feat(core): Check password strength on login (SQL Source). Closes #6025.

smizrahi
2024-12-02 11:08:39 +01:00
parent 9ffa72ee9b
commit 178b1a3a0e
18 changed files with 274 additions and 132 deletions
@@ -88,6 +88,7 @@ See <a href=\"http://www.sogo.nu/en/support/community.html\">this page</a> for v
"Change your Password" = "Change your Password";
"The password was changed successfully." = "The password was changed successfully.";
"Your password has expired, please enter a new one below" = "Your password has expired, please enter a new one below";
"Your password is too weak. Please choose a stronger password to enhance your security" = "Your password is too weak. Please choose a stronger password to enhance your security";
"Password must not be empty." = "Password must not be empty.";
"The passwords do not match. Please try again." = "The passwords do not match. Please try again.";
"Password Grace Period" = "Password Grace Period";
@@ -130,4 +131,4 @@ See <a href=\"http://www.sogo.nu/en/support/community.html\">this page</a> for v
"Invalid configuration for email password recovery" = "Invalid configuration for email password recovery";
"Password recovery email in error" = "Password recovery email in error";
"Password reset" = "Password reset";
"Hi %{0},\nThere was a request to change your password!\n\nIf you did not make this request then please ignore this email.\n\nOtherwise, please click this link to change your password: %{1}" = "Hi %{0},\nThere was a request to change your password!\n\nIf you did not make this request then please ignore this email.\n\nOtherwise, please click this link to change your password: %{1}";
"Hi %{0},\nThere was a request to change your password!\n\nIf you did not make this request then please ignore this email.\n\nOtherwise, please click this link to change your password: %{1}" = "Hi %{0},\nThere was a request to change your password!\n\nIf you did not make this request then please ignore this email.\n\nOtherwise, please click this link to change your password: %{1}";
@@ -85,6 +85,7 @@
"Change your Password" = "Changez votre mot de passe";
"The password was changed successfully." = "Votre mot de passe a bien été changé.";
"Your password has expired, please enter a new one below" = "Votre mot de passe est expiré, veuillez entrer un nouveau mot de passe";
"Your password is too weak. Please choose a stronger password to enhance your security" = "Votre mot de passe est trop faible. Veuillez choisir un mot de passe plus sécurisé pour renforcer votre protection";
"Password must not be empty." = "Le mot de passe ne doit pas être vide.";
"The passwords do not match. Please try again." = "Les mots de passe ne sont pas identiques. Essayez de nouveau.";
"Password Grace Period" = "Période de grâce pour le mot de passe";
@@ -127,4 +128,4 @@
"Invalid configuration for email password recovery" = "Configuration invalide pour la récupération de mot de passe par e-mail";
"Password recovery email in error" = "Erreur lors de l'envoi de l'email de récupération";
"Password reset" = "Réinitialisation de mot de passe";
"Hi %{0},\nThere was a request to change your password!\n\nIf you did not make this request then please ignore this email.\n\nOtherwise, please click this link to change your password: %{1}" = "Bonjour %{0},\nUne demande de changement de mot de passe a été initiée.\n\nSi vous n'êtes pas à l'origine de cet e-mail, n'en tenez pas compte.\n\nSi vous en êtes bien à l'origine, veuillez cliquer sur le lien ci-dessous pour modifier votre mot de passe: %{1}";
"Hi %{0},\nThere was a request to change your password!\n\nIf you did not make this request then please ignore this email.\n\nOtherwise, please click this link to change your password: %{1}" = "Bonjour %{0},\nUne demande de changement de mot de passe a été initiée.\n\nSi vous n'êtes pas à l'origine de cet e-mail, n'en tenez pas compte.\n\nSi vous en êtes bien à l'origine, veuillez cliquer sur le lien ci-dessous pour modifier votre mot de passe: %{1}";
@@ -52,6 +52,7 @@
#import <SOGo/SOGoEmptyAuthenticator.h>
#import <SOGo/SOGoMailer.h>
#import <SOGo/SOGoAdmin.h>
#import <SOGo/SOGoPasswordPolicy.h>
#if defined(MFA_CONFIG)
#include <liboath/oath.h>
@@ -167,14 +168,23 @@ static const NSString *kJwtKey = @"jwt";
//
//
//
- (WOResponse *) _responseWithLDAPPolicyError: (int) error
- (WOResponse *) _responseWithLDAPPolicyError: (int) error additionalInfos: (NSDictionary *) additionalInfos
{
NSDictionary *jsonError;
jsonError = [NSDictionary dictionaryWithObject: [NSNumber numberWithInt: error]
forKey: @"LDAPPasswordPolicyError"];
return [self responseWithStatus: 403
andJSONRepresentation: jsonError];
if (additionalInfos) {
jsonError = [NSDictionary dictionaryWithObjectsAndKeys:
[NSNumber numberWithInt:error], @"LDAPPasswordPolicyError",
additionalInfos, @"additionalInfos",
nil];
} else {
jsonError = [NSDictionary dictionaryWithObjectsAndKeys:
[NSNumber numberWithInt:error], @"LDAPPasswordPolicyError",
nil];
}
return [self responseWithStatus:403
andJSONRepresentation:jsonError];
}
- (void) _checkAutoReloadWebCalendars: (SOGoUser *) loggedInUser
@@ -197,6 +207,27 @@ static const NSString *kJwtKey = @"jwt";
}
}
//
//
//
- (void)translateAdditionalLoginInformations:(NSMutableDictionary **)additionalLoginInformations
{
NSDictionary *policy;
NSMutableDictionary *translations;
if (additionalLoginInformations && *additionalLoginInformations) {
if ([*additionalLoginInformations objectForKey:@"userPolicies"]) {
translations = [[NSMutableDictionary alloc] init];
for (policy in [*additionalLoginInformations objectForKey:@"userPolicies"]) {
[translations setObject:[self commonLabelForKey: [policy objectForKey:@"label"]] forKey: [policy objectForKey:@"label"]];
}
[*additionalLoginInformations setObject:[SOGoPasswordPolicy createPasswordPolicyLabels: [*additionalLoginInformations objectForKey:@"userPolicies"] withTranslations: translations]
forKey:@"userPolicies"];
[translations release];
}
}
}
//
//
//
@@ -210,6 +241,7 @@ static const NSString *kJwtKey = @"jwt";
SOGoUserSettings *us;
SOGoUser *loggedInUser;
NSDictionary *params;
NSMutableDictionary *additionalLoginInformations;
NSString *username, *password, *language, *domain, *remoteHost;
NSArray *supportedLanguages, *creds;
@@ -223,6 +255,7 @@ static const NSString *kJwtKey = @"jwt";
auth = [[WOApplication application] authenticatorInContext: context];
request = [context request];
params = [[request contentAsString] objectFromJSONString];
additionalLoginInformations = [[NSMutableDictionary alloc] init];
username = [params objectForKey: @"userName"];
password = [params objectForKey: @"password"];
@@ -232,9 +265,11 @@ static const NSString *kJwtKey = @"jwt";
/* this will always be set to something more or less useful by
* [WOHttpTransaction applyAdaptorHeadersWithHttpRequest] */
remoteHost = [request headerForKey:@"x-webobjects-remote-host"];
b = [auth checkLogin: username password: password domain: &domain
perr: &err expire: &expire grace: &grace additionalInfo: &additionalLoginInformations useCache: NO];
[self translateAdditionalLoginInformations: &additionalLoginInformations];
if ((b = [auth checkLogin: username password: password domain: &domain
perr: &err expire: &expire grace: &grace useCache: NO])
if (b
&& (err == PolicyNoError)
// no password policy
&& ((expire < 0 && grace < 0) // no password policy or everything is alright
@@ -334,7 +369,7 @@ static const NSString *kJwtKey = @"jwt";
#endif
if ([us objectForKey: @"ForceResetPassword"]) {
response = [self _responseWithLDAPPolicyError: PolicyPasswordExpired];
response = [self _responseWithLDAPPolicyError: PolicyPasswordExpired additionalInfos: additionalLoginInformations];
} else {
[self _checkAutoReloadWebCalendars: loggedInUser];
@@ -377,7 +412,7 @@ static const NSString *kJwtKey = @"jwt";
[self logWithFormat: @"Login from '%@' for user '%@' might not have worked - password policy: %d grace: %d expire: %d bound: %d",
remoteHost, username, err, grace, expire, b];
response = [self _responseWithLDAPPolicyError: err];
response = [self _responseWithLDAPPolicyError: err additionalInfos: additionalLoginInformations];
}
if (rememberLogin)
@@ -385,6 +420,8 @@ static const NSString *kJwtKey = @"jwt";
else
[response addCookie: [self _cookieWithUsername: nil]];
[additionalLoginInformations release];
return response;
}
@@ -808,7 +845,7 @@ static const NSString *kJwtKey = @"jwt";
}
}
else
response = [self _responseWithLDAPPolicyError: error];
response = [self _responseWithLDAPPolicyError: error additionalInfos: nil];
}
return response;
@@ -1072,4 +1109,5 @@ static const NSString *kJwtKey = @"jwt";
urlCreateAccount];
}
@end /* SOGoRootPage */
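Review bot: The ownership of `additionalLoginInformations` in connectAction is unclear once it is passed by reference: it is created with `[[NSMutableDictionary alloc] init]`, handed to `checkLogin: ... additionalInfo: &additionalLoginInformations`, and released just before `return response;`, so if the authenticator ever reassigns `*additionalInfo` the original dictionary leaks and the final `release` hits an object this method never retained. If `checkLogin:` only mutates the dictionary it is given, that contract should be stated on the out-parameter and `translateAdditionalLoginInformations:` should take a plain `NSMutableDictionary *`, since its body never assigns to `*additionalLoginInformations`; otherwise create the dictionary with `[NSMutableDictionary dictionary]` and drop the explicit release. connectAction's body continues between the hunks, so any early return in that stretch would also skip the release. Separately, the `else` branch calling `_responseWithLDAPPolicyError: err additionalInfos: additionalLoginInformations` also runs when `b` is NO, so the 403 body for a rejected password now carries whatever the authenticator placed in `additionalInfo`; attaching it only when `b` is YES (policy failure on an otherwise accepted password) keeps the failed-login response minimal.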