feat: add minimum password entropy requirements

kylecarbs · kylecarbs · commit 9d8aaea4254f · 2023-02-07T20:54:06.000Z
diff --git a/cli/login.go b/cli/login.go
@@ -19,6 +19,7 @@ import (
 
 	"github.com/coder/coder/cli/cliflag"
 	"github.com/coder/coder/cli/cliui"
+	"github.com/coder/coder/coderd/userpassword"
 	"github.com/coder/coder/codersdk"
 )
 
@@ -152,16 +153,24 @@ func login() *cobra.Command {
 
 					for !matching {
 						password, err = cliui.Prompt(cmd, cliui.PromptOptions{
-							Text:     "Enter a " + cliui.Styles.Field.Render("password") + ":",
-							Secret:   true,
-							Validate: cliui.ValidateNotEmpty,
+							Text:   "Enter a " + cliui.Styles.Field.Render("password") + ":",
+							Secret: true,
+							Validate: func(s string) error {
+								return userpassword.Validate(s)
+							},
 						})
 						if err != nil {
 							return xerrors.Errorf("specify password prompt: %w", err)
 						}
 						confirm, err := cliui.Prompt(cmd, cliui.PromptOptions{
 							Text:   "Confirm " + cliui.Styles.Field.Render("password") + ":",
 							Secret: true,
+							Validate: func(s string) error {
+								if s != password {
+									return xerrors.New("Passwords do not match")
+								}
+								return nil
+							},
 						})
 						if err != nil {
 							return xerrors.Errorf("confirm password prompt: %w", err)
diff --git a/coderd/userpassword/userpassword.go b/coderd/userpassword/userpassword.go
@@ -10,6 +10,7 @@ import (
 	"strconv"
 	"strings"
 
+	passwordvalidator "github.com/wagslane/go-password-validator"
 	"golang.org/x/crypto/pbkdf2"
 	"golang.org/x/exp/slices"
 	"golang.org/x/xerrors"
@@ -125,15 +126,11 @@ func hashWithSaltAndIter(password string, salt []byte, iter int) string {
 // Validate checks that the plain text password meets the minimum password requirements.
 // It returns properly formatted errors for detailed form validation on the client.
 func Validate(password string) error {
-	const (
-		minLength = 8
-		maxLength = 64
-	)
-	if len(password) < minLength {
-		return xerrors.Errorf("Password must be at least %d characters.", minLength)
-	}
-	if len(password) > maxLength {
-		return xerrors.Errorf("Password must be no more than %d characters.", maxLength)
+	// Ensure passwords are secure enough!
+	// See: https://github.com/wagslane/go-password-validator#what-entropy-value-should-i-use
+	err := passwordvalidator.Validate(password, 52)
+	if err != nil {
+		return err
 	}
 	return nil
 }
diff --git a/coderd/users.go b/coderd/users.go
@@ -105,6 +105,18 @@ func (api *API) postFirstUser(rw http.ResponseWriter, r *http.Request) {
 		}
 	}
 
+	err = userpassword.Validate(createUser.Password)
+	if err != nil {
+		httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
+			Message: "Password not strong enough!",
+			Validations: []codersdk.ValidationError{{
+				Field:  "password",
+				Detail: err.Error(),
+			}},
+		})
+		return
+	}
+
 	user, organizationID, err := api.CreateUser(ctx, api.Database, CreateUserRequest{
 		CreateUserRequest: codersdk.CreateUserRequest{
 			Email:    createUser.Email,
@@ -316,6 +328,18 @@ func (api *API) postUser(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	err = userpassword.Validate(req.Password)
+	if err != nil {
+		httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
+			Message: "Password not strong enough!",
+			Validations: []codersdk.ValidationError{{
+				Field:  "password",
+				Detail: err.Error(),
+			}},
+		})
+		return
+	}
+
 	user, _, err := api.CreateUser(ctx, api.Database, CreateUserRequest{
 		CreateUserRequest: req,
 		LoginType:         database.LoginTypePassword,
diff --git a/go.mod b/go.mod
@@ -190,6 +190,7 @@ require (
 	github.com/vmihailenco/msgpack v4.0.4+incompatible // indirect
 	github.com/vmihailenco/msgpack/v4 v4.3.12 // indirect
 	github.com/vmihailenco/tagparser v0.1.1 // indirect
+	github.com/wagslane/go-password-validator v0.3.0 // indirect
 )
 
