Add exposed password check to manual password change
This commit is contained in:
parent
d34a92ab2b
commit
ca13570251
2 changed files with 19 additions and 1 deletions
|
@ -390,6 +390,11 @@ function settings_post(App $a)
|
||||||
$err = true;
|
$err = true;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (User::checkPasswordExposed($newpass)) {
|
||||||
|
notice(L10n::t('The new password has been exposed in a public data dump, please choose another.') . EOL);
|
||||||
|
$err = true;
|
||||||
|
}
|
||||||
|
|
||||||
// check if the old password was supplied correctly before changing it to the new value
|
// check if the old password was supplied correctly before changing it to the new value
|
||||||
if (!User::authenticate(intval(local_user()), $_POST['opassword'])) {
|
if (!User::authenticate(intval(local_user()), $_POST['opassword'])) {
|
||||||
notice(L10n::t('Wrong password.') . EOL);
|
notice(L10n::t('Wrong password.') . EOL);
|
||||||
|
|
|
@ -5,6 +5,7 @@
|
||||||
*/
|
*/
|
||||||
namespace Friendica\Model;
|
namespace Friendica\Model;
|
||||||
|
|
||||||
|
use DivineOmega\PasswordExposed\PasswordStatus;
|
||||||
use Friendica\Core\Addon;
|
use Friendica\Core\Addon;
|
||||||
use Friendica\Core\Config;
|
use Friendica\Core\Config;
|
||||||
use Friendica\Core\L10n;
|
use Friendica\Core\L10n;
|
||||||
|
@ -22,6 +23,7 @@ use Friendica\Util\Network;
|
||||||
use dba;
|
use dba;
|
||||||
use Exception;
|
use Exception;
|
||||||
use LightOpenID;
|
use LightOpenID;
|
||||||
|
use function password_exposed;
|
||||||
|
|
||||||
require_once 'boot.php';
|
require_once 'boot.php';
|
||||||
require_once 'include/dba.php';
|
require_once 'include/dba.php';
|
||||||
|
@ -101,7 +103,7 @@ class User
|
||||||
* @param string $password
|
* @param string $password
|
||||||
* @return int|boolean
|
* @return int|boolean
|
||||||
* @deprecated since version 3.6
|
* @deprecated since version 3.6
|
||||||
* @see Friendica\Model\User::getIdFromPasswordAuthentication()
|
* @see User::getIdFromPasswordAuthentication()
|
||||||
*/
|
*/
|
||||||
public static function authenticate($user_info, $password)
|
public static function authenticate($user_info, $password)
|
||||||
{
|
{
|
||||||
|
@ -216,6 +218,17 @@ class User
|
||||||
return autoname(6) . mt_rand(100, 9999);
|
return autoname(6) . mt_rand(100, 9999);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Checks if the provided plaintext password has been exposed or not
|
||||||
|
*
|
||||||
|
* @param string $password
|
||||||
|
* @return bool
|
||||||
|
*/
|
||||||
|
public static function checkPasswordExposed($password)
|
||||||
|
{
|
||||||
|
return password_exposed($password) === PasswordStatus::EXPOSED;
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Legacy hashing function, kept for password migration purposes
|
* Legacy hashing function, kept for password migration purposes
|
||||||
*
|
*
|
||||||
|
|
Loading…
Reference in a new issue