commit 484ec8e461ba32902c996b5ae0baa8a897ec3191
author Marc Kupietz <kupietz@ids-mannheim.de> Sat Feb 25 11:23:07 2023 +0100
committer Marc Kupietz <kupietz@ids-mannheim.de> Sat Feb 25 11:49:08 2023 +0100
tree 5cc49fe69e29b17926db82a7f3ad5cd6b0fdbcfe
parent 3186188af65d4ac07cff9fe3ec7f49463cdd6415

Add pwned validation for passwords

static/main.js

diff --git a/static/main.js b/static/main.js
index e69de29..e381ac6 100644
--- a/static/main.js
+++ b/static/main.js
@@ -0,0 +1,273 @@
+// Example starter JavaScript for disabling form submissions if there are invalid fields
+(function () {
+    'use strict';
+    window.addEventListener('load', function () {
+        // Fetch all the forms we want to apply custom Bootstrap validation styles to
+        var forms = document.getElementsByClassName('needs-validation');
+        // Loop over them and prevent submission
+        var validation = Array.prototype.filter.call(forms, function (form) {
+            form.addEventListener('submit', function (event) {
+                if (form.checkValidity() === false) {
+                    event.preventDefault();
+                    event.stopPropagation();
+                }
+                form.classList.add('was-validated');
+            }, false);
+        });
+    }, false);
+})();
+
+
+function check_password_match() {
+    pass = $("#pw1").val();
+    pass2 = $("#pw2").val();
+
+    if (pass2.length > 0) {
+        $("#pwconfirm")[0].classList.add('was-validated')
+        if (pass != pass2) {
+            $("#pw2")[0].setCustomValidity("Passwords do not match");
+        } else {
+            $("#pw2")[0].setCustomValidity(""); // is valid
+        }
+    } else {
+        $("#pwconfirm")[0].classList.remove('was-validated')
+    }
+    passUpdated();
+}
+
+TOO_SHORT = 'Password too short, still %% characters needed';
+TOO_LONG = 'Password too long, please remove %% characters';
+INVALID_CHARS = 'Password contains invalid characters';
+QUAL_NONE = 'Password is very weak'
+QUAL_LOW = 'Password is weak';
+QUAL_MEDIUM = 'Password is average'
+QUAL_GOOD = 'Password is good';
+QUAL_STRONG = 'Password is strong';
+REP_OK = 'Repetition ok';
+REP_NE = 'Passwords not identical';
+PWNED = 'Password found in public password list';
+
+String.prototype.strReverse = function () {
+    var newstring = '';
+    for (var s = 0; s < this.length; s++)
+        newstring = this.charAt(s) + newstring;
+    return newstring;
+};
+
+function isPasswordPwned(pass, callback) {
+    const sha1Hash = CryptoJS.enc.Hex.stringify(CryptoJS.SHA1(pass)).toUpperCase();
+    const passwordChunk1 = sha1Hash.substring(0, 5);
+    const passwordChunk2 = sha1Hash.substring(5);
+    $.get('https://api.pwnedpasswords.com/range/' + passwordChunk1).done(function (data, status) {
+        var isPwned = false;
+        if (status == "success") {
+            if (data && data.length) {
+                const chunks = data.split('\r\n');
+                const matches = chunks.filter(s => s.includes(passwordChunk2));
+
+                if (matches.length) {
+                    isPwned = true
+                }
+            }
+            callback(isPwned)
+        }
+    });
+}
+
+//var checkTimer;
+
+function passUpdated() {
+    var nScore = 0;
+    var message = '';
+
+    var pass = $('#pw1').val();
+    var pass2 = $('#pw2').val();
+
+    //clearTimeout(checkTimer);
+
+    try {
+        if (!pass)
+            throw '';
+
+        if (pass.match(/[^a-zA-Z0-9!@#$%()_+=:;",.?/-]/))
+            throw INVALID_CHARS;
+