 require (
diff --git a/go.sum b/go.sum
@@ -1863,6 +1863,8 @@ github.com/vmihailenco/msgpack/v4 v4.3.12 h1:07s4sz9IReOgdikxLTKNbBdqDMLsjPKXwvC
 github.com/vmihailenco/msgpack/v4 v4.3.12/go.mod h1:gborTTJjAo/GWTqqRjrLCn9pgNN+NXzzngzBKDPIqw4=
 github.com/vmihailenco/tagparser v0.1.1 h1:quXMXlA39OCbd2wAdTsGDlK9RkOk6Wuw+x37wVyIuWY=
 github.com/vmihailenco/tagparser v0.1.1/go.mod h1:OeAg3pn3UbLjkWt+rN9oFYB6u/cQgqMEUPoW2WPyhdI=
+github.com/wagslane/go-password-validator v0.3.0 h1:vfxOPzGHkz5S146HDpavl0cw1DSVP061Ry2PX0/ON6I=
+github.com/wagslane/go-password-validator v0.3.0/go.mod h1:TI1XJ6T5fRdRnHqHt14pvy1tNVnrwe7m3/f1f2fDphQ=
 github.com/willf/bitset v1.1.11-0.20200630133818-d5bec3311243/go.mod h1:RjeCKbqT1RxIR/KWY6phxZiaY1IyutSBfGjNPySAYV4=
 github.com/willf/bitset v1.1.11/go.mod h1:83CECat5yLh5zVOf4P1ErAgKA5UDvKtgyUABdr3+MjI=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
diff --git a/site/src/api/api.ts b/site/src/api/api.ts
@@ -644,8 +644,22 @@ export const putWorkspaceExtension = async (
 }
 
 export const getEntitlements = async (): Promise<TypesGen.Entitlements> => {
-  const response = await axios.get("/api/v2/entitlements")
-  return response.data
+  try {
+    const response = await axios.get("/api/v2/entitlements")
+    return response.data
+  } catch (ex) {
+    if (axios.isAxiosError(ex) && ex.response?.status === 404) {
+      return {
+        errors: [],
+        experimental: false,
+        features: withDefaultFeatures({}),
+        has_license: false,
+        trial: false,
+        warnings: [],
+      }
+    }
+    throw ex
+  }
 }
 
 export const getExperiments = async (): Promise<TypesGen.Experiment[]> => {
@@ -777,8 +791,20 @@ export const getFile = async (fileId: string): Promise<ArrayBuffer> => {
 }
 
 export const getAppearance = async (): Promise<TypesGen.AppearanceConfig> => {
-  const response = await axios.get(`/api/v2/appearance`)
-  return response.data
+  try {
+    const response = await axios.get(`/api/v2/appearance`)
+    return response.data || {}
+  } catch (ex) {
+    if (axios.isAxiosError(ex) && ex.response?.status === 404) {
+      return {
+        logo_url: "",
+        service_banner: {
+          enabled: false,
+        },
+      }
+    }
+    throw ex
+  }
 }
 
 export const updateAppearance = async (

Original file line number	Diff line number	Diff line change
`@@ -190,6 +190,7 @@ require (`
`190`	`190`	`github.com/vmihailenco/msgpack v4.0.4+incompatible // indirect`
`191`	`191`	`github.com/vmihailenco/msgpack/v4 v4.3.12 // indirect`
`192`	`192`	`github.com/vmihailenco/tagparser v0.1.1 // indirect`
	`193`	`+ github.com/wagslane/go-password-validator v0.3.0 // indirect`
`193`	`194`	`)`
`194`	`195`
`195`	`196`	`require (`