Increase password requirements

2025-03-26 17:51:54 +01:00 · 2024-12-15 16:28:45 -08:00 · 2024-12-15 16:28:45 -08:00 · 334bc6be8c
commit 334bc6be8c
parent 814f97c2c7
6 changed files with 43 additions and 4 deletions
--- a/backend/onyx/auth/users.py
+++ b/backend/onyx/auth/users.py
@ -73,6 +73,7 @@ from onyx.configs.constants import AuthType
 from onyx.configs.constants import DANSWER_API_KEY_DUMMY_EMAIL_DOMAIN
 from onyx.configs.constants import DANSWER_API_KEY_PREFIX
 from onyx.configs.constants import MilestoneRecordType
+from onyx.configs.constants import PASSWORD_SPECIAL_CHARS
 from onyx.configs.constants import UNNAMED_KEY_PLACEHOLDER
 from onyx.db.api_key import fetch_user_for_api_key
 from onyx.db.auth import get_access_token_db
@ -302,6 +303,36 @@ class UserManager(UUIDIDMixin, BaseUserManager[User, uuid.UUID]):

        return user

+    async def validate_password(self, password: str, _: schemas.UC | models.UP) -> None:
+        # Validate password according to basic security guidelines
+        if len(password) < 12:
+            raise exceptions.InvalidPasswordException(
+                reason="Password must be at least 12 characters long."
+            )
+        if len(password) > 64:
+            raise exceptions.InvalidPasswordException(
+                reason="Password must not exceed 64 characters."
+            )
+        if not any(char.isupper() for char in password):
+            raise exceptions.InvalidPasswordException(
+                reason="Password must contain at least one uppercase letter."
+            )
+        if not any(char.islower() for char in password):
+            raise exceptions.InvalidPasswordException(
+                reason="Password must contain at least one lowercase letter."
+            )
+        if not any(char.isdigit() for char in password):
+            raise exceptions.InvalidPasswordException(
+                reason="Password must contain at least one number."
+            )
+        if not any(char in PASSWORD_SPECIAL_CHARS for char in password):
+            raise exceptions.InvalidPasswordException(
+                reason="Password must contain at least one special character from the following set: "
+                f"{PASSWORD_SPECIAL_CHARS}."
+            )
+
+        return
+
    async def oauth_callback(
        self,
        oauth_name: str,
--- a/backend/onyx/configs/constants.py
+++ b/backend/onyx/configs/constants.py
@ -173,6 +173,10 @@ class AuthType(str, Enum):
    CLOUD = "cloud"


+# Special characters for password validation
+PASSWORD_SPECIAL_CHARS = "!@#$%^&*()_+-=[]{}|;:,.<>?"
+
+
 class SessionType(str, Enum):
    CHAT = "Chat"
    SEARCH = "Search"
--- a/backend/onyx/main.py
+++ b/backend/onyx/main.py
@ -243,6 +243,7 @@ def get_application() -> FastAPI:
    include_router_with_global_prefix_prepended(application, admin_query_router)
    include_router_with_global_prefix_prepended(application, admin_router)
    include_router_with_global_prefix_prepended(application, connector_router)
+    include_router_with_global_prefix_prepended(application, user_router)
    include_router_with_global_prefix_prepended(application, credential_router)
    include_router_with_global_prefix_prepended(application, cc_pair_router)
    include_router_with_global_prefix_prepended(application, folder_router)
--- a/backend/tests/integration/common_utils/managers/user.py
+++ b/backend/tests/integration/common_utils/managers/user.py
@ -14,7 +14,7 @@ from tests.integration.common_utils.test_models import DATestUser


 DOMAIN = "test.com"
-DEFAULT_PASSWORD = "test"
+DEFAULT_PASSWORD = "TestPassword123!"


 def build_email(name: str) -> str:
--- a/web/src/app/auth/login/EmailPasswordForm.tsx
+++ b/web/src/app/auth/login/EmailPasswordForm.tