security: reject common/weak passwords on every set-password path (#31)
CI / Architecture Guardrails (pull_request) Successful in 3m49s
CI / Typecheck (pull_request) Failing after 4m26s
CI / Build (pull_request) Has been skipped
CI / Fresh-Linux Docker Deploy (pull_request) Has been skipped
CI / Lint (pull_request) Successful in 7m52s
CI / Assistant Split Regression (pull_request) Successful in 9m18s
CI / Unit Tests (pull_request) Successful in 11m35s
CI / E2E Tests (pull_request) Has been skipped
CI / Release Images (pull_request) Has been skipped
CI / Architecture Guardrails (pull_request) Successful in 3m49s
CI / Typecheck (pull_request) Failing after 4m26s
CI / Build (pull_request) Has been skipped
CI / Fresh-Linux Docker Deploy (pull_request) Has been skipped
CI / Lint (pull_request) Successful in 7m52s
CI / Assistant Split Regression (pull_request) Successful in 9m18s
CI / Unit Tests (pull_request) Successful in 11m35s
CI / E2E Tests (pull_request) Has been skipped
CI / Release Images (pull_request) Has been skipped
Adds a synchronous policy check that blocks (1) the curated >=12-char common-password list (rockyou top, predictable seasonal, admin defaults), (2) trivial patterns (single-char repeat, short-pattern repeat, keyboard or numeric sequences), and (3) passwords containing the user's email local-part or any name component. Wired into all five password-mutation sites: first-admin setup, admin createUser/setUserPassword, invite acceptance, and password-reset. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
@@ -5,6 +5,7 @@ import {
|
||||
PASSWORD_MAX_LENGTH,
|
||||
PASSWORD_MIN_LENGTH,
|
||||
PASSWORD_POLICY_MESSAGE,
|
||||
checkPasswordPolicy,
|
||||
} from "@capakraken/shared";
|
||||
|
||||
export type SetupResult =
|
||||
@@ -26,6 +27,13 @@ export async function createFirstAdmin(formData: {
|
||||
) {
|
||||
return { error: "validation", message: PASSWORD_POLICY_MESSAGE };
|
||||
}
|
||||
const policy = checkPasswordPolicy(formData.password, {
|
||||
email: formData.email,
|
||||
name: formData.name,
|
||||
});
|
||||
if (!policy.ok) {
|
||||
return { error: "validation", message: policy.reason };
|
||||
}
|
||||
|
||||
// TOCTOU guard — check again inside the action
|
||||
const count = await prisma.user.count();
|
||||
|
||||
Reference in New Issue
Block a user