mirror of
https://github.com/overleaf/overleaf.git
synced 2024-11-29 13:03:42 -05:00
Merge pull request #17409 from overleaf/jpa-check-before-hibp
[web] check user password before HIBP check GitOrigin-RevId: 7c1bdc220fb9369733a1ff3bf26bed8cacc8e8d4
This commit is contained in:
parent
84a2b25a3c
commit
9daacea6cb
3 changed files with 93 additions and 95 deletions
|
@ -60,19 +60,6 @@ function _metricsForSuccessfulPasswordMatch(password) {
|
|||
|
||||
const AuthenticationManager = {
|
||||
_checkUserPassword(query, password, callback) {
|
||||
HaveIBeenPwned.checkPasswordForReuse(password, (err, isPasswordReused) => {
|
||||
if (err) {
|
||||
logger.err({ err }, 'cannot check password for re-use')
|
||||
}
|
||||
if (isPasswordReused) return callback(new PasswordReusedError())
|
||||
AuthenticationManager._checkUserPasswordWithOutHIBPCheck(
|
||||
query,
|
||||
password,
|
||||
callback
|
||||
)
|
||||
})
|
||||
},
|
||||
_checkUserPasswordWithOutHIBPCheck(query, password, callback) {
|
||||
// Using Mongoose for legacy reasons here. The returned User instance
|
||||
// gets serialized into the session and there may be subtle differences
|
||||
// between the user returned by Mongoose vs mongodb (such as default values)
|
||||
|
@ -132,18 +119,10 @@ const AuthenticationManager = {
|
|||
},
|
||||
|
||||
authenticate(query, password, auditLog, { skipHIBPCheck = false }, callback) {
|
||||
const checkUserPassword = callback => {
|
||||
if (skipHIBPCheck) {
|
||||
AuthenticationManager._checkUserPasswordWithOutHIBPCheck(
|
||||
AuthenticationManager._checkUserPassword(
|
||||
query,
|
||||
password,
|
||||
callback
|
||||
)
|
||||
} else {
|
||||
AuthenticationManager._checkUserPassword(query, password, callback)
|
||||
}
|
||||
}
|
||||
checkUserPassword((error, user, match) => {
|
||||
(error, user, match) => {
|
||||
if (error) {
|
||||
return callback(error)
|
||||
}
|
||||
|
@ -195,12 +174,29 @@ const AuthenticationManager = {
|
|||
if (err) {
|
||||
return callback(err)
|
||||
}
|
||||
if (skipHIBPCheck) {
|
||||
callback(null, user)
|
||||
HaveIBeenPwned.checkPasswordForReuseInBackground(password)
|
||||
return
|
||||
}
|
||||
HaveIBeenPwned.checkPasswordForReuse(
|
||||
password,
|
||||
(err, isPasswordReused) => {
|
||||
if (err) {
|
||||
logger.err({ err }, 'cannot check password for re-use')
|
||||
}
|
||||
if (isPasswordReused) {
|
||||
return callback(new PasswordReusedError())
|
||||
}
|
||||
callback(null, user)
|
||||
}
|
||||
)
|
||||
}
|
||||
)
|
||||
})
|
||||
}
|
||||
)
|
||||
}
|
||||
)
|
||||
},
|
||||
|
||||
validateEmail(email) {
|
||||
|
@ -348,7 +344,7 @@ const AuthenticationManager = {
|
|||
}
|
||||
// check if we can log in with this password. In which case we should reject it,
|
||||
// because it is the same as the existing password.
|
||||
AuthenticationManager._checkUserPasswordWithOutHIBPCheck(
|
||||
AuthenticationManager._checkUserPassword(
|
||||
{ _id: user._id },
|
||||
password,
|
||||
(err, _user, match) => {
|
||||
|
|
|
@ -1280,7 +1280,7 @@
|
|||
"password_change_password_must_be_different": "The password you entered is the same as your current password. Please try a different password.",
|
||||
"password_change_passwords_do_not_match": "Passwords do not match",
|
||||
"password_change_successful": "Password changed",
|
||||
"password_compromised_try_again_or_use_known_device_or_reset": "The password you’ve entered is on a <0>public list of compromised passwords</0>. Please check it’s correct and try again. Alternatively, try logging in from a device you’ve previously used or <1>reset your password</1>",
|
||||
"password_compromised_try_again_or_use_known_device_or_reset": "The password you’ve entered is on a <0>public list of compromised passwords</0>. Please try logging in from a device you’ve previously used or <1>reset your password</1>",
|
||||
"password_managed_externally": "Password settings are managed externally",
|
||||
"password_reset": "Password Reset",
|
||||
"password_reset_email_sent": "You have been sent an email to complete your password reset.",
|
||||
|
|
|
@ -85,11 +85,17 @@ describe('HaveIBeenPwnedApi', function () {
|
|||
beforeEach('login', async function () {
|
||||
try {
|
||||
await user.loginNoUpdate()
|
||||
} catch (e) {
|
||||
expect(e.message).to.include('password-compromised')
|
||||
return
|
||||
}
|
||||
expect.fail('should have failed login with weak password')
|
||||
} catch (err) {
|
||||
expect(err).to.match(/login failed: status=400/)
|
||||
expect(err.info.body).to.deep.equal({
|
||||
message: {
|
||||
type: 'error',
|
||||
key: 'password-compromised',
|
||||
text: `The password you’ve entered is on a public list of compromised passwords (https://haveibeenpwned.com). Please try logging in from a device you’ve previously used or reset your password (${Settings.siteUrl}/user/password/reset).`,
|
||||
},
|
||||
})
|
||||
}
|
||||
})
|
||||
it('should track the weak password', async function () {
|
||||
const after = await getMetricReUsed()
|
||||
|
@ -160,19 +166,15 @@ describe('HaveIBeenPwnedApi', function () {
|
|||
await user.loginWithEmailPassword(user.email, 'aLeakedPassword42')
|
||||
expect.fail('expected the login request to fail')
|
||||
} catch (err) {
|
||||
expect(err).to.match(/login failed: status=400/)
|
||||
expect(err).to.match(/login failed: status=401/)
|
||||
expect(err.info.body).to.deep.equal({
|
||||
message: {
|
||||
type: 'error',
|
||||
key: 'password-compromised',
|
||||
text: `The password you’ve entered is on a public list of compromised passwords (https://haveibeenpwned.com). Please check it’s correct and try again. Alternatively, try logging in from a device you’ve previously used or reset your password (${Settings.siteUrl}/user/password/reset).`,
|
||||
},
|
||||
message: { type: 'error', key: 'invalid-password-retry-or-reset' },
|
||||
})
|
||||
}
|
||||
})
|
||||
it('should increment the counter', async function () {
|
||||
it('should not increment the counter', async function () {
|
||||
expect(previous).to.deep.equal({
|
||||
reUsed: (await getMetricReUsed()) - 1,
|
||||
reUsed: await getMetricReUsed(),
|
||||
unique: await getMetricUnique(),
|
||||
failure: await getMetricFailure(),
|
||||
})
|
||||
|
|
Loading…
Reference in a new issue