Hartmut/CapaKraken
1
0
Fork 0
Code Issues 10 Pull Requests 1 Actions Packages Projects Releases Wiki Activity

security: reject common/weak passwords on every set-password path (#31)
CI / Architecture Guardrails (pull_request) Successful in 6m31s
Details
CI / Typecheck (pull_request) Failing after 6m9s
Details
CI / Build (pull_request) Has been skipped
Details
CI / E2E Tests (pull_request) Has been skipped
Details
CI / Fresh-Linux Docker Deploy (pull_request) Has been skipped
Details
CI / Assistant Split Regression (pull_request) Successful in 7m23s
Details
CI / Lint (pull_request) Successful in 6m54s
Details
CI / Unit Tests (pull_request) Successful in 9m28s
Details
CI / Release Images (pull_request) Has been skipped
Details

Browse Source 
Adds a synchronous policy check that blocks (1) the curated >=12-char
common-password list (rockyou top, predictable seasonal, admin defaults),
(2) trivial patterns (single-char repeat, short-pattern repeat, keyboard
or numeric sequences), and (3) passwords containing the user's email
local-part or any name component. Wired into all five password-mutation
sites: first-admin setup, admin createUser/setUserPassword, invite
acceptance, and password-reset.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Hartmut Nörenberg
2026-04-18 14:02:43 +02:00
parent d9a7ec0338
commit e01074926e
8 changed files with 359 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
apps/web/src/app/setup/actions.ts
+8
View File
@@ -5,6 +5,7 @@ import {
PASSWORD_MAX_LENGTH,
PASSWORD_MIN_LENGTH,
PASSWORD_POLICY_MESSAGE,
checkPasswordPolicy,
} from "@capakraken/shared";
export type SetupResult =
@@ -26,6 +27,13 @@ export async function createFirstAdmin(formData: {
) {
return { error: "validation", message: PASSWORD_POLICY_MESSAGE };
}
const policy = checkPasswordPolicy(formData.password, {
email: formData.email,
name: formData.name,
});
if (!policy.ok) {
return { error: "validation", message: policy.reason };
}
// TOCTOU guard — check again inside the action
const count = await prisma.user.count();