Merge pull request hestiacp#1035 from hestiacp/fix/07-2020-enforce_password_rules

Enforce min password rules + show hint

Author: Kristan Kenney

web/add/db/index.php

@@ -42,8 +42,7 @@
 
     // Check password length
     if (empty($_SESSION['error_msg'])) {
-        $pw_len = strlen($_POST['v_password']);
-        if ($pw_len < 6 ) $_SESSION['error_msg'] = __('Password is too short.',$error_msg);
+        if (!preg_match('/^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)[a-zA-Z\d]{8,}$/', $_POST['v_password'])) { $_SESSION['error_msg'] = __('Password does not match the minimum requirements'); }
     }
 
     // Protect input

web/add/mail/index.php

@@ -96,6 +96,8 @@
         header('location: /login/');
         exit();
     }
+    
+    
 
     // Check empty fields
     if (empty($_POST['v_domain'])) $errors[] = __('domain');
@@ -118,6 +120,11 @@
             $_SESSION['error_msg'] = __('Please enter valid email address.');
         }
     }
+    
+    // Check password length
+    if (empty($_SESSION['error_msg']) && !empty($_POST['v_fwd_only']) ) {
+        if (!preg_match('/^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)[a-zA-Z\d]{8,}$/', $_POST['v_password'])) { $_SESSION['error_msg'] = __('Password does not match the minimum requirements'); }
+    }
 
     // Protect input
     $v_domain = escapeshellarg($_POST['v_domain']);

web/css/src/styles.css

@@ -3977,12 +3977,18 @@ form#vstobjects.suspended {
 meter {
   /* Reset the default appearance */
   -webkit-appearance: none;
-     -moz-appearance: none;
-          appearance: none;
+  -moz-appearance: none;
+  appearance: none;
   margin: 0 auto 1em;
-  width: 380px;
-  background-color: grey;
+  width: 373px;
+  background-color: #e7e7e7;
+  height: 3px;
+  border-bottom-left-radius: 5px;
+  border-bottom-right-radius: 5px;
+  margin-left: 3px;
+  box-shadow: 0px 1px 2px rgba(0,0,0,0.25);
 }
+
 meter[value="1"] { background: red; }
 meter[value="2"] { background: orange; }
 meter[value="3"] { background: yellow; }

web/css/styles.min.css

@@ -63,15 +63,19 @@
 
     // Change database password
     if ((!empty($_POST['v_password'])) && (empty($_SESSION['error_msg']))) {
-        $v_password = tempnam("/tmp","vst");
-        $fp = fopen($v_password, "w");
-        fwrite($fp, $_POST['v_password']."\n");
-        fclose($fp);
-        exec (HESTIA_CMD."v-change-database-password ".$v_username." ".escapeshellarg($v_database)." ".$v_password, $output, $return_var);
-        check_return_code($return_var,$output);
-        unset($output);
-        unlink($v_password);
-        $v_password = escapeshellarg($_POST['v_password']);
+        if (!preg_match('/^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)[a-zA-Z\d]{8,}$/', $_POST['v_password'])) { 
+            $_SESSION['error_msg'] = __('Password does not match the minimum requirements'); 
+        }else{ 
+            $v_password = tempnam("/tmp","vst");
+            $fp = fopen($v_password, "w");
+            fwrite($fp, $_POST['v_password']."\n");
+            fclose($fp);
+            exec (HESTIA_CMD."v-change-database-password ".$v_username." ".escapeshellarg($v_database)." ".$v_password, $output, $return_var);
+            check_return_code($return_var,$output);
+            unset($output);
+            unlink($v_password);
+            $v_password = escapeshellarg($_POST['v_password']);
+        }
     }
 
