strength-test.js"
+        defer></script>
+<script>
+    
+</script>
 <script>
   (function () {
     'use strict'
@@ -75,4 +81,53 @@
       password.type = password.type === 'password' ? 'text' : 'password'
     })
   })()
+
+  function validatePasswordBeforeSubmit (e) {
+        e.preventDefault();
+        const pwdErrorDiv = document.getElementById('passwordHelp');
+        let pw = document.getElementById('password').value;
+        let owaspCheck = owaspPasswordStrengthTest.test(pw)
+        if (owaspCheck.strong === true) {
+            pwdErrorDiv.innerText = '';
+            sha1(pw).then((digest) => {
+              const preFix = digest.slice(0, 5);
+              const url = 'https://api.pwnedpasswords.com/range/';
+              fetch(url+preFix).then(
+                response => response.text()
+              ).then(
+                data => {
+                  if (data.indexOf(digest) !== -1) {
+                      pwdErrorDiv.innerText = 'This password was exposed in a data breach. Please use a more secure alternative one!';
+                      return false;
+                  }
+                }
+              )
+            });
+        }
+        else {
+            pwdErrorDiv.innerText = owaspCheck.requiredTestErrors[0]
+            return false;
+        }
+        return true;
+    }
+
+    function sha1(str) {
+        let buffer = new TextEncoder("utf-8").encode(str);
+        return crypto.subtle.digest("SHA-1", buffer).then(function (hash) {
+            return hex(hash);
+        });
+    }
+
+    function hex(buffer) {
+        let hexCodes = [];
+        let view = new DataView(buffer);
+        for (let i = 0; i < view.byteLength; i += 4) {
+            let value = view.getUint32(i);
+            let stringValue = value.toString(16);
+            const padding = '00000000';
+            let paddedValue = (padding + stringValue).slice(-padding.length);
+            hexCodes.push(paddedValue);
+        }
+        return hexCodes.join("");
+    }
 </script>
