From e0f471715062f46698e8a72f913b2118728e53e2 Mon Sep 17 00:00:00 2001
From: techknowlogick
Date: Tue, 18 Jul 2023 01:37:48 -0400
Subject: [PATCH 1/4] Update minimum length requirements

---
 custom/conf/app.example.ini | 2 +-
 .../config-cheat-sheet.en-us.md | 2 +-
 increase_min_pass_length.diff | 39 +++++++++++++++++++
 modules/setting/security.go | 2 +-
 4 files changed, 42 insertions(+), 3 deletions(-)
 create mode 100644 increase_min_pass_length.diff

diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini
index 83c713cb05e6f..d3af33655ef47 100644
--- a/custom/conf/app.example.ini
+++ b/custom/conf/app.example.ini
@@ -454,7 +454,7 @@ INTERNAL_TOKEN=
 ;REVERSE_PROXY_TRUSTED_PROXIES = 127.0.0.0/8,::1/128
 ;;
 ;; The minimum password length for new Users
-;MIN_PASSWORD_LENGTH = 6
+;MIN_PASSWORD_LENGTH = 8
 ;;
 ;; Set to true to allow users to import local server paths
 ;IMPORT_LOCAL_PATHS = false
diff --git a/docs/content/doc/administration/config-cheat-sheet.en-us.md b/docs/content/doc/administration/config-cheat-sheet.en-us.md
index 9c307cbc48c78..c79ae64c0f391 100644
--- a/docs/content/doc/administration/config-cheat-sheet.en-us.md
+++ b/docs/content/doc/administration/config-cheat-sheet.en-us.md
@@ -561,7 +561,7 @@ And the following unique queues:
 - `scrypt`: `scrypt$65536$16$2$50`
 - Adjusting the algorithm parameters using this functionality is done at your own risk.
 - `CSRF_COOKIE_HTTP_ONLY`: **true**: Set false to allow JavaScript to read CSRF cookie.
-- `MIN_PASSWORD_LENGTH`: **6**: Minimum password length for new users.
+- `MIN_PASSWORD_LENGTH`: **8**: Minimum password length for new users.
 - `PASSWORD_COMPLEXITY`: **off**: Comma separated list of character classes required to pass minimum complexity. If left empty or no valid values are specified, checking is disabled (off):
 - lower - use one or more lower latin characters
 - upper - use one or more upper latin characters
diff --git a/increase_min_pass_length.diff b/increase_min_pass_length.diff
new file mode 100644
index 0000000000000..f72513cff61c7
--- /dev/null
+++ b/increase_min_pass_length.diff
@@ -0,0 +1,39 @@
+diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini
+index 83c713cb0..d3af33655 100644
+--- a/custom/conf/app.example.ini
++++ b/custom/conf/app.example.ini
+@@ -454,7 +454,7 @@ INTERNAL_TOKEN=
+ ;REVERSE_PROXY_TRUSTED_PROXIES = 127.0.0.0/8,::1/128
+ ;;
+ ;; The minimum password length for new Users
+-;MIN_PASSWORD_LENGTH = 6
++;MIN_PASSWORD_LENGTH = 8
+ ;;
+ ;; Set to true to allow users to import local server paths
+ ;IMPORT_LOCAL_PATHS = false
+diff --git a/docs/content/doc/administration/config-cheat-sheet.en-us.md b/docs/content/doc/administration/config-cheat-sheet.en-us.md
+index 9c307cbc4..c79ae64c0 100644
+--- a/docs/content/doc/administration/config-cheat-sheet.en-us.md
++++ b/docs/content/doc/administration/config-cheat-sheet.en-us.md
+@@ -561,7 +561,7 @@ And the following unique queues:
+ - `scrypt`: `scrypt$65536$16$2$50`
+ - Adjusting the algorithm parameters using this functionality is done at your own risk.
+ - `CSRF_COOKIE_HTTP_ONLY`: **true**: Set false to allow JavaScript to read CSRF cookie.
+-- `MIN_PASSWORD_LENGTH`: **6**: Minimum password length for new users.
++- `MIN_PASSWORD_LENGTH`: **8**: Minimum password length for new users.
+ - `PASSWORD_COMPLEXITY`: **off**: Comma separated list of character classes required to pass minimum complexity.
If left empty or no valid values are specified, checking is disabled (off):
+ - lower - use one or more lower latin characters
+ - upper - use one or more upper latin characters
+diff --git a/modules/setting/security.go b/modules/setting/security.go
+index 7064d7a00..90f614d4c 100644
+--- a/modules/setting/security.go
++++ b/modules/setting/security.go
+@@ -124,7 +124,7 @@ func loadSecurityFrom(rootCfg ConfigProvider) {
+ ReverseProxyTrustedProxies = []string{"127.0.0.0/8", "::1/128"}
+ }
+ 
+- MinPasswordLength = sec.Key("MIN_PASSWORD_LENGTH").MustInt(6)
++ MinPasswordLength = sec.Key("MIN_PASSWORD_LENGTH").MustInt(8)
+ ImportLocalPaths = sec.Key("IMPORT_LOCAL_PATHS").MustBool(false)
+ DisableGitHooks = sec.Key("DISABLE_GIT_HOOKS").MustBool(true)
+ DisableWebhooks = sec.Key("DISABLE_WEBHOOKS").MustBool(false)
diff --git a/modules/setting/security.go b/modules/setting/security.go
index 7064d7a008f40..90f614d4cd302 100644
--- a/modules/setting/security.go
+++ b/modules/setting/security.go
@@ -124,7 +124,7 @@ func loadSecurityFrom(rootCfg ConfigProvider) {
 ReverseProxyTrustedProxies = []string{"127.0.0.0/8", "::1/128"}
 }
 
- MinPasswordLength = sec.Key("MIN_PASSWORD_LENGTH").MustInt(6)
+ MinPasswordLength = sec.Key("MIN_PASSWORD_LENGTH").MustInt(8)
 ImportLocalPaths = sec.Key("IMPORT_LOCAL_PATHS").MustBool(false)
 DisableGitHooks = sec.Key("DISABLE_GIT_HOOKS").MustBool(true)
 DisableWebhooks = sec.Key("DISABLE_WEBHOOKS").MustBool(false)
From 62818a215e58be3f2fa1750bafd77d8af71fc6a8 Mon Sep 17 00:00:00 2001
From: techknowlogick
Date: Tue, 18 Jul 2023 10:22:48 -0400
Subject: [PATCH 2/4] Delete increase_min_pass_length.diff

---
 increase_min_pass_length.diff | 39 -----------------------------------
 1 file changed, 39 deletions(-)
 delete mode 100644 increase_min_pass_length.diff

diff --git a/increase_min_pass_length.diff b/increase_min_pass_length.diff
deleted file mode 100644
index f72513cff61c7..0000000000000
--- a/increase_min_pass_length.diff
+++ /dev/null
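Review bot: `MinPasswordLength = sec.Key("MIN_PASSWORD_LENGTH").MustInt(8)` only raises the fallback, so a deployment whose app.ini already sets `MIN_PASSWORD_LENGTH` to a smaller value keeps that weaker minimum and nothing in this hunk surfaces it; consider emitting a warning at load time when the configured value is below the new default. Per the app.example.ini comment the setting governs new passwords only, so existing accounts with shorter passwords are presumably unaffected by this change and the commit message could say so. The constant also deserves a why-comment on the line above it, e.g. `// Default follows NIST SP 800-63B, which requires at least 8 characters for user-chosen passwords.` The enclosing `loadSecurityFrom` starts and ends outside the hunk.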
@@ -1,39 +0,0 @@
-diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini
-index 83c713cb0..d3af33655 100644
---- a/custom/conf/app.example.ini
-+++ b/custom/conf/app.example.ini
-@@ -454,7 +454,7 @@ INTERNAL_TOKEN=
- ;REVERSE_PROXY_TRUSTED_PROXIES = 127.0.0.0/8,::1/128
- ;;
- ;; The minimum password length for new Users
--;MIN_PASSWORD_LENGTH = 6
-+;MIN_PASSWORD_LENGTH = 8
- ;;
- ;; Set to true to allow users to import local server paths
- ;IMPORT_LOCAL_PATHS = false
-diff --git a/docs/content/doc/administration/config-cheat-sheet.en-us.md b/docs/content/doc/administration/config-cheat-sheet.en-us.md
-index 9c307cbc4..c79ae64c0 100644
---- a/docs/content/doc/administration/config-cheat-sheet.en-us.md
-+++ b/docs/content/doc/administration/config-cheat-sheet.en-us.md
-@@ -561,7 +561,7 @@ And the following unique queues:
- - `scrypt`: `scrypt$65536$16$2$50`
- - Adjusting the algorithm parameters using this functionality is done at your own risk.
- - `CSRF_COOKIE_HTTP_ONLY`: **true**: Set false to allow JavaScript to read CSRF cookie.
--- `MIN_PASSWORD_LENGTH`: **6**: Minimum password length for new users.
-+- `MIN_PASSWORD_LENGTH`: **8**: Minimum password length for new users.
- - `PASSWORD_COMPLEXITY`: **off**: Comma separated list of character classes required to pass minimum complexity.
If left empty or no valid values are specified, checking is disabled (off):
- - lower - use one or more lower latin characters
- - upper - use one or more upper latin characters
-diff --git a/modules/setting/security.go b/modules/setting/security.go
-index 7064d7a00..90f614d4c 100644
---- a/modules/setting/security.go
-+++ b/modules/setting/security.go
-@@ -124,7 +124,7 @@ func loadSecurityFrom(rootCfg ConfigProvider) {
- ReverseProxyTrustedProxies = []string{"127.0.0.0/8", "::1/128"}
- }
- 
-- MinPasswordLength = sec.Key("MIN_PASSWORD_LENGTH").MustInt(6)
-+ MinPasswordLength = sec.Key("MIN_PASSWORD_LENGTH").MustInt(8)
- ImportLocalPaths = sec.Key("IMPORT_LOCAL_PATHS").MustBool(false)
- DisableGitHooks = sec.Key("DISABLE_GIT_HOOKS").MustBool(true)
- DisableWebhooks = sec.Key("DISABLE_WEBHOOKS").MustBool(false)
From bb2c9175a43adc5c011d2ed453268053a4a2371e Mon Sep 17 00:00:00 2001
From: techknowlogick
Date: Mon, 21 Aug 2023 15:54:13 +0000
Subject: [PATCH 3/4] increase min password len in e2e

---
 models/fixtures/user.yml | 2 +-
 tests/e2e/example.test.e2e.js | 6 +++---
 tests/e2e/utils_e2e.js | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/models/fixtures/user.yml b/models/fixtures/user.yml
index c7c5c024be89a..8c672bf000a92 100644
--- a/models/fixtures/user.yml
+++ b/models/fixtures/user.yml
@@ -45,7 +45,7 @@
 email: user2@example.com
 keep_email_private: true
 email_notifications_preference: enabled
- passwd: ZogKvWdyEx:password
+ passwd: ZogKvWdyEx:passwordpassword
 passwd_hash_algo: dummy
 must_change_password: false
 login_source: 0
diff --git a/tests/e2e/example.test.e2e.js b/tests/e2e/example.test.e2e.js
index 5e45bad24af81..725210f5e8635 100644
--- a/tests/e2e/example.test.e2e.js
+++ b/tests/e2e/example.test.e2e.js
@@ -18,8 +18,8 @@ test('Test Register Form', async ({page}, workerInfo) => {
 await expect(response?.status()).toBe(200); // Status OK
 await page.type('input[name=user_name]', `e2e-test-${workerInfo.workerIndex}`);
 await page.type('input[name=email]', `e2e-test-${workerInfo.workerIndex}@test.com`);
- await page.type('input[name=password]', 'test123');
- await page.type('input[name=retype]', 'test123');
+ await page.type('input[name=password]', 'test123test123');
+ await page.type('input[name=retype]', 'test123test123');
 await page.click('form button.ui.green.button:visible');
 // Make sure we routed to the home page. Else login failed.
 await expect(page.url()).toBe(`${workerInfo.project.use.baseURL}/`);
@@ -34,7 +34,7 @@ test('Test Login Form', async ({page}, workerInfo) => {
 await expect(response?.status()).toBe(200); // Status OK
 
 await page.type('input[name=user_name]', `user2`);
- await page.type('input[name=password]', `password`);
+ await page.type('input[name=password]', `passwordpassword`);
 await page.click('form button.ui.green.button:visible');
 
 await page.waitForLoadState('networkidle');
diff --git a/tests/e2e/utils_e2e.js b/tests/e2e/utils_e2e.js
index ca6bde8db7a76..bb1b7140545ab 100644
--- a/tests/e2e/utils_e2e.js
+++ b/tests/e2e/utils_e2e.js
@@ -1,7 +1,7 @@
 import {expect} from '@playwright/test';
 
 const ARTIFACTS_PATH = `tests/e2e/test-artifacts`;
-const LOGIN_PASSWORD = 'password';
+const LOGIN_PASSWORD = 'passwordpassword';
 
 // log in user and store session info. This should generally be
 // run in test.beforeAll(), then the session can be loaded in tests.
From 55abb457ae4ebe65c389733123d43fc87ab1c15d Mon Sep 17 00:00:00 2001
From: techknowlogick
Date: Mon, 21 Aug 2023 17:20:06 +0000
Subject: [PATCH 4/4] pass is already 8 chars

---
 models/fixtures/user.yml | 2 +-
 tests/e2e/example.test.e2e.js | 2 +-
 tests/e2e/utils_e2e.js | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
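Review bot: The register-form hunk hard-codes `'test123test123'` on both the `password` and `retype` lines with nothing tying the value to the new MIN_PASSWORD_LENGTH default, so a later increase of the minimum will fail this test with no hint why. A comment on the password line such as `// must satisfy MIN_PASSWORD_LENGTH (default 8) or sign-up is rejected`, or a shared constant defined alongside LOGIN_PASSWORD in utils_e2e.js, would make that dependency explicit. The same literal `'passwordpassword'` is now repeated in the login-form hunk, in utils_e2e.js and in models/fixtures/user.yml, three places that must stay in sync by hand. Both test callbacks start and end outside their hunks.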
diff --git a/models/fixtures/user.yml b/models/fixtures/user.yml
index 8c672bf000a92..c7c5c024be89a 100644
--- a/models/fixtures/user.yml
+++ b/models/fixtures/user.yml
@@ -45,7 +45,7 @@
 email: user2@example.com
 keep_email_private: true
 email_notifications_preference: enabled
- passwd: ZogKvWdyEx:passwordpassword
+ passwd: ZogKvWdyEx:password
 passwd_hash_algo: dummy
 must_change_password: false
 login_source: 0
diff --git a/tests/e2e/example.test.e2e.js b/tests/e2e/example.test.e2e.js
index 725210f5e8635..870c28cc77a8d 100644
--- a/tests/e2e/example.test.e2e.js
+++ b/tests/e2e/example.test.e2e.js
@@ -34,7 +34,7 @@ test('Test Login Form', async ({page}, workerInfo) => {
 await expect(response?.status()).toBe(200); // Status OK
 
 await page.type('input[name=user_name]', `user2`);
- await page.type('input[name=password]', `passwordpassword`);
+ await page.type('input[name=password]', `password`);
 await page.click('form button.ui.green.button:visible');
 
 await page.waitForLoadState('networkidle');
diff --git a/tests/e2e/utils_e2e.js b/tests/e2e/utils_e2e.js
index bb1b7140545ab..ca6bde8db7a76 100644
--- a/tests/e2e/utils_e2e.js
+++ b/tests/e2e/utils_e2e.js
@@ -1,7 +1,7 @@
 import {expect} from '@playwright/test';
 
 const ARTIFACTS_PATH = `tests/e2e/test-artifacts`;
-const LOGIN_PASSWORD = 'passwordpassword';
+const LOGIN_PASSWORD = 'password';
 
 // log in user and store session info. This should generally be
 // run in test.beforeAll(), then the session can be loaded in tests.