adds configuration option set by default False to check password compromise

2024-11-13 16:12:50 +01:00 · 2024-11-13 16:12:50 +01:00 · 2a57a05155
commit 2a57a05155
parent faa5c6f966
2 changed files with 18 additions and 15 deletions
--- a/canaille/app/forms.py
+++ b/canaille/app/forms.py
@ -88,25 +88,26 @@ def password_strength_calculator(password):


 def compromised_password_validator(form, field):
-    hashed_password = sha1(field.data.encode("utf-8")).hexdigest()
-    hashed_password_prefix, hashed_password_suffix = (
-        hashed_password[:5].upper(),
-        hashed_password[5:].upper(),
-    )
+    if current_app.config["CANAILLE"]["ENABLE_PASSWORD_COMPROMISSION_CHECK"]:
+        hashed_password = sha1(field.data.encode("utf-8")).hexdigest()
+        hashed_password_prefix, hashed_password_suffix = (
+            hashed_password[:5].upper(),
+            hashed_password[5:].upper(),
+        )

-    api_url = f"https://api.pwnedpasswords.com/range/{hashed_password_prefix}"
+        api_url = f"https://api.pwnedpasswords.com/range/{hashed_password_prefix}"

-    try:
-        response = requests.api.get(api_url, timeout=10)
-    except Exception:
-        check_if_send_mail_to_admins(form, api_url, hashed_password_suffix)
-        return None
+        try:
+            response = requests.api.get(api_url, timeout=10)
+        except Exception:
+            check_if_send_mail_to_admins(form, api_url, hashed_password_suffix)
+            return None

-    decoded_response = response.content.decode("utf8").split("\r\n")
+        decoded_response = response.content.decode("utf8").split("\r\n")

-    for each in decoded_response:
-        if hashed_password_suffix == each.split(":")[0]:
-            raise wtforms.ValidationError(_("This password is compromised."))
+        for each in decoded_response:
+            if hashed_password_suffix == each.split(":")[0]:
+                raise wtforms.ValidationError(_("This password appears on public compromission databases and is not secure."))


 def email_validator(form, field):
--- a/canaille/core/configuration.py
+++ b/canaille/core/configuration.py
@ -320,3 +320,5 @@ class CoreSettings(BaseModel):
    corruption), it is necessary to provide an administration contact
    email.
    """
+
+    ENABLE_PASSWORD_COMPROMISSION_CHECK: bool = False