globuzma/canaille-globuzma
1
0
Fork 0
forked from Github-Mirrors/canaille
Code Pull requests Activity

adds configuration option set by default False to check password compromise

Browse source
This commit is contained in:
sebastien 2024-11-13 16:12:50 +01:00
parent faa5c6f966
commit 2a57a05155
2 changed files with 18 additions and 15 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

31
canaille/app/forms.py
View file

@ -88,25 +88,26 @@ def password_strength_calculator(password):
def compromised_password_validator(form, field): def compromised_password_validator(form, field):
hashed_password = sha1(field.data.encode("utf-8")).hexdigest() if current_app.config["CANAILLE"]["ENABLE_PASSWORD_COMPROMISSION_CHECK"]:
hashed_password_prefix, hashed_password_suffix = ( hashed_password = sha1(field.data.encode("utf-8")).hexdigest()
hashed_password[:5].upper(), hashed_password_prefix, hashed_password_suffix = (
hashed_password[5:].upper(), hashed_password[:5].upper(),
) hashed_password[5:].upper(),
)
api_url = f"https://api.pwnedpasswords.com/range/{hashed_password_prefix}" api_url = f"https://api.pwnedpasswords.com/range/{hashed_password_prefix}"
try: try:
response = requests.api.get(api_url, timeout=10) response = requests.api.get(api_url, timeout=10)
except Exception: except Exception:
check_if_send_mail_to_admins(form, api_url, hashed_password_suffix) check_if_send_mail_to_admins(form, api_url, hashed_password_suffix)
return None return None
decoded_response = response.content.decode("utf8").split("\r\n") decoded_response = response.content.decode("utf8").split("\r\n")
for each in decoded_response: for each in decoded_response:
if hashed_password_suffix == each.split(":")[0]: if hashed_password_suffix == each.split(":")[0]:
raise wtforms.ValidationError(_("This password is compromised.")) raise wtforms.ValidationError(_("This password appears on public compromission databases and is not secure."))
def email_validator(form, field): def email_validator(form, field):

2
canaille/core/configuration.py
View file

@ -320,3 +320,5 @@ class CoreSettings(BaseModel):
corruption), it is necessary to provide an administration contact corruption), it is necessary to provide an administration contact
email. email.
""" """
ENABLE_PASSWORD_COMPROMISSION_CHECK: bool = False