Added configuration for owasp. Synchronize client owap configs with the server configs.

wansco · wansco · commit d896d07d8ba0 · 2016-09-07T19:16:11.000-07:00
Also added a time indicator on failed login attempts to give the user feedback on subsequent failed login attempts.
diff --git a/config/env/development.js b/config/env/development.js
@@ -58,6 +58,13 @@ module.exports = {
     callbackURL: '/api/auth/paypal/callback',
     sandbox: true
   },
+  owasp: {
+    allowPassphrases: true,
+    maxLength: 128,
+    minLength: 4,
+    minPhraseLength: 20,
+    minOptionalTestsToPass: 2
+  },
   mailer: {
     from: process.env.MAILER_FROM || 'MAILER_FROM',
     options: {
diff --git a/config/env/production.js b/config/env/production.js
@@ -78,6 +78,13 @@ module.exports = {
     callbackURL: '/api/auth/paypal/callback',
     sandbox: false
   },
+  owasp: {
+      allowPassphrases       : true,
+      maxLength              : 128,
+      minLength              : 10,
+      minPhraseLength        : 20,
+      minOptionalTestsToPass : 4,
+  },
   mailer: {
     from: process.env.MAILER_FROM || 'MAILER_FROM',
     options: {
diff --git a/modules/users/client/services/password-validator.client.service.js b/modules/users/client/services/password-validator.client.service.js
@@ -6,11 +6,18 @@
     .module('users.services')
     .factory('PasswordValidator', PasswordValidator);
 
-  PasswordValidator.$inject = ['$window'];
+  PasswordValidator.$inject = ['$window', '$http'];
 
-  function PasswordValidator($window) {
+  function PasswordValidator($window, $http) {
     var owaspPasswordStrengthTest = $window.owaspPasswordStrengthTest;
 
+    // get the owasp config from the server configuration
+    $http.get('/password/rules').success(function (response) {
+      owaspPasswordStrengthTest.configs = response; // same owasp config used on the server
+    }).error(function (response) {
+      // well, it should fall back on the default owasp config defined in that package
+    });
+
     var service = {
       getResult: getResult,
       getPopoverMsg: getPopoverMsg
@@ -24,7 +31,7 @@
     }
 
     function getPopoverMsg() {
-      var popoverMsg = 'Please enter a passphrase or password with 10 or more characters, numbers, lowercase, uppercase, and special characters.';
+      var popoverMsg = 'Please enter a passphrase or password with ' + owaspPasswordStrengthTest.configs.minLength + ' or more characters, numbers, lowercase, uppercase, and special characters.';
 
       return popoverMsg;
     }
diff --git a/modules/users/server/config/strategies/local.js b/modules/users/server/config/strategies/local.js
@@ -22,7 +22,7 @@ module.exports = function () {
       }
       if (!user || !user.authenticate(password)) {
         return done(null, false, {
-          message: 'Invalid username or password'
+          message: 'Invalid username or password (' + (new Date()).toLocaleTimeString() + ')'
         });
       }
 
diff --git a/modules/users/server/controllers/users/users.password.server.controller.js b/modules/users/server/controllers/users/users.password.server.controller.js
@@ -14,6 +14,13 @@ var path = require('path'),
 
 var smtpTransport = nodemailer.createTransport(config.mailer.options);
 
+/**
+ * Get the server defined owasp config for the client
+ */
+exports.getowaspconfig = function (req, res) {
+  res.json(config.owasp);
+};
+
 /**
  * Forgot for reset password (forgot POST)
  */
diff --git a/modules/users/server/models/user.server.model.js b/modules/users/server/models/user.server.model.js
@@ -4,12 +4,18 @@
  * Module dependencies
  */
 var mongoose = require('mongoose'),
+  path = require('path'),
+  config = require(path.resolve('./config/config')),
   Schema = mongoose.Schema,
   crypto = require('crypto'),
   validator = require('validator'),
   generatePassword = require('generate-password'),
   owasp = require('owasp-password-strength-test');
 
+
+owasp.configs = config.owasp;
+
+
 /**
  * A Validation function for local strategy properties
  */
diff --git a/modules/users/server/routes/auth.server.routes.js b/modules/users/server/routes/auth.server.routes.js
@@ -54,4 +54,8 @@ module.exports = function (app) {
   // Setting the paypal oauth routes
   app.route('/api/auth/paypal').get(users.oauthCall('paypal'));
   app.route('/api/auth/paypal/callback').get(users.oauthCallback('paypal'));
+
+
+  // get the config settings for the client side owasp
+  app.route('/password/rules').get(users.getowaspconfig);
 };

Original file line number	Diff line number	Diff line change
`@@ -22,7 +22,7 @@ module.exports = function () {`
`22`	`22`	`}`
`23`	`23`	`if (!user \|\| !user.authenticate(password)) {`
`24`	`24`	`return done(null, false, {`
`25`		`- message: 'Invalid username or password'`
	`25`	`+ message: 'Invalid username or password (' + (new Date()).toLocaleTimeString() + ')'`
`26`	`26`	`});`
`27`	`27`	`}`
`28`	`28`