manyfold3d · Floppy · Jul 17, 2024 · Jul 17, 2024 · Jul 17, 2024 · Jul 17, 2024
diff --git a/Gemfile b/Gemfile
@@ -120,8 +120,6 @@ gem "flipper-active_record", "~> 1.3"
 
 gem "rolify", "~> 6.0"
 
-gem "devise-security", "~> 0.18.0"
-
 gem "letter_opener", "~> 1.10", group: :development
 
 gem "sidekiq", "~> 7.3"
@@ -146,3 +144,5 @@ gem "shrine", "~> 3.6"
 gem "aws-sdk-s3", "~> 1.156"
 
 gem "better_content_security_policy", "~> 0.1.4"
+
+gem "devise_zxcvbn", "~> 6.0"
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -203,8 +203,9 @@ GEM
       warden (~> 1.2.3)
     devise-i18n (1.12.1)
       devise (>= 4.9.0)
-    devise-security (0.18.0)
-      devise (>= 4.3.0)
+    devise_zxcvbn (6.0.0)
+      devise
+      zxcvbn (~> 0.1.7)
     diff-lcs (1.5.1)
     docile (1.4.0)
     dotenv (3.1.2)
@@ -633,6 +634,7 @@ GEM
       websocket-extensions (>= 0.1.0)
     websocket-extensions (0.1.5)
     zeitwerk (2.6.16)
+    zxcvbn (0.1.10)
 
 PLATFORMS
   ruby
@@ -659,7 +661,7 @@ DEPENDENCIES
   database_cleaner-active_record (~> 2.2)
   devise (~> 4.9)
   devise-i18n (~> 1.12)
-  devise-security (~> 0.18.0)
+  devise_zxcvbn (~> 6.0)
   dotenv-rails (~> 3.1)
   erb_lint (~> 0.5.0)
   factory_bot

diff --git a/app/models/user.rb b/app/models/user.rb
@@ -1,7 +1,9 @@
+require "uri"
+
 class User < ApplicationRecord
   rolify
   devise :database_authenticatable,
-    :registerable, :secure_validatable,
+    :registerable, :zxcvbnable,
     :rememberable, :recoverable,
     :lockable, :timeoutable
 
@@ -14,7 +16,13 @@ class User < ApplicationRecord
 
   validates :email,
     presence: true,
-    uniqueness: {case_sensitive: false}
+    uniqueness: {case_sensitive: false},
+    format: {with: URI::MailTo::EMAIL_REGEXP}
+
+  validates :password,
+    presence: true,
+    confirmation: true,
+    if: :password_required?
 
   after_create :assign_default_role
 
@@ -63,4 +71,12 @@ def has_any_role_of?(*args)
   def assign_default_role
     add_role(:viewer) if roles.blank?
   end
+
+  def password_required?
+    !persisted? || !password.nil? || !password_confirmation.nil?
+  end
+
+  def weak_words
+    ["manyfold", username]
+  end
 end
diff --git a/app/validators/email_validator.rb b/app/validators/email_validator.rb
diff --git a/app/views/devise/registrations/edit.html.erb b/app/views/devise/registrations/edit.html.erb
@@ -6,7 +6,7 @@
       <div class="card mb-2">
         <h4 class="card-header"><%= t(".security") %></h4>
         <div class="card-body">
-          <%= password_input_row f, :password, autocomplete: "new-password", help: t("devise.shared.password_rules") %>
+          <%= password_input_row f, :password, autocomplete: "new-password" %>
           <%= password_input_row f, :password_confirmation, autocomplete: "new-password" %>
           <%= password_input_row f, :current_password, autocomplete: "current-password",
                 help: t(".current_password_help") %>