+        var nLength = pass.length;
+        if (nLength < 8)
+            throw TOO_SHORT.replace('%%', 8 - nLength);
+        if (nLength > 20)
+            throw TOO_LONG.replace('%%', nLength - 20);
+
+        nScore = 4 * nLength;
+
+        // check for upper-/lowercase, numeric and special chars pattern matches
+        var nAlphaUC = 0, nAlphaLC = 0, nNumber = 0, nSpecial = 0;
+        var nMidChar = 0, nRepChar = 0, nRepInc = 0;
+        var nConsecAlphaUC = 0, nConsecAlphaLC = 0, nConsecNumber = 0;
+        var nTmpAlphaUC = '', nTmpAlphaLC = '', nTmpNumber = '';
+        for (var i = 0; i < nLength; i++) {
+            if (pass[i].match(/[A-Z]/g)) {   // uppercase characters
+                if (nTmpAlphaUC !== '' && (nTmpAlphaUC + 1) == i) {
+                    nConsecAlphaUC++;
+                }
+                nTmpAlphaUC = i;
+                nAlphaUC++;
+            } else if (pass[i].match(/[a-z]/g)) {   // lowercase characters
+                if (nTmpAlphaLC !== '' && (nTmpAlphaLC + 1) == i) {
+                    nConsecAlphaLC++;
+                }
+                nTmpAlphaLC = i;
+                nAlphaLC++;
+            } else if (pass[i].match(/[0-9]/g)) {   // numbers
+                if (i > 0 && i < (nLength - 1)) {
+                    nMidChar++;
+                }
+                if (nTmpNumber !== '' && (nTmpNumber + 1) == i) {
+                    nConsecNumber++;
+                }
+                nTmpNumber = i;
+                nNumber++;
+            } else {   // special characters
+                if (i > 0 && i < (nLength - 1)) {
+                    nMidChar++;
+                }
+                nSpecial++;
+            }
+
+            // check for repeated characters
+            var bCharExists = false;
+            for (var j = 0; j < nLength; j++) {
+                if (pass[i] == pass[j] && i != j) {
+                    bCharExists = true;
+                    nRepInc += Math.abs(nLength / (j - i));
+                }
+            }
+            if (bCharExists) {
+                nRepChar++;
+                var nUnqChar = nLength - nRepChar;
+                nRepInc = (nUnqChar) ? Math.ceil(nRepInc / nUnqChar) : Math.ceil(nRepInc);
+            }
+        }
+
+        // check for sequential alpha string patterns (forward and reverse)
+        var sAlphas = "abcdefghijklmnopqrstuvwxyz";
+        var nSeqAlpha = 0;
+        for (var i = 0; i < 23; i++) {
+            var sFwd = sAlphas.substring(i, i + 3);
+            var sRev = sFwd.strReverse();
+            if (pass.toLowerCase().indexOf(sFwd) != -1
+                || pass.toLowerCase().indexOf(sRev) != -1)
+                nSeqAlpha++;
+        }
+
+        // check for sequential numeric string patterns (forward and reverse)
+        var sNumerics = "01234567890";
+        var nSeqNumber = 0;
+        for (var i = 0; i < 8; i++) {
+            var sFwd = sNumerics.substring(i, i + 3);
+            var sRev = sFwd.strReverse();
+            if (pass.toLowerCase().indexOf(sFwd) != -1
+                || pass.toLowerCase().indexOf(sRev) != -1)
+                nSeqNumber++;
+        }
+
+        // general point assignment
+        if (nAlphaUC > 0 && nAlphaUC < nLength)   // uppercase characters
+            nScore += 2 * (nLength - nAlphaUC);
+        if (nAlphaLC > 0 && nAlphaLC < nLength)   // lowercase characters
+            nScore += 2 * (nLength - nAlphaLC);
+        if (nNumber > 0 && nNumber < nLength)   // numbers
+            nScore += 2 * nNumber;
