From c9e06effdf72a94a4e244ce8ecb6c5ced53e1b85 Mon Sep 17 00:00:00 2001
From: shay23b
Date: Tue, 4 Jul 2023 20:38:16 +0300
Subject: [PATCH 1/2] validate user app password

---
 server/memphis_cloud.go | 6 ++++++
 server/memphis_helper.go | 14 ++++++++++++++
 2 files changed, 20 insertions(+)

diff --git a/server/memphis_cloud.go b/server/memphis_cloud.go
index 761151279..70bd2c2c6 100644
--- a/server/memphis_cloud.go
+++ b/server/memphis_cloud.go
@@ -1282,6 +1282,12 @@ func (umh UserMgmtHandler) AddUser(c *gin.Context) {
 c.AbortWithStatusJSON(SHOWABLE_ERROR_STATUS_CODE, gin.H{"message": "Password was not provided"})
 return
 }
+ err = validatePassword(body.Password)
+ if err != nil {
+ serv.Errorf("[tenant: %v][user: %v]AddUser validate password : User %v: %v", user.TenantName, user.Username, body.Username, err.Error())
+ c.AbortWithStatusJSON(SHOWABLE_ERROR_STATUS_CODE, gin.H{"message": "Invalid Password"})
+ return
+ }
 password, err = EncryptAES([]byte(body.Password))
 if err != nil {
 serv.Errorf("[tenant: %v][user: %v]AddUser at EncryptAES: User %v: %v", user.TenantName, user.Username, body.Username, err.Error())
diff --git a/server/memphis_helper.go b/server/memphis_helper.go
index 2120ab5e0..d180eae53 100644
--- a/server/memphis_helper.go
+++ b/server/memphis_helper.go
@@ -23,6 +23,7 @@ import (
 "memphis/db"
 "memphis/models"
 "net/textproto"
+ "regexp"
 "sort"
 "strconv"
 "strings"
@@ -1451,3 +1452,16 @@ func (s *Server) MoveResourcesFromOldToNewDefaultAcc() error {
 }
 return nil
 }
+
+func validatePassword(password string) error {
+ pattern := `^([A-Z]*)([a-z]*)(.[!?\-@#$%])[A-Za-z\d!?\-@#$%]{8,}$`
+ regex, err := regexp.Compile(pattern)
+ if err != nil {
+ return err
+ }
+ if regex.MatchString(password) {
+ return nil
+ } else {
+ return errors.New("Invalid Password")
+ }
+}
From bbe2a5770a955df43a9108afb24614751683d958 Mon Sep 17 00:00:00 2001
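Review bot: The rejection message on the new `c.AbortWithStatusJSON(SHOWABLE_ERROR_STATUS_CODE, gin.H{"message": "Invalid Password"})` line tells the caller nothing about the policy, so a legitimate user cannot correct the input; the policy is not secret and can be stated, e.g. `gin.H{"message": "Password must be at least 8 characters and contain upper- and lower-case letters, a digit and one of !?-@#$%"}` (matching what `validatePassword` enforces after PATCH 2/2). The adjacent `serv.Errorf` correctly logs only the username and the error, not the password value itself, which should stay that way. AddUser's body starts before and continues after this hunk; if the server has another path that sets a user's password (a change-password handler, for instance), it presumably should call the same validator, which I cannot confirm from this diff.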
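Review bot: `regexp.Compile(pattern)` runs on every call of `validatePassword` although `pattern` is a constant, and the `if err != nil { return err }` branch can never be taken for a literal that compiles; hoisting it to a package-level `var passwordRe = regexp.MustCompile(...)` removes both the per-call cost and the dead branch. The same applies to the `regexp.MatchString` call that replaces it in the validatePassword hunk of PATCH 2/2, which also recompiles on each call. Go error strings are conventionally lowercase, so `errors.New("invalid password")`. The whole function is contained in this hunk.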
From: shay23b
Date: Tue, 4 Jul 2023 21:04:19 +0300
Subject: [PATCH 2/2] fix validatePassword

---
 server/memphis_helper.go | 38 +++++++++++++++++++++++++++++++-------
 1 file changed, 31 insertions(+), 7 deletions(-)

diff --git a/server/memphis_helper.go b/server/memphis_helper.go
index d180eae53..a68ec0cd7 100644
--- a/server/memphis_helper.go
+++ b/server/memphis_helper.go
@@ -28,6 +28,7 @@ import (
 "strconv"
 "strings"
 "time"
+ "unicode"
 
 "github.com/gofrs/uuid"
 "github.com/nats-io/nuid"
@@ -1454,14 +1455,37 @@ func (s *Server) MoveResourcesFromOldToNewDefaultAcc() error {
 }
 
 func validatePassword(password string) error {
- pattern := `^([A-Z]*)([a-z]*)(.[!?\-@#$%])[A-Za-z\d!?\-@#$%]{8,}$`
- regex, err := regexp.Compile(pattern)
- if err != nil {
- return err
+ pattern := `^[A-Za-z0-9!?\-@#$%]+$`
+ match, _ := regexp.MatchString(pattern, password)
+ if !match {
+ return errors.New("Invalid Password")
 }
- if regex.MatchString(password) {
- return nil
- } else {
+ if len(password) < 8 {
 return errors.New("Invalid Password")
 }
+ var (
+ hasUppercase bool
+ hasLowercase bool
+ hasDigit bool
+ hasSpecialChar bool
+ )
+
+ for _, char := range password {
+ switch {
+ case unicode.IsUpper(char):
+ hasUppercase = true
+ case unicode.IsLower(char):
+ hasLowercase = true
+ case unicode.IsDigit(char):
+ hasDigit = true
+ case char == '!' || char == '?' || char == '-' || char == '@' || char == '#' || char == '$' || char == '%':
+ hasSpecialChar = true
+ }
+ }
+
+ if hasUppercase && hasLowercase && hasDigit && hasSpecialChar {
+ return nil
+ }
+
+ return errors.New("Invalid Password")
 }
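Review bot: `match, _ := regexp.MatchString(pattern, password)` discards the compile error and recompiles the constant pattern on every call; with a package-level `var passwordCharsetRe = regexp.MustCompile(`^[A-Za-z0-9!?\-@#$%]+$`)` the check becomes `if !passwordCharsetRe.MatchString(password) {` and there is no error left to ignore. The three identical `errors.New("Invalid Password")` values are better expressed as one sentinel, `var ErrInvalidPassword = errors.New("invalid password")`, so the caller in AddUser can test it with `errors.Is` rather than matching on the message. Because the charset check only admits ASCII, `len(password) < 8` counts characters correctly, but there is no upper bound, and a maximum length would bound the work done on untrusted input before it reaches `EncryptAES`. The charset also rejects spaces and every symbol outside `!?-@#$%`, which rules out long passphrases; NIST SP 800-63B recommends accepting all printable characters and relying on minimum length plus a breached-password check instead of composition rules, so if the restriction is deliberate it deserves a doc comment such as `// validatePassword enforces the user password policy: at least 8 characters drawn from A-Z, a-z, 0-9 and !?-@#$%, with at least one of each class.` The whole function is contained in this hunk.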