diff --git a/app/views/devise/registrations/first_use.html.erb b/app/views/devise/registrations/first_use.html.erb
@@ -8,7 +8,7 @@
 <%= form_for(resource, as: resource_name, url: registration_path(resource_name), html: {method: :put}) do |f| %>
   <%= text_input_row f, :email, autofocus: true, autocomplete: "email", help: t(".email_help") %>
   <%= text_input_row f, :username, help: t(".username_help") %>
-  <%= password_input_row f, :password, autocomplete: "new-password", help: t("devise.shared.password_rules") %>
+  <%= password_input_row f, :password, autocomplete: "new-password" %>
   <%= password_input_row f, :password_confirmation, autocomplete: "new-password" %>
   <button type="submit" class="btn btn-primary"><%= icon("save", t(".submit")) %> <%= t(".submit") %></button>
 <% end %>
diff --git a/app/views/devise/registrations/new.html.erb b/app/views/devise/registrations/new.html.erb
@@ -3,7 +3,7 @@
 <%= form_for(resource, as: resource_name, url: registration_path(resource_name)) do |form| %>
   <%= text_input_row form, :email, autofocus: true, autocomplete: "email" %>
   <%= text_input_row form, :username, autocomplete: "username" %>
-  <%= password_input_row form, :password, autocomplete: "new-password", help: t("devise.shared.password_rules") %>
+  <%= password_input_row form, :password, autocomplete: "new-password" %>
   <%= password_input_row form, :password_confirmation, autocomplete: "new-password" %>
   <%= form.submit t(".sign_up"), class: "btn btn-primary" %>
 <% end %>

diff --git a/config/i18n-tasks.yml b/config/i18n-tasks.yml
@@ -127,6 +127,7 @@ ignore_unused:
 - 'activerecord.attributes.*'
 - 'activerecord.errors.*'
 - 'activerecord.models.*'
+- 'errors.messages.weak_password'
 - 'problems.categories.*'
 - 'libraries.storage_services.*' # Names for storage services
 - 'licenses.*'

diff --git a/config/initializers/devise_security.rb b/config/initializers/devise_security.rb
diff --git a/config/locales/devise/en.yml b/config/locales/devise/en.yml
@@ -69,7 +69,6 @@ en:
         sign_in: Log in
         sign_in_with_provider: Sign in with %{provider}
         sign_up: Sign up
-      password_rules: Must be at least 6 characters, and contain at least one uppercase letter, one lowercase letter, one number, and one symbol.
     unlocks:
       new:
         resend_unlock_instructions: Resend unlock instructions
diff --git a/config/locales/en.yml b/config/locales/en.yml
@@ -233,10 +233,10 @@ en:
     title: Manyfold
   errors:
     messages:
-      invalid: is invalid
       not_saved:
         one: '1 error prohibited this %{resource} from being saved:'
         other: "%{count} errors prohibited this %{resource} from being saved:"
+      weak_password: not strong enough. Consider adding a number, symbols or more letters to make it stronger.
   general:
     delete: Delete
     download: Download

diff --git a/spec/factories/user.rb b/spec/factories/user.rb
@@ -2,7 +2,7 @@
   factory :user do
     email { Faker::Internet.email }
     username { Faker::Internet.username specifier: 3, separators: [] }
-    password { Faker::Internet.password min_length: 6, mix_case: true, special_characters: true }
+    password { Faker::Internet.password max_length: 32, min_length: 32, mix_case: true, special_characters: true }
 
     factory :admin do
       after(:create) { |a| a.add_role :administrator }

diff --git a/spec/requests/users/passwords_spec.rb b/spec/requests/users/passwords_spec.rb
@@ -8,7 +8,7 @@
 #                             POST   /users/password(.:format)
 
 RSpec.describe "Users::Passwords" do
-  let(:new_password) { Faker::Internet.password min_length: 6, mix_case: true, special_characters: true }
+  let(:new_password) { Faker::Internet.password max_length: 32, min_length: 32, mix_case: true, special_characters: true }
   let(:reset_password_token) { SecureRandom.hex }
   let!(:admin) {
     create(:admin)

diff --git a/spec/requests/users/registrations_spec.rb b/spec/requests/users/registrations_spec.rb
@@ -9,8 +9,8 @@
 #                          POST   /users(.:format)                                                        users/registrations#create
 
 RSpec.describe "Users::Registrations" do
-  let(:old_password) { Faker::Internet.password min_length: 6, mix_case: true, special_characters: true }
-  let(:new_password) { Faker::Internet.password min_length: 6, mix_case: true, special_characters: true }
+  let(:old_password) { Faker::Internet.password max_length: 32, min_length: 32, mix_case: true, special_characters: true }
+  let(:new_password) { Faker::Internet.password max_length: 32, min_length: 32, mix_case: true, special_characters: true }
   let!(:admin) {
     create(:admin, password: old_password)
   }