From 3ce8e656a857d22c114aa9b4a1091598d1c17257 Mon Sep 17 00:00:00 2001
From: Rodrigo Nascimento
Date: Thu, 6 Aug 2020 13:29:01 -0300
Subject: [PATCH] [FIX] Random generated password not matching the Password Policy (#18475)
---
 app/lib/server/functions/saveUser.js | 3 +--
 app/lib/server/lib/PasswordPolicyClass.js | 19 +++++++++++++++++++
 2 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/app/lib/server/functions/saveUser.js b/app/lib/server/functions/saveUser.js
index dbaef2ab13f0..ca88e82d45ef 100644
--- a/app/lib/server/functions/saveUser.js
+++ b/app/lib/server/functions/saveUser.js
@@ -3,7 +3,6 @@ import { Accounts } from 'meteor/accounts-base';
 import _ from 'underscore';
 import s from 'underscore.string';
 import { Gravatar } from 'meteor/jparker:gravatar';
-import { Random } from 'meteor/random';
 import * as Mailer from '../../../mailer';
 import { getRoles, hasPermission } from '../../../authorization';
@@ -238,7 +237,7 @@ export const saveUser = function(userId, userData) {
 if (userData.hasOwnProperty('setRandomPassword')) {
 if (userData.setRandomPassword) {
- userData.password = Random.id();
+ userData.password = passwordPolicy.generatePassword();
 userData.requirePasswordChange = true;
 sendPassword = true;
 }
diff --git a/app/lib/server/lib/PasswordPolicyClass.js b/app/lib/server/lib/PasswordPolicyClass.js
index 3aed85a656e3..883342d95210 100644
--- a/app/lib/server/lib/PasswordPolicyClass.js
+++ b/app/lib/server/lib/PasswordPolicyClass.js
@@ -1,4 +1,5 @@
 import { Meteor } from 'meteor/meteor';
+import { Random } from 'meteor/random';
 class PasswordPolicy {
 constructor({
@@ -123,6 +124,24 @@ class PasswordPolicy {
 }
 return data;
 }
+
+ generatePassword() {
+ if (this.enabled) {
+ for (let i = 0; i < 10; i++) {
+ const password = this._generatePassword();
+ if (this.validate(password)) {
+ return password;
+ }
+ }
+ }
+
+ return Random.id();
+ }
+
+ _generatePassword() {
+ const length = Math.min(Math.max(this.minLength, 12), this.maxLength > 0 ? this.maxLength : Number.MAX_SAFE_INTEGER);
+ return new Array(length).fill().map(() => String.fromCharCode(Math.random() * 86 + 40)).join('');
+ }
 }
 export default PasswordPolicy;
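Review bot: `_generatePassword()` draws every character from `Math.random()`, which is not a cryptographically secure generator, yet its output becomes the account password that `saveUser` sets and flags for sending (`sendPassword = true`). The `Random.id()` call it replaces comes from Meteor's `Random` package, which as far as I know is CSPRNG-backed on the server, so the policy-compliant path now has a weaker randomness source than the fallback. `Random` is already imported by this commit, so the mapper can become `() => String.fromCharCode(Random.fraction() * 86 + 40)`. Separately, when all ten attempts fail `validate()`, `generatePassword()` silently returns `Random.id()`, which may again violate the policy; a comment such as `// fallback may not satisfy the policy; user must change it on first login` plus a log line would make that case visible.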