diff --git a/etc/config.sample.json b/etc/config.sample.json index f079e968..e98df39c 100644 --- a/etc/config.sample.json +++ b/etc/config.sample.json @@ -27,6 +27,20 @@ }, "server_update_job_token": null, "user_login_disabled": false, + "user_password_blacklist": [ + { + "password": "123456", + "reason": "This password is too simple and well known." + }, + { + "password": "correcthorsebatterystaple", + "reason": "This is a bad password because it's well known. Don't take advice from a web comic too seriously." + }, + { + "password": "password", + "reason": "This password is too simple and well known." + } + ], "user_password_pepper": "bnetdocs-INSERTRANDOMVALUEHERE", "user_register_disabled": false, "user_register_requirements": { diff --git a/src/controllers/User/ChangePassword.php b/src/controllers/User/ChangePassword.php index 8ea59872..2540d884 100644 --- a/src/controllers/User/ChangePassword.php +++ b/src/controllers/User/ChangePassword.php @@ -64,6 +64,14 @@ protected function tryChangePassword( $model->error = "PASSWORD_INCORRECT"; return; } + $blacklist = Common::$config->bnetdocs->user_password_blacklist; + foreach ($blacklist as $blacklist_pw) { + if (strtolower($blacklist_pw->password) == strtolower($pw2)) { + $model->error = "PASSWORD_BLACKLIST"; + $model->error_extra = $blacklist_pw->reason; + return; + } + } $old_password_hash = Authentication::$user->getPasswordHash(); $old_password_salt = Authentication::$user->getPasswordSalt(); try { diff --git a/src/controllers/User/Register.php b/src/controllers/User/Register.php index 0a7e44b8..817a6ebc 100644 --- a/src/controllers/User/Register.php +++ b/src/controllers/User/Register.php @@ -131,6 +131,14 @@ protected function tryRegister(Router &$router, UserRegisterModel &$model) { $model->error = "PASSWORD_TOO_SHORT"; return; } + $blacklist = Common::$config->bnetdocs->user_password_blacklist; + foreach ($blacklist as $blacklist_pw) { + if (strtolower($blacklist_pw->password) == strtolower($pw1)) { + $model->error = "PASSWORD_BLACKLIST"; + $model->error_extra = $blacklist_pw->reason; + return; + } + } if (Common::$config->bnetdocs->user_register_disabled) { $model->error = "REGISTER_DISABLED"; return; @@ -180,14 +188,15 @@ protected function tryRegister(Router &$router, UserRegisterModel &$model) { Logger::logEvent( EventTypes::USER_CREATED, $user_id, - getenv("REMOTE_ADDR"), + getenv('REMOTE_ADDR'), json_encode([ - "error" => $model->error, - "requirements" => $req, - "email" => $email, - "username" => $username, - "display_name" => null, - "options_bitmask" => 0, + 'error' => $model->error, + 'error_extra' => $model->error_extra, + 'requirements' => $req, + 'email' => $email, + 'username' => $username, + 'display_name' => null, + 'options_bitmask' => 0, ]) ); diff --git a/src/models/User/ChangePassword.php b/src/models/User/ChangePassword.php index 4698dbb8..0a9ce076 100644 --- a/src/models/User/ChangePassword.php +++ b/src/models/User/ChangePassword.php @@ -6,4 +6,9 @@ class ChangePassword extends Model { + public $csrf_id; + public $csrf_token; + public $error; + public $error_extra; + } diff --git a/src/models/User/Register.php b/src/models/User/Register.php index 1633e4e3..3b7413ed 100644 --- a/src/models/User/Register.php +++ b/src/models/User/Register.php @@ -6,7 +6,11 @@ class Register extends Model { + public $csrf_id; + public $csrf_token; public $email; + public $error; + public $error_extra; public $recaptcha; public $username; public $username_max_len; diff --git a/src/templates/User/ChangePassword.phtml b/src/templates/User/ChangePassword.phtml index eebfb1a2..bf3a2ddc 100644 --- a/src/templates/User/ChangePassword.phtml +++ b/src/templates/User/ChangePassword.phtml @@ -23,6 +23,10 @@ switch ($this->getContext()->error) { case "PASSWORD_INCORRECT": $message = "You did not enter your correct current password."; break; + case "PASSWORD_BLACKLIST": + $message = $this->getContext()->error_extra; + if (empty($message)) $message = "The new password is blacklisted."; + break; case "INTERNAL_ERROR": $message = "An internal error occurred while processing your request. " . "Our staff have been notified of the issue. Try again later."; diff --git a/src/templates/User/Register.phtml b/src/templates/User/Register.phtml index 8d049da6..55a90e75 100644 --- a/src/templates/User/Register.phtml +++ b/src/templates/User/Register.phtml @@ -61,6 +61,11 @@ switch ($this->getContext()->error) { $af = "pw1"; $message = "The password is too short, use a better password."; break; + case "PASSWORD_BLACKLIST": + $af = "pw1"; + $message = $this->getContext()->error_extra; + if (empty($message)) $message = "The password is blacklisted."; + break; case "REGISTER_DISABLED": $af = null; $message = "Creating accounts has been administratively disabled "