PwnedPasswordValidator

8 years ago · 2940967eb5
6 changed files with 68 additions and 8 deletions
--- a/src/Squidex.Domain.Users/PwnedPasswordValidator.cs
+++ b/src/Squidex.Domain.Users/PwnedPasswordValidator.cs
@ -0,0 +1,55 @@
+// ==========================================================================
+//  Squidex Headless CMS
+// ==========================================================================
+//  Copyright (c) Squidex UG (haftungsbeschraenkt)
+//  All rights reserved. Licensed under the MIT license.
+// ==========================================================================
+
+using System;
+using System.Threading.Tasks;
+using Microsoft.AspNetCore.Identity;
+using SharpPwned.NET;
+using Squidex.Infrastructure;
+using Squidex.Infrastructure.Log;
+using Squidex.Shared.Users;
+
+namespace Squidex.Domain.Users
+{
+    public sealed class PwnedPasswordValidator : IPasswordValidator<IUser>
+    {
+        private const string ErrorCode = "PwnedError";
+        private const string ErrorText = "This password has previously appeared in a data breach and should never be used. If you've ever used it anywhere before, change it!";
+        private static readonly IdentityResult Error = IdentityResult.Failed(new IdentityError { Code = ErrorCode, Description = ErrorText });
+
+        private readonly HaveIBeenPwnedRestClient client = new HaveIBeenPwnedRestClient();
+        private readonly ISemanticLog log;
+
+        public PwnedPasswordValidator(ISemanticLog log)
+        {
+            Guard.NotNull(log, nameof(log));
+
+            this.log = log;
+        }
+
+        public async Task<IdentityResult> ValidateAsync(UserManager<IUser> manager, IUser user, string password)
+        {
+            try
+            {
+                var isBreached = await client.IsPasswordPwned(password);
+
+                if (isBreached)
+                {
+                    return Error;
+                }
+            }
+            catch (Exception ex)
+            {
+                log.LogError(ex, w => w
+                    .WriteProperty("operation", "CheckPasswordPwned")
+                    .WriteProperty("status", "Failed"));
+            }
+
+            return IdentityResult.Success;
+        }
+    }
+}
--- a/src/Squidex.Domain.Users/Squidex.Domain.Users.csproj
+++ b/src/Squidex.Domain.Users/Squidex.Domain.Users.csproj
@ -14,6 +14,7 @@
    <PackageReference Include="Microsoft.AspNetCore.Identity" Version="2.0.2" />
    <PackageReference Include="Microsoft.Win32.Registry" Version="4.4.0" />
    <PackageReference Include="RefactoringEssentials" Version="5.6.0" />
+    <PackageReference Include="SharpPwned.NET" Version="1.0.2" />
    <PackageReference Include="StyleCop.Analyzers" Version="1.0.2" />
    <PackageReference Include="System.Linq.Queryable" Version="4.3.0" />
    <PackageReference Include="System.Security.Principal.Windows" Version="4.4.1" />
--- a/src/Squidex/Areas/IdentityServer/Config/IdentityServerServices.cs
+++ b/src/Squidex/Areas/IdentityServer/Config/IdentityServerServices.cs
@ -57,6 +57,8 @@ namespace Squidex.Areas.IdentityServer.Config

            services.AddIdentity<IUser, IRole>()
                .AddDefaultTokenProviders();
+            services.AddSingleton<IPasswordValidator<IUser>,
+                PwnedPasswordValidator>();
            services.AddSingleton<IUserClaimsPrincipalFactory<IUser>,
                UserClaimsPrincipalFactoryWithEmail>();
            services.AddSingleton<IClientStore,
--- a/src/Squidex/app-config/karma.coverage.conf.js
+++ b/src/Squidex/app-config/karma.coverage.conf.js
@ -67,9 +67,9 @@ module.exports = function (config) {

        customLaunchers: {
            ChromeCustom: {
-              base: 'ChromeHeadless',
-              // We must disable the Chrome sandbox (Chrome's sandbox needs more permissions than Docker allows by default)
-              flags: ['--no-sandbox']
+			    base: 'ChromeHeadless',
+                // We must disable the Chrome sandbox (Chrome's sandbox needs more permissions than Docker allows by default)
+                flags: ['--no-sandbox']
            }
          },

--- a/src/Squidex/app-config/webpack.config.js
+++ b/src/Squidex/app-config/webpack.config.js
@ -47,7 +47,7 @@ module.exports = {
        rules: [{
            test: /\.mjs$/,
            type: "javascript/auto",
-            include: /node_modules/,
+            include: [/node_modules/],
          },{
            test: /\.ts$/,
            use: [{
@ -59,19 +59,19 @@ module.exports = {
            }, {
                loader: 'tslint-loader'
            }],
-            exclude: /node_modules/
+            exclude: [/node_modules/]
        }, {
            test: /\.ts$/,
            use: [{
                loader: 'awesome-typescript-loader'
            }],
-            include: /node_modules/
+            include: [/node_modules/]
        }, {
            test: /\.js\.flow$/,
            use: [{
                loader: 'ignore-loader'
            }],
-            include: /node_modules/
+            include: [/node_modules/]
        }, {
            test: /\.html$/,
            use: [{
--- a/src/Squidex/app-config/webpack.test.coverage.js
+++ b/src/Squidex/app-config/webpack.test.coverage.js
@ -30,7 +30,9 @@ module.exports = webpackMerge(testConfig, {
                loader: 'angular-router-loader'
            }, {
                loader: 'angular2-template-loader'
-            }],
+            }, {
+				loader: 'tslint-loader' 
+			}],
            exclude: [/\.(e2e|spec)\.ts$/]
        }]
    }