Merge pull request #20 from sumocoders/297-password-reset-weak-password

jonasdekeukelaere · web-flow · commit 998d7e266023 · 2024-09-10T14:01:08.000+01:00
297 password reset weak password
diff --git a/src/Controller/User/Ajax/PasswordStrengthController.php b/src/Controller/User/Ajax/PasswordStrengthController.php
@@ -0,0 +1,22 @@
+<?php
+
+namespace App\Controller\User\Ajax;
+
+use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Response;
+use SumoCoders\FrameworkCoreBundle\Security\PasswordStrengthService;
+
+class PasswordStrengthController extends AbstractController
+{
+    public function __invoke(
+        Request $request,
+        PasswordStrengthService $passwordStrengthService
+    ): Response {
+        $password = json_decode($request->getContent(), true)['password'] ?? '';
+
+        return $this->json([
+              'strength' => $passwordStrengthService->estimateStrength($password),
+        ]);
+    }
+}
diff --git a/src/DataTransferObject/User/UserDataTransferObject.php b/src/DataTransferObject/User/UserDataTransferObject.php
@@ -4,13 +4,15 @@
 
 use App\Validator\User\UniqueEmail;
 use Symfony\Component\Validator\Constraints\Email;
+use Symfony\Component\Validator\Constraints\NoSuspiciousCharacters;
 use Symfony\Component\Validator\Constraints\NotBlank;
 
 class UserDataTransferObject
 {
     #[Email]
     #[NotBlank]
     #[UniqueEmail]
+    #[NoSuspiciousCharacters]
     public string $email;
 
     /**
diff --git a/src/Message/User/RegisterUser.php b/src/Message/User/RegisterUser.php
@@ -3,10 +3,16 @@
 namespace App\Message\User;
 
 use App\DataTransferObject\User\UserDataTransferObject;
+use Symfony\Component\Validator\Constraints as Assert;
 use Symfony\Component\Validator\Constraints\NotBlank;
 
 class RegisterUser extends UserDataTransferObject
 {
     #[NotBlank]
+    #[Assert\PasswordStrength([
+        'minScore' => Assert\PasswordStrength::STRENGTH_STRONG,
+    ])]
+    #[Assert\NotCompromisedPassword()]
+    #[Assert\Length(min: 12)]
     public string $password;
 }
diff --git a/src/Message/User/ResetPassword.php b/src/Message/User/ResetPassword.php
@@ -3,9 +3,15 @@
 namespace App\Message\User;
 
 use App\Entity\User\User;
+use Symfony\Component\Validator\Constraints as Assert;
 
 class ResetPassword
 {
+    #[Assert\PasswordStrength([
+        'minScore' => Assert\PasswordStrength::STRENGTH_STRONG,
+    ])]
+    #[Assert\NotCompromisedPassword()]
+    #[Assert\Length(min: 12)]
     public string $password;
 
     public function __construct(private readonly User $user)
diff --git a/templates/user/password-strength-meter.html.twig b/templates/user/password-strength-meter.html.twig
@@ -0,0 +1,10 @@
+<div class="password-strength-meter">
+  <div class="meter-section rounded me-2"></div>
+  <div class="meter-section rounded me-2"></div>
+  <div class="meter-section rounded me-2"></div>
+  <div class="meter-section rounded me-2"></div>
+  <div class="meter-section rounded"></div>
+</div>
+<div class="mb-3">
+  <small>{{ 'Use 12 or more characters with a mix of letters, numbers & symbols'|trans }}</small>
+</div>
diff --git a/templates/user/profile.html.twig b/templates/user/profile.html.twig
@@ -8,7 +8,11 @@
     <h1>{{ 'Change your password'|trans }}</h1>
     {{ form_start(form) }}
     {{ form_errors(form) }}
-    {{ form_row(form.password) }}
+    <div data-role="check-password" data-route="{{ path('admin_user_ajax_password_strength') }}">
+        {{ form_row(form.password.first) }}
+        {% include '/user/password-strength-meter.html.twig' %}
+    </div>
+    {{ form_row(form.password.second) }}
 
     <input type="submit" class="btn btn-secondary" value="{{ 'Confirm'|trans }}" />
     {{ form_end(form) }}
diff --git a/templates/user/reset.html.twig b/templates/user/reset.html.twig
@@ -3,7 +3,11 @@
 {% block main %}
     {{ form_start(form) }}
     {{ form_errors(form) }}
-    {{ form_row(form.password) }}
+    <div data-role="check-password" data-route="{{ path('admin_user_ajax_password_strength') }}">
+        {{ form_row(form.password.first) }}
+        {% include '/user/password-strength-meter.html.twig' %}
+    </div>
+    {{ form_row(form.password.second) }}
 
     <input type="submit" class="btn btn-secondary" value="{{ 'Confirm'|trans }}" />
     {{ form_end(form) }}
diff --git a/translations/security.nl.yaml b/translations/security.nl.yaml
diff --git a/translations/validators.nl.yaml b/translations/validators.nl.yaml
