From c636f890b5a6c97c872cec3583620e93395d4c31 Mon Sep 17 00:00:00 2001
From: Travis Ralston
Date: Mon, 6 May 2019 09:55:27 -0600
Subject: [PATCH 1/2] Add configuration flag to disable minimum password requirements
The configuration flag is intentionally long and annoying - the vast majority of people should not need this. The flag is intended to be used in development environments where accounts are often registered with no intention of them sticking around.
---
 src/components/views/auth/RegistrationForm.js | 16 ++++++++++++++--
 src/i18n/strings/en_EN.json | 1 +
 2 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/src/components/views/auth/RegistrationForm.js b/src/components/views/auth/RegistrationForm.js
index 6e55581af0..eb77e125af 100644
--- a/src/components/views/auth/RegistrationForm.js
+++ b/src/components/views/auth/RegistrationForm.js
@@ -76,6 +76,7 @@ module.exports = React.createClass({
 password: "",
 passwordConfirm: "",
 passwordComplexity: null,
+ passwordUnsafe: false,
 };
 },
@@ -270,12 +271,23 @@ module.exports = React.createClass({
 }
 const { scorePassword } = await import('../../../utils/PasswordScorer');
 const complexity = scorePassword(value);
+ const unsafe = complexity.score < PASSWORD_MIN_SCORE;
+ const allowUnsafe = SdkConfig.get()["dangerously_allow_unsafe_and_insecure_passwords"];
 this.setState({
 passwordComplexity: complexity,
+ passwordUnsafe: unsafe,
 });
- return complexity.score >= PASSWORD_MIN_SCORE;
+ return allowUnsafe || !unsafe;
+ },
+ valid: function() {
+ // Unsafe passwords that are valid are only possible through a
+ // configuration flag. We'll print some helper text to signal
+ // to the user that their password is allowed, but unsafe.
+ if (this.state.passwordUnsafe) {
+ return _t("Password is allowed, but unsafe");
+ }
+ return _t("Nice, strong password!");
 },
- valid: () => _t("Nice, strong password!"),
 invalid: function() {
 const complexity = this.state.passwordComplexity;
 if (!complexity) {
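Review bot: In the `@@ -270,12 +271,23 @@` hunk, `allowUnsafe` is used for its truthiness straight out of `SdkConfig.get()[...]`, so any truthy config value, including the string `"false"`, switches off the minimum-score check. For a flag that weakens password policy the comparison should be strict: `const allowUnsafe = SdkConfig.get()["dangerously_allow_unsafe_and_insecure_passwords"] === true;`. The same line is carried unchanged into the `@@ -271,19 +271,19 @@` hunk of patch 2/2. A one-line comment above it saying the flag is for development deployments and bypasses `PASSWORD_MIN_SCORE` would keep the commit message's intent in the code; whether the homeserver enforces its own password policy is not visible from this client-side check. The enclosing validation rule starts above the hunk.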
diff --git a/src/i18n/strings/en_EN.json b/src/i18n/strings/en_EN.json
index eaea057b36..273ca8a571 100644
--- a/src/i18n/strings/en_EN.json
+++ b/src/i18n/strings/en_EN.json
@@ -1327,6 +1327,7 @@
 "Enter email address (required on this homeserver)": "Enter email address (required on this homeserver)",
 "Doesn't look like a valid email address": "Doesn't look like a valid email address",
 "Enter password": "Enter password",
+ "Password is allowed, but unsafe": "Password is allowed, but unsafe",
 "Nice, strong password!": "Nice, strong password!",
 "Keep going...": "Keep going...",
 "Passwords don't match": "Passwords don't match",
From 4ffd826e76be3ee1bcd07aa010bc0f9f6c75b7c1 Mon Sep 17 00:00:00 2001
From: Travis Ralston
Date: Sun, 12 May 2019 22:53:06 -0600
Subject: [PATCH 2/2] Flip logic for unsafe->safe
---
 src/components/views/auth/RegistrationForm.js | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/components/views/auth/RegistrationForm.js b/src/components/views/auth/RegistrationForm.js
index eb77e125af..b4638bf8f4 100644
--- a/src/components/views/auth/RegistrationForm.js
+++ b/src/components/views/auth/RegistrationForm.js
@@ -76,7 +76,7 @@ module.exports = React.createClass({
 password: "",
 passwordConfirm: "",
 passwordComplexity: null,
- passwordUnsafe: false,
+ passwordSafe: false,
 };
 },
@@ -271,19 +271,19 @@ module.exports = React.createClass({
 }
 const { scorePassword } = await import('../../../utils/PasswordScorer');
 const complexity = scorePassword(value);
- const unsafe = complexity.score < PASSWORD_MIN_SCORE;
+ const safe = complexity.score >= PASSWORD_MIN_SCORE;
 const allowUnsafe = SdkConfig.get()["dangerously_allow_unsafe_and_insecure_passwords"];
 this.setState({
 passwordComplexity: complexity,
- passwordUnsafe: unsafe,
+ passwordSafe: safe,
 });
- return allowUnsafe || !unsafe;
+ return allowUnsafe || safe;
 },
 valid: function() {
 // Unsafe passwords that are valid are only possible through a
 // configuration flag. We'll print some helper text to signal
 // to the user that their password is allowed, but unsafe.
- if (this.state.passwordUnsafe) {
+ if (!this.state.passwordSafe) {
 return _t("Password is allowed, but unsafe");
 }
 return _t("Nice, strong password!");
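Review bot: The reason `passwordSafe` starts at `false` is not documented, and `valid()` in this hunk depends on it, because it picks its message from `this.state.passwordSafe`, which the test sets through `this.setState` just before returning. If that update has not been applied when `valid()` runs (the caller is outside the hunk, so this is inferred), the message comes from the earlier state; with the flipped default that gives "Password is allowed, but unsafe" instead of a false "Nice, strong password!", which is the safer direction. I would record that next to the initial state in the `@@ -76,7 +76,7 @@` hunk: `// Starts false so an unset or stale value reports "unsafe", never "strong".`. The test function and the rule object both begin outside the hunk.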