diff --git a/src/main/java/net/frozenorb/apiv3/route/emailTokens/POSTEmailTokensIdConfirm.java b/src/main/java/net/frozenorb/apiv3/route/emailTokens/POSTEmailTokensIdConfirm.java index 6871bd7..81630a6 100644 --- a/src/main/java/net/frozenorb/apiv3/route/emailTokens/POSTEmailTokensIdConfirm.java +++ b/src/main/java/net/frozenorb/apiv3/route/emailTokens/POSTEmailTokensIdConfirm.java @@ -9,6 +9,7 @@ import net.frozenorb.apiv3.auditLog.AuditLog; import net.frozenorb.apiv3.auditLog.AuditLogActionType; import net.frozenorb.apiv3.model.User; import net.frozenorb.apiv3.util.ErrorUtils; +import net.frozenorb.apiv3.util.PasswordUtils; import net.frozenorb.apiv3.util.SyncUtils; import java.util.concurrent.TimeUnit; @@ -43,8 +44,13 @@ public final class POSTEmailTokensIdConfirm implements Handler { JsonObject requestBody = ctx.getBodyAsJson(); String password = requestBody.getString("password"); - if (password.length() < 8) { - ErrorUtils.respondInvalidInput(ctx, "Your password is too short."); + if (PasswordUtils.isTooShort(password)) { + ErrorUtils.respondOther(ctx, 409, "Your password is too short.", "passwordTooShort", ImmutableMap.of()); + return; + } + + if (PasswordUtils.isTooSimple(password)) { + ErrorUtils.respondOther(ctx, 409, "Your password is too simple.", "passwordTooSimple", ImmutableMap.of()); return; } diff --git a/src/main/java/net/frozenorb/apiv3/route/users/POSTUsersIdChangePassword.java b/src/main/java/net/frozenorb/apiv3/route/users/POSTUsersIdChangePassword.java index 2c7aaf2..19fe184 100644 --- a/src/main/java/net/frozenorb/apiv3/route/users/POSTUsersIdChangePassword.java +++ b/src/main/java/net/frozenorb/apiv3/route/users/POSTUsersIdChangePassword.java @@ -11,6 +11,7 @@ import net.frozenorb.apiv3.model.User; import net.frozenorb.apiv3.unsorted.RequiresTotpResult; import net.frozenorb.apiv3.unsorted.TotpAuthorizationResult; import net.frozenorb.apiv3.util.ErrorUtils; +import net.frozenorb.apiv3.util.PasswordUtils; import net.frozenorb.apiv3.util.SyncUtils; import net.frozenorb.apiv3.util.UserSessionUtils; @@ -72,8 +73,13 @@ public final class POSTUsersIdChangePassword implements Handler String newPassword = requestBody.getString("newPassword"); - if (newPassword.length() < 8) { - ErrorUtils.respondInvalidInput(ctx, "Password is too short."); + if (PasswordUtils.isTooShort(newPassword)) { + ErrorUtils.respondOther(ctx, 409, "Your password is too short.", "passwordTooShort", ImmutableMap.of()); + return; + } + + if (PasswordUtils.isTooSimple(newPassword)) { + ErrorUtils.respondOther(ctx, 409, "Your password is too simple.", "passwordTooSimple", ImmutableMap.of()); return; } diff --git a/src/main/java/net/frozenorb/apiv3/util/PasswordUtils.java b/src/main/java/net/frozenorb/apiv3/util/PasswordUtils.java new file mode 100644 index 0000000..c21cdc8 --- /dev/null +++ b/src/main/java/net/frozenorb/apiv3/util/PasswordUtils.java @@ -0,0 +1,27 @@ +package net.frozenorb.apiv3.util; + +import com.google.common.collect.ImmutableList; +import lombok.experimental.UtilityClass; + +import java.util.List; + +@UtilityClass +public class PasswordUtils { + + private final List commonPasswords = ImmutableList.copyOf(("123456 password 12345678 qwerty 123456789 12345 1234 111111 1234567 dragon " + + "123123 baseball abc123 football monkey letmein 696969 shadow master 666666 qwertyuiop 123321 mustang 1234567890 " + + "michael 654321 pussy superman 1qaz2wsx 7777777 fuckyou 121212 000000 qazwsx 123qwe killer trustno1 jordan jennifer " + + "zxcvbnm asdfgh hunter buster soccer harley batman andrew tigger sunshine iloveyou fuckme 2000 charlie robert thomas " + + "hockey ranger daniel starwars klaster 112233 george asshole computer michelle jessica pepper 1111 zxcvbn 555555 11111111" + + " 131313 freedom 777777 pass fuck maggie 159753 aaaaaa ginger princess joshua cheese amanda summer love ashley 6969 " + + "nicole chelsea biteme matthew access yankees 987654321 dallas austin thunder taylor matrix").split(" ")); + + public static boolean isTooShort(String password) { + return password.length() < 8; + } + + public static boolean isTooSimple(String password) { + return commonPasswords.contains(password); + } + +} \ No newline at end of file