Add password blacklist

Author: carlbennett

etc/config.sample.json

@@ -27,6 +27,20 @@
     },
     "server_update_job_token": null,
     "user_login_disabled": false,
+    "user_password_blacklist": [
+      {
+        "password": "123456",
+        "reason": "This password is too simple and well known."
+      },
+      {
+        "password": "correcthorsebatterystaple",
+        "reason": "This is a bad password because it's well known. Don't take advice from a web comic too seriously."
+      },
+      {
+        "password": "password",
+        "reason": "This password is too simple and well known."
+      }
+    ],
     "user_password_pepper": "bnetdocs-INSERTRANDOMVALUEHERE",
     "user_register_disabled": false,
     "user_register_requirements": {

src/controllers/User/ChangePassword.php

@@ -64,6 +64,14 @@ protected function tryChangePassword(
       $model->error = "PASSWORD_INCORRECT";
       return;
     }
+    $blacklist = Common::$config->bnetdocs->user_password_blacklist;
+    foreach ($blacklist as $blacklist_pw) {
+      if (strtolower($blacklist_pw->password) == strtolower($pw2)) {
+        $model->error = "PASSWORD_BLACKLIST";
+        $model->error_extra = $blacklist_pw->reason;
+        return;
+      }
+    }
     $old_password_hash = Authentication::$user->getPasswordHash();
     $old_password_salt = Authentication::$user->getPasswordSalt();
     try {

src/controllers/User/Register.php

@@ -131,6 +131,14 @@ protected function tryRegister(Router &$router, UserRegisterModel &$model) {
       $model->error = "PASSWORD_TOO_SHORT";
       return;
     }
+    $blacklist = Common::$config->bnetdocs->user_password_blacklist;
+    foreach ($blacklist as $blacklist_pw) {
+      if (strtolower($blacklist_pw->password) == strtolower($pw1)) {
+        $model->error = "PASSWORD_BLACKLIST";
+        $model->error_extra = $blacklist_pw->reason;
+        return;
+      }
+    }
     if (Common::$config->bnetdocs->user_register_disabled) {
       $model->error = "REGISTER_DISABLED";
       return;
@@ -180,14 +188,15 @@ protected function tryRegister(Router &$router, UserRegisterModel &$model) {
       Logger::logEvent(
         EventTypes::USER_CREATED,
         $user_id,
-        getenv("REMOTE_ADDR"),
+        getenv('REMOTE_ADDR'),
         json_encode([
-          "error"           => $model->error,
-          "requirements"    => $req,
-          "email"           => $email,
-          "username"        => $username,
-          "display_name"    => null,
-          "options_bitmask" => 0,
+          'error'           => $model->error,
+          'error_extra'     => $model->error_extra,
+          'requirements'    => $req,
+          'email'           => $email,
+          'username'        => $username,
+          'display_name'    => null,
+          'options_bitmask' => 0,
         ])
       );
 

src/models/User/ChangePassword.php

@@ -6,4 +6,9 @@
 
 class ChangePassword extends Model {
 
+  public $csrf_id;
+  public $csrf_token;
+  public $error;
+  public $error_extra;
+
 }

src/models/User/Register.php

@@ -6,7 +6,11 @@
 
 class Register extends Model {
 
+  public $csrf_id;
+  public $csrf_token;
   public $email;
+  public $error;
+  public $error_extra;
   public $recaptcha;
   public $username;
   public $username_max_len;

src/templates/User/ChangePassword.phtml

@@ -23,6 +23,10 @@ switch ($this->getContext()->error) {
   case "PASSWORD_INCORRECT":
     $message = "You did not enter your correct current password.";
     break;
+  case "PASSWORD_BLACKLIST":
+    $message = $this->getContext()->error_extra;
+    if (empty($message)) $message = "The new password is blacklisted.";
+    break;
   case "INTERNAL_ERROR":
     $message = "An internal error occurred while processing your request. "
       . "Our staff have been notified of the issue. Try again later.";

src/templates/User/Register.phtml

@@ -61,6 +61,11 @@ switch ($this->getContext()->error) {
     $af      = "pw1";
     $message = "The password is too short, use a better password.";
     break;
+  case "PASSWORD_BLACKLIST":
+    $af      = "pw1";
+    $message = $this->getContext()->error_extra;
+    if (empty($message)) $message = "The password is blacklisted.";
+    break;
   case "REGISTER_DISABLED":
     $af      = null;
     $message = "Creating accounts has been administratively disabled "