From 47d1765b125a1c1c692de457ef475479011ae2bd Mon Sep 17 00:00:00 2001 From: Philip Molares Date: Sun, 8 Jan 2023 20:45:07 +0100 Subject: [PATCH] refactor(backend): don't create local user if password is too weak This prevents the previous problem that the backend created a user that was then not correctly removed again Signed-off-by: Philip Molares
---
 backend/src/api/private/auth/auth.controller.ts | 1 +
 backend/src/identity/identity.service.ts | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/backend/src/api/private/auth/auth.controller.ts b/backend/src/api/private/auth/auth.controller.ts
index 6dbdb9ade..f3da2c92c 100644
--- a/backend/src/api/private/auth/auth.controller.ts
+++ b/backend/src/api/private/auth/auth.controller.ts
@@ -58,6 +58,7 @@ export class AuthController {
 @Req() request: RequestWithSession,
 @Body() registerDto: RegisterDto,
 ): Promise {
+ await this.identityService.checkPasswordStrength(registerDto.password);
 const user = await this.usersService.createUser(
 registerDto.username,
 registerDto.displayName,
diff --git a/backend/src/identity/identity.service.ts b/backend/src/identity/identity.service.ts
index 63c8bc0a2..83cb8595c 100644
--- a/backend/src/identity/identity.service.ts
+++ b/backend/src/identity/identity.service.ts
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2022 The HedgeDoc developers (see AUTHORS file)
+ * SPDX-FileCopyrightText: 2023 The HedgeDoc developers (see AUTHORS file)
 *
 * SPDX-License-Identifier: AGPL-3.0-only
 */
@@ -197,7 +197,7 @@ export class IdentityService {
 * @param {string} password - the password to check
 * @throws {PasswordTooWeakError} the password is too weak
 */
- private async checkPasswordStrength(password: string): Promise {
+ async checkPasswordStrength(password: string): Promise {
 const result = await zxcvbnAsync(password);
 if (result.score < this.authConfig.local.minimalPasswordStrength) {
 throw new PasswordTooWeakError();
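Review bot: The pre-check in the `auth.controller.ts` hunk closes only the weak-password path; the `createUser` call that follows is still a separate step from creating the local identity. The rest of the method is outside the hunk, but any other failure after `createUser` would presumably still leave a user record without credentials. Consider running both steps in one database transaction, or removing the user in a `catch` before rethrowing. If the identity-creation path still calls `checkPasswordStrength` itself, the password is scored twice per registration; a comment such as `// fail before any user row is written; identity creation re-checks` would record that this is intentional.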
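Review bot: `zxcvbnAsync(password)` in the `identity.service.ts` hunk scores the raw request value, and no length bound is visible here. With the method now public and called first in registration, every unauthenticated register request reaches the estimator before any other work is done. Estimation cost grows with input length, so cap it: either a maximum length on the password field of `RegisterDto` (not shown in this patch) or `zxcvbnAsync(password.slice(0, MAX_SCORED_LENGTH))`, where `MAX_SCORED_LENGTH` is a placeholder for a constant you define. The doc comment should also state that callers must `await` the returned promise, because an un-awaited call lets a weak password through. The method body continues past the end of the hunk.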