security: reject common/weak passwords on every set-password path (#31)

Adds a synchronous policy check that blocks (1) the curated >=12-char
common-password list (rockyou top, predictable seasonal, admin defaults),
(2) trivial patterns (single-char repeat, short-pattern repeat, keyboard
or numeric sequences), and (3) passwords containing the user's email
local-part or any name component. Wired into all five password-mutation
sites: first-admin setup, admin createUser/setUserPassword, invite
acceptance, and password-reset.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

packages/api/src/router/auth.ts

@@ -3,6 +3,7 @@ import {
   PASSWORD_MAX_LENGTH,
   PASSWORD_MIN_LENGTH,
   PASSWORD_POLICY_MESSAGE,
+  checkPasswordPolicy,
 } from "@capakraken/shared";
 import { TRPCError } from "@trpc/server";
 import { z } from "zod";
@@ -133,6 +134,17 @@ export const authRouter = createTRPCRouter({
         });
       }
 
+      // Reject weak/common/identity-related passwords *after* the token is
+      // validated so attackers can't probe the policy without a valid link.
+      const userForPolicy = await ctx.db.user.findUnique({
+        where: { email: record.email },
+        select: { email: true, name: true },
+      });
+      const policy = checkPasswordPolicy(input.password, userForPolicy ?? undefined);
+      if (!policy.ok) {
+        throw new TRPCError({ code: "BAD_REQUEST", message: policy.reason });
+      }
+
       const { hash } = await import("@node-rs/argon2");
       const passwordHash = await hash(input.password);
 

packages/api/src/router/invite.ts

@@ -6,6 +6,7 @@ import {
   PASSWORD_MAX_LENGTH,
   PASSWORD_MIN_LENGTH,
   PASSWORD_POLICY_MESSAGE,
+  checkPasswordPolicy,
 } from "@capakraken/shared";
 import { createTRPCRouter, adminProcedure, publicProcedure } from "../trpc.js";
 import { getAppBaseUrl } from "../lib/app-base-url.js";
@@ -155,6 +156,11 @@ export const inviteRouter = createTRPCRouter({
         });
       }
 
+      const policy = checkPasswordPolicy(input.password, { email: invite.email });
+      if (!policy.ok) {
+        throw new TRPCError({ code: "BAD_REQUEST", message: policy.reason });
+      }
+
       const { hash } = await import("@node-rs/argon2");
       const passwordHash = await hash(input.password);
 

packages/api/src/router/user-procedure-support.ts

@@ -3,6 +3,7 @@ import {
   PASSWORD_MAX_LENGTH,
   PASSWORD_MIN_LENGTH,
   PASSWORD_POLICY_MESSAGE,
+  checkPasswordPolicy,
 } from "@capakraken/shared";
 import { PermissionOverrides, SystemRole, resolvePermissions } from "@capakraken/shared/types";
 import { TRPCError } from "@trpc/server";
@@ -121,6 +122,11 @@ export async function createUser(
     throw new TRPCError({ code: "CONFLICT", message: "User with this email already exists" });
   }
 
+  const policy = checkPasswordPolicy(input.password, { email: input.email, name: input.name });
+  if (!policy.ok) {
+    throw new TRPCError({ code: "BAD_REQUEST", message: policy.reason });
+  }
+
   const { hash } = await import("@node-rs/argon2");
   const passwordHash = await hash(input.password);
 
@@ -169,6 +175,11 @@ export async function setUserPassword(
     "User",
   );
 
+  const policy = checkPasswordPolicy(input.password, { email: user.email, name: user.name });
+  if (!policy.ok) {
+    throw new TRPCError({ code: "BAD_REQUEST", message: policy.reason });
+  }
+
   const { hash } = await import("@node-rs/argon2");
   const passwordHash = await hash(input.password);