+        if (nSpecial > 0)   // special characters
+            nScore += 4 * nSpecial;
+        if (nMidChar > 0)   // mid numbers/special characters
+            nScore += 2 * nMidChar;
+
+        // point deductions for poor practices
+        if ((nAlphaLC > 0 || nAlphaUC > 0)
+            && nSpecial === 0 && nNumber === 0)   // characters only
+            nScore -= nLength;
+        if (nAlphaLC === 0 && nAlphaUC === 0
+            && nSpecial === 0 && nNumber > 0)   // numbers only
+            nScore -= nLength;
+        if (nRepChar > 0)   // same character exists more than once
+            nScore -= nRepInc;
+        if (nConsecAlphaUC > 0)   // consecutive uppercase letters exist
+            nScore -= 2 * nConsecAlphaUC;
+        if (nConsecAlphaLC > 0)   // consecutive lowercase letters exist
+            nScore -= 2 * nConsecAlphaLC;
+        if (nConsecNumber > 0)   // consecutive numbers exist
+            nScore -= 2 * nConsecNumber;
+        if (nSeqAlpha > 0)   // sequential alpha strings exist (3 chars or more)
+            nScore -= 3 * nSeqAlpha;
+        if (nSeqNumber > 0)   // sequential numeric strings exist (3 chars or more)
+            nScore -= 3 * nSeqNumber;
+
+        // determine if mandatory requirements have been met
+        var arrChars = [nAlphaUC, nAlphaLC, nNumber, nSpecial];
+        var nReqChar = 0;
+        for (var i = 0; i < arrChars.length; i++) {
+            if (arrChars[i]) {
+                nReqChar++;
+            }
+        }
+        if (nReqChar >= arrChars.length)
+            nScore += 2 * nReqChar;
+        else if (nReqChar < arrChars.length - 1)
+            nScore -= 2 * nReqChar;
+
+        // limit points to 3..100
+        nScore = Math.max(3, Math.min(nScore, 100));
+
+        // set message according to points
+        if (nScore >= 80)
+            message = QUAL_STRONG;
+        else if (nScore >= 60)
+            message = QUAL_GOOD;
+        else if (nScore >= 40)
+            message = QUAL_MEDIUM;
+        else if (nScore >= 10)
+            message = QUAL_LOW;
+        else
+            message = QUAL_NONE;
+    } catch (error) {
+        nScore = 3;
+        message = error;
+    }
+    /*
+                if (pass.length > 0 && pass2.length > 0) {
+                    message+=' / ';
+                    message+=(pass == pass2) ? REP_OK : REP_NE;
+                }
+    */
+    $('#pwqinfo').val(message);
+
+    var progress = $('#pwqbar');
+    progress.width(nScore + '%');
+    progress.attr('aria-valuenow', nScore);
+    if (nScore >= 60)
+        progress.removeClass('bg-danger bg-warning').addClass('bg-success');
+    else if (nScore >= 40)
+        progress.removeClass('bg-danger bg-success').addClass('bg-warning');
+    else
+        progress.removeClass('bg-warning bg-success').addClass('bg-danger');
+
+    if (nScore >= 40) {
+        $("#password-div")[0].classList.add('was-validated');
+        $('#btn_change').prop('disabled', pass !== pass2);
+        $("#pw1")[0].setCustomValidity("");
+        isPasswordPwned(pass, function (isPwned) {
+            if (isPwned) {
+                $('#pwqinfo').val(PWNED);
+                progress.removeClass().addClass('low');
+                progress.val(3);
+                $("#pw1")[0].setCustomValidity("Password is pwned");
+            }
+        });
+    } else {
+        $("#password-div")[0].classList.add('was-validated');
+        $('#btn_change').prop('disabled', 1);
+        $("#pw1")[0].setCustomValidity("Password is to week");
+    }
+
+}