     // Set success message

web/edit/db/index.php

@@ -398,15 +398,19 @@
 
     // Change password
     if ((!empty($_POST['v_password'])) && (empty($_SESSION['error_msg']))) {
-        $v_password = tempnam("/tmp","vst");
-        $fp = fopen($v_password, "w");
-        fwrite($fp, $_POST['v_password']."\n");
-        fclose($fp);
-        exec (HESTIA_CMD."v-change-mail-account-password ".$v_username." ".escapeshellarg($v_domain)." ".escapeshellarg($v_account)." ".$v_password, $output, $return_var);
-        check_return_code($return_var,$output);
-        unset($output);
-        unlink($v_password);
-        $v_password = escapeshellarg($_POST['v_password']);;
+        if (!preg_match('/^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)[a-zA-Z\d]{8,}$/', $_POST['v_password'])) { 
+            $_SESSION['error_msg'] = __('Password does not match the minimum requirements'); 
+        }else{         
+            $v_password = tempnam("/tmp","vst");
+            $fp = fopen($v_password, "w");
+            fwrite($fp, $_POST['v_password']."\n");
+            fclose($fp);
+            exec (HESTIA_CMD."v-change-mail-account-password ".$v_username." ".escapeshellarg($v_domain)." ".escapeshellarg($v_account)." ".$v_password, $output, $return_var);
+            check_return_code($return_var,$output);
+            unset($output);
+            unlink($v_password);
+            $v_password = escapeshellarg($_POST['v_password']);
+        }
     }
 
     // Change quota

web/edit/mail/index.php

@@ -63,19 +63,53 @@ App.Listeners.DB.keypress_db_databasename = function() {
     });
 }
 
+App.Actions.DB.update_v_password = function (){
+    var password = $('input[name="v_password"]').val();
+    var min_small = new RegExp(/^(?=.*[a-z]).+$/);
+    var min_cap = new RegExp(/^(?=.*[A-Z]).+$/);
+    var min_num = new RegExp(/^(?=.*\d).+$/); 
+    var min_length = 8;
+    var score = 0;
+    
+    if(password.length >= min_length) { score = score + 1; }
+    if(min_small.test(password)) { score = score + 1;}
+    if(min_cap.test(password)) { score = score + 1;}
+    if(min_num.test(password)) { score = score+ 1; }
+    $('#meter').val(score);   
+}
+
+App.Listeners.DB.keypress_v_password = function() {
+    var ref = $('input[name="v_password"]');
+    ref.bind('keypress input', function(evt) {
+        clearTimeout(window.frp_usr_tmt);
+        window.frp_usr_tmt = setTimeout(function() {
+            var elm = $(evt.target);
+            App.Actions.DB.update_v_password(elm, $(elm).val());
+        }, 100);
+    });
+}
+
+App.Listeners.DB.keypress_v_password();
+
 //
 // Page entry point
 // Trigger listeners
 App.Listeners.DB.keypress_db_username();
 App.Listeners.DB.keypress_db_databasename();
 
-randomString = function() {
+randomString = function(min_length = 16) {
     var chars = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXTZabcdefghiklmnopqrstuvwxyz';
-    var string_length = 16;
+    var string_length = min_length;
     var randomstring = '';
     for (var i = 0; i < string_length; i++) {
         var rnum = Math.floor(Math.random() * chars.length);
         randomstring += chars.substr(rnum, 1);
     }
-    document.v_add_db.v_password.value = randomstring;
+    var regex = new RegExp(/^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])(?=.*\d)[a-zA-Z\d]{8,}$/);
+    if(!regex.test(randomstring)){
+        randomString();
+    }else{
+        $('input[name=v_password]').val(randomstring);
+        App.Actions.DB.update_v_password();
+    }    
 }

web/js/pages/add_db.js

@@ -75,22 +75,56 @@ $('form[name="v_quota"]').on('submit', function(evt) {
     });
 });
 
