Consider more user inputs when calculating zxcvbn score (#11180)

* Consider more user inputs when calculating zxcvbn score

* MatrixClientPeg.getHomeserverName may throw
This commit is contained in:
Michael Telatynski 2023-07-05 10:36:30 +01:00 committed by GitHub
parent 90e65e8490
commit 4044c2aa66
3 changed files with 22 additions and 6 deletions


@ -18,6 +18,7 @@ import zxcvbn, { ZXCVBNFeedbackWarning } from "zxcvbn";
import { MatrixClient } from "matrix-js-sdk/src/matrix";
import { _t, _td } from "../languageHandler";
import { MatrixClientPeg } from "../MatrixClientPeg";
const ZXCVBN_USER_INPUTS = ["riot", "matrix"];
@ -59,20 +60,32 @@ _td("Short keyboard patterns are easy to guess");
*
* @param {string} password Password to score
* @param matrixClient the client of the logged in user, if any
* @param userInputs additional strings such as the user's name which should be considered a bad password component
* @returns {object} Score result with `score` and `feedback` properties
*/
export function scorePassword(matrixClient: MatrixClient | null, password: string): zxcvbn.ZXCVBNResult | null {
export function scorePassword(
matrixClient: MatrixClient | null,
password: string,
userInputs: string[] = [],
): zxcvbn.ZXCVBNResult | null {
if (password.length === 0) return null;
const userInputs = ZXCVBN_USER_INPUTS.slice();
const inputs = [...userInputs, ...ZXCVBN_USER_INPUTS];
if (matrixClient) {
userInputs.push(matrixClient.getUserIdLocalpart()!);
inputs.push(matrixClient.getUserIdLocalpart()!);
}
let zxcvbnResult = zxcvbn(password, userInputs);
try {
const domain = MatrixClientPeg.getHomeserverName();
inputs.push(domain);
} catch {
// This is fine
}
let zxcvbnResult = zxcvbn(password, inputs);
// Work around https://github.com/dropbox/zxcvbn/issues/216
if (password.includes(" ")) {
const resultNoSpaces = zxcvbn(password.replace(/ /g, ""), userInputs);
const resultNoSpaces = zxcvbn(password.replace(/ /g, ""), inputs);
if (resultNoSpaces.score < zxcvbnResult.score) zxcvbnResult = resultNoSpaces;
}
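Review bot: The homeserver name is taken from the global `MatrixClientPeg` rather than from the `matrixClient` argument that the JSDoc describes as "the client of the logged in user", so a caller that passes an explicit client (or `null` during registration against a chosen server) is scored against whichever client the peg currently holds, and the try/catch only papers over the case where no peg is configured yet. I would at least document the intent on the catch, e.g. `// No client configured yet (e.g. registration flow): skip the homeserver hint`, and consider deriving the domain from `matrixClient` when one is given, since that is the client whose account the password protects. Separately, pushing the bare domain means only the exact string (e.g. `example.org`) is penalised; zxcvbn's user-input dictionary matches whole tokens, so a password built from just the label (`example`) scores as if the hint were absent — `inputs.push(domain, ...domain.split("."));` would close that gap. The `!` on `getUserIdLocalpart()` was already present before this change, but it still turns a logged-out client into a `null` entry in `inputs`; filtering falsy values before calling zxcvbn would be cheap. `scorePassword` continues past the end of this hunk.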