From d896d07d8ba0b886bc420ab547940f69a3e9aa42 Mon Sep 17 00:00:00 2001
From: walter
Date: Wed, 7 Sep 2016 19:16:11 -0700
Subject: [PATCH] Added configuration for owasp. Synchronize client owap configs with the server configs. Also added a time indicator on failed login attempts to give the user feedback on subsequent failed login attempts.
---
 config/env/development.js | 7 +++++++
 config/env/production.js | 7 +++++++
 .../services/password-validator.client.service.js | 13 ++++++++++---
 modules/users/server/config/strategies/local.js | 2 +-
 .../users/users.password.server.controller.js | 7 +++++++
 modules/users/server/models/user.server.model.js | 6 ++++++
 modules/users/server/routes/auth.server.routes.js | 4 ++++
 7 files changed, 42 insertions(+), 4 deletions(-)
diff --git a/config/env/development.js b/config/env/development.js
index 74526e5335..c60bc87c76 100644
--- a/config/env/development.js
+++ b/config/env/development.js
@@ -58,6 +58,13 @@ module.exports = {
 callbackURL: '/api/auth/paypal/callback',
 sandbox: true
 },
+ owasp: {
+ allowPassphrases: true,
+ maxLength: 128,
+ minLength: 4,
+ minPhraseLength: 20,
+ minOptionalTestsToPass: 2
+ },
 mailer: {
 from: process.env.MAILER_FROM || 'MAILER_FROM',
 options: {
diff --git a/config/env/production.js b/config/env/production.js
index 3ad416ed2a..41ebd6ca11 100644
--- a/config/env/production.js
+++ b/config/env/production.js
@@ -78,6 +78,13 @@ module.exports = {
 callbackURL: '/api/auth/paypal/callback',
 sandbox: false
 },
+ owasp: {
+ allowPassphrases : true,
+ maxLength : 128,
+ minLength : 10,
+ minPhraseLength : 20,
+ minOptionalTestsToPass : 4,
+ },
 mailer: {
 from: process.env.MAILER_FROM || 'MAILER_FROM',
 options: {
diff --git a/modules/users/client/services/password-validator.client.service.js b/modules/users/client/services/password-validator.client.service.js
index d163558697..45697cd57c 100644
--- a/modules/users/client/services/password-validator.client.service.js
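Review bot: The development rules (`minLength: 4`, `minOptionalTestsToPass: 2`) are far weaker than production's (`10` and `4`), so a sign-up flow exercised locally will accept passwords that production rejects and the difference is easy to miss when reading only one env file; if the relaxation is intended, a comment above the development `owasp:` block such as `// relaxed for local testing; production.js holds the real rules` makes that explicit. The production hunk also formats the same keys differently from the development hunk and from the surrounding `sandbox: false` style (`allowPassphrases : true,` with a space before the colon, and a trailing comma after `minOptionalTestsToPass : 4,`); writing them as `minOptionalTestsToPass: 4` keeps the two env files diffable. Only these two env files gain an `owasp` block in this patch, so `config.owasp` is undefined in any other environment the project may have. Both hunks sit inside the `module.exports` object, which begins and ends outside them.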
+++ b/modules/users/client/services/password-validator.client.service.js
@@ -6,11 +6,18 @@
 .module('users.services')
 .factory('PasswordValidator', PasswordValidator);
- PasswordValidator.$inject = ['$window'];
+ PasswordValidator.$inject = ['$window', '$http'];
- function PasswordValidator($window) {
+ function PasswordValidator($window, $http) {
 var owaspPasswordStrengthTest = $window.owaspPasswordStrengthTest;
+ // get the owasp config from the server configuration
+ $http.get('/password/rules').success(function (response) {
+ owaspPasswordStrengthTest.configs = response; // same owasp config used on the server
+ }).error(function (response) {
+ // well, it should fall back on the default owasp config defined in that package
+ });
+
 var service = {
 getResult: getResult,
 getPopoverMsg: getPopoverMsg
@@ -24,7 +31,7 @@
 }
 function getPopoverMsg() {
- var popoverMsg = 'Please enter a passphrase or password with 10 or more characters, numbers, lowercase, uppercase, and special characters.';
+ var popoverMsg = 'Please enter a passphrase or password with ' + owaspPasswordStrengthTest.configs.minLength + ' or more characters, numbers, lowercase, uppercase, and special characters.';
 return popoverMsg;
 }
diff --git a/modules/users/server/config/strategies/local.js b/modules/users/server/config/strategies/local.js
index 9caa9091ff..a458e8d780 100644
--- a/modules/users/server/config/strategies/local.js
+++ b/modules/users/server/config/strategies/local.js
@@ -22,7 +22,7 @@ module.exports = function () {
 }
 if (!user || !user.authenticate(password)) {
 return done(null, false, {
- message: 'Invalid username or password'
+ message: 'Invalid username or password (' + (new Date()).toLocaleTimeString() + ')'
 });
 }
diff --git a/modules/users/server/controllers/users/users.password.server.controller.js b/modules/users/server/controllers/users/users.password.server.controller.js
index 06197fba73..1c96d274ce 100644
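Review bot: The `.error` callback on the `/password/rules` request is empty, so a failed fetch leaves no trace and the fallback described in its comment is never verified; at minimum log it, e.g. `console.error('Could not load password rules; using package defaults', response);`. The `.success` branch also assigns `owaspPasswordStrengthTest.configs = response` without checking the body, so an empty response (the server endpoint sends `config.owasp` unguarded) replaces the package defaults with `undefined`; guarding with `if (response && typeof response.minLength === 'number') { owaspPasswordStrengthTest.configs = response; }` keeps the fallback real. `.success`/`.error` are the legacy `$http` callbacks and were dropped in later Angular 1.x releases; `.then(function (res) { ... res.data ... }, function (err) { ... })` works across versions, which matters if the project's Angular version (not visible here) is ever bumped. `PasswordValidator`'s body continues past the end of the hunk.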
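Review bot: `getPopoverMsg` reads `owaspPasswordStrengthTest.configs.minLength` synchronously, but the configs are only swapped to the server's values when the `$http.get` in the first hunk resolves, so a popover built before the response arrives shows the package's own default rather than the server's rule, and it throws if `configs` is not defined on the loaded build of the package. Reading through a guard with the old literal as fallback, `var minLength = owaspPasswordStrengthTest.configs ? owaspPasswordStrengthTest.configs.minLength : 10;`, and interpolating `minLength` keeps the previous message in both cases. Separately, now that `minOptionalTestsToPass` is configurable (2 in development), the fixed text "numbers, lowercase, uppercase, and special characters" overstates what is required; a comment noting that the wording assumes all optional tests, or a message derived from the configured count, would keep it honest.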
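Review bot: `(new Date()).toLocaleTimeString()` runs on the server, so the time embedded in the failure message is in the server's locale and timezone rather than the user's, and the message text now differs on every call, which breaks any test or client code that matches the literal `'Invalid username or password'`. If the aim is to show the user that a repeated attempt was actually processed, carry the timestamp as its own field on the info object and leave the message fixed: `message: 'Invalid username or password', time: new Date().toISOString()`, with the client deciding how to display it. Keeping the same message for both the missing-user and wrong-password cases, as this line still does, is correct and should be preserved by any rewording. The strategy callback that contains this `return done(...)` begins and ends outside the hunk.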
--- a/modules/users/server/controllers/users/users.password.server.controller.js
+++ b/modules/users/server/controllers/users/users.password.server.controller.js
@@ -14,6 +14,13 @@ var path = require('path'),
 var smtpTransport = nodemailer.createTransport(config.mailer.options);
+/**
+ * Get the server defined owasp config for the client
+ */
+exports.getowaspconfig = function (req, res) {
+ res.json(config.owasp);
+};
+
 /**
 * Forgot for reset password (forgot POST)
 */
diff --git a/modules/users/server/models/user.server.model.js b/modules/users/server/models/user.server.model.js
index 0797faa404..f734244c6a 100644
--- a/modules/users/server/models/user.server.model.js
+++ b/modules/users/server/models/user.server.model.js
@@ -4,12 +4,18 @@
 * Module dependencies
 */
 var mongoose = require('mongoose'),
+ path = require('path'),
+ config = require(path.resolve('./config/config')),
 Schema = mongoose.Schema,
 crypto = require('crypto'),
 validator = require('validator'),
 generatePassword = require('generate-password'),
 owasp = require('owasp-password-strength-test');
+
+owasp.configs = config.owasp;
+
+
 /**
 * A Validation function for local strategy properties
 */
diff --git a/modules/users/server/routes/auth.server.routes.js b/modules/users/server/routes/auth.server.routes.js
index eb73b5eab0..4795a080e1 100644
--- a/modules/users/server/routes/auth.server.routes.js
+++ b/modules/users/server/routes/auth.server.routes.js
@@ -54,4 +54,8 @@ module.exports = function (app) {
 // Setting the paypal oauth routes
 app.route('/api/auth/paypal').get(users.oauthCall('paypal'));
 app.route('/api/auth/paypal/callback').get(users.oauthCallback('paypal'));
+
+
+ // get the config settings for the client side owasp
+ app.route('/password/rules').get(users.getowaspconfig);
 };
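Review bot: `res.json(config.owasp)` sends whatever the active environment file defines, and only development.js and production.js gain an `owasp` block in this patch, so in any other environment the endpoint answers with an empty body and the client then overwrites its package defaults with `undefined`; the model hunk below has the same gap, since `owasp.configs = config.owasp;` sets the server-side validator's configs to `undefined` at module load. A guard in the controller, `if (!config.owasp) { return res.status(404).end(); }` before the `res.json`, lets the client keep its defaults, and `if (config.owasp) { owasp.configs = config.owasp; }` in the model does the same for the server. The export name `getowaspconfig` breaks the camelCase used by the other handlers referenced in this patch (`oauthCall`, `oauthCallback`); `getOwaspConfig` would match, with the route updated to suit. The added trailing blank line after `};` doubles the existing blank before the next JSDoc block, and the model hunk leaves three consecutive blank lines around its assignment.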
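Review bot: `/password/rules` is the only route in this hunk outside the `/api/` prefix that the paypal routes just above it use, so any proxy, auth middleware or client base-URL that is scoped to `/api` (inferred from the visible routes, not confirmed here) will not cover it, and it is easy to mistake for a page route. `app.route('/api/auth/password/rules').get(users.getowaspconfig);` together with the matching path in the client service's `$http.get` keeps the convention. The two added blank lines before the comment should be one. The `module.exports` function that wraps these routes begins outside the hunk.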