+App.Actions.MAIL_ACC.update_v_password = function (){
+    var password = $('input[name="v_password"]').val();
+    var min_small = new RegExp(/^(?=.*[a-z]).+$/);
+    var min_cap = new RegExp(/^(?=.*[A-Z]).+$/);
+    var min_num = new RegExp(/^(?=.*\d).+$/); 
+    var min_length = 8;
+    var score = 0;
+    
+    if(password.length >= min_length) { score = score + 1; }
+    if(min_small.test(password)) { score = score + 1;}
+    if(min_cap.test(password)) { score = score + 1;}
+    if(min_num.test(password)) { score = score+ 1; }
+    $('#meter').val(score);   
+}
+
+App.Listeners.MAIL_ACC.keypress_v_password = function() {
+    var ref = $('input[name="v_password"]');
+    ref.bind('keypress input', function(evt) {
+        clearTimeout(window.frp_usr_tmt);
+        window.frp_usr_tmt = setTimeout(function() {
+            var elm = $(evt.target);
+            App.Actions.MAIL_ACC.update_v_password(elm, $(elm).val());
+        }, 100);
+    });
+}
+
+App.Listeners.MAIL_ACC.keypress_v_password();
+
 
-randomString = function() {
+randomString = function(min_length = 16) {
     var chars = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXTZabcdefghiklmnopqrstuvwxyz';
-    var string_length = 16;
+    var string_length = min_length;
     var randomstring = '';
     for (var i = 0; i < string_length; i++) {
         var rnum = Math.floor(Math.random() * chars.length);
         randomstring += chars.substr(rnum, 1);
     }
-    document.v_add_mail_acc.v_password.value = randomstring;
-
-    if($('input[name=v_password]').attr('type') == 'text')
-        $('#v_password').text(randomstring);
-    else
-        $('#v_password').text(Array(randomstring.length+1).join('*'));
-    generate_mail_credentials();
+    var regex = new RegExp(/^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])(?=.*\d)[a-zA-Z\d]{8,}$/);
+    if(!regex.test(randomstring)){
+        randomString();
+    }else{
+        $('input[name=v_password]').val(randomstring);
+        if($('input[name=v_password]').attr('type') == 'text')
+            $('#v_password').text(randomstring);
+        else
+            $('#v_password').text(Array(randomstring.length+1).join('*'));
+        
+        App.Actions.MAIL_ACC.update_v_password();
+        generate_mail_credentials();
+    }    
 }
 
 generate_mail_credentials = function() {

web/js/pages/add_mail_acc.js

@@ -63,20 +63,55 @@ App.Listeners.DB.keypress_db_databasename = function() {
     });
 }
 
+App.Actions.DB.update_v_password = function (){
+    var password = $('input[name="v_password"]').val();
+    var min_small = new RegExp(/^(?=.*[a-z]).+$/);
+    var min_cap = new RegExp(/^(?=.*[A-Z]).+$/);
+    var min_num = new RegExp(/^(?=.*\d).+$/); 
+    var min_length = 8;
+    var score = 0;
+    
+    if(password.length >= min_length) { score = score + 1; }
+    if(min_small.test(password)) { score = score + 1;}
+    if(min_cap.test(password)) { score = score + 1;}
+    if(min_num.test(password)) { score = score+ 1; }
+    $('#meter').val(score);   
+}
+
+App.Listeners.DB.keypress_v_password = function() {
+    var ref = $('input[name="v_password"]');
+    ref.bind('keypress input', function(evt) {
+        clearTimeout(window.frp_usr_tmt);
+        window.frp_usr_tmt = setTimeout(function() {
+            var elm = $(evt.target);
+            App.Actions.DB.update_v_password(elm, $(elm).val());
+        }, 100);
+    });
+}
+
+App.Listeners.DB.keypress_v_password();
+
 //
 // Page entry point
 // Trigger listeners
 App.Listeners.DB.keypress_db_username();
 App.Listeners.DB.keypress_db_databasename();
 
-randomString = function() {
+randomString = function(min_length = 16) {
     var chars = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXTZabcdefghiklmnopqrstuvwxyz';
-    var string_length = 16;
+    var string_length = min_length;
     var randomstring = '';
     for (var i = 0; i < string_length; i++) {
         var rnum = Math.floor(Math.random() * chars.length);
         randomstring += chars.substr(rnum, 1);
     }
-    document.v_edit_db.v_password.value = randomstring;
+    var regex = new RegExp(/^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])(?=.*\d)[a-zA-Z\d]{8,}$/);
+    if(!regex.test(randomstring)){
+        randomString();
+    }else{
+        $('input[name=v_password]').val(randomstring);
+        App.Actions.DB.update_v_password();
+    }    
 }
+
 

web/js/pages/edit_db.js

@@ -53,47 +53,57 @@ App.Listeners.MAIL_ACC.init = function() {
     });
 }
 
-App.Helpers.isUnlimitedValue = function(value) {
-    var value = value.trim();
-    if (value == App.Constants.UNLIM_VALUE || value == App.Constants.UNLIM_TRANSLATED_VALUE) {
-        return true;
-    }
-
-    return false;
+App.Actions.MAIL_ACC.update_v_password = function (){
+    var password = $('input[name="v_password"]').val();
+    var min_small = new RegExp(/^(?=.*[a-z]).+$/);
+    var min_cap = new RegExp(/^(?=.*[A-Z]).+$/);
+    var min_num = new RegExp(/^(?=.*\d).+$/); 
+    var min_length = 8;
+    var score = 0;
+    
+    if(password.length >= min_length) { score = score + 1; }
+    if(min_small.test(password)) { score = score + 1;}
+    if(min_cap.test(password)) { score = score + 1;}
+    if(min_num.test(password)) { score = score+ 1; }
+    $('#meter').val(score);   
 }
 
-//
-// Page entry point
-// Trigger listeners
-App.Listeners.MAIL_ACC.init();
-App.Listeners.MAIL_ACC.checkbox_unlimited_feature();
-$('form[name="v_quota"]').on('submit', function(evt) {
-    $('input:disabled').each(function(i, elm) {
-        $(elm).attr('disabled', false);
-        if (App.Helpers.isUnlimitedValue($(elm).val())) {
-            $(elm).val(App.Constants.UNLIM_VALUE);
-        }
+App.Listeners.MAIL_ACC.keypress_v_password = function() {
+    var ref = $('input[name="v_password"]');
+    ref.bind('keypress input', function(evt) {
+        clearTimeout(window.frp_usr_tmt);
+        window.frp_usr_tmt = setTimeout(function() {
+            var elm = $(evt.target);
+            App.Actions.MAIL_ACC.update_v_password(elm, $(elm).val());
+        }, 100);
     });
-});
+}
+
+App.Listeners.MAIL_ACC.keypress_v_password();
 
 
-randomString = function() {
+randomString = function(min_length = 16) {
     var chars = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXTZabcdefghiklmnopqrstuvwxyz';
-    var string_length = 16;
+    var string_length = min_length;
     var randomstring = '';
     for (var i = 0; i < string_length; i++) {
         var rnum = Math.floor(Math.random() * chars.length);
         randomstring += chars.substr(rnum, 1);
     }
-    document.v_edit_mail_acc.v_password.value = randomstring;
-
-    if($('input[name=v_password]').attr('type') == 'text')
-        $('#v_password').text(randomstring);
-    else
-        $('#v_password').text(Array(randomstring.length+1).join('*'));
-    generate_mail_credentials();
+    var regex = new RegExp(/^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])(?=.*\d)[a-zA-Z\d]{8,}$/);
+    if(!regex.test(randomstring)){
+        randomString();
+    }else{
+        $('input[name=v_password]').val(randomstring);
+        if($('input[name=v_password]').attr('type') == 'text')
+            $('#v_password').text(randomstring);
+        else
+            $('#v_password').text(Array(randomstring.length+1).join('*'));
+        
+        App.Actions.MAIL_ACC.update_v_password();
+        generate_mail_credentials();
+    }    
 }
-
 generate_mail_credentials = function() {
     var div = $('.mail-infoblock').clone();
     div.find('#mail_configuration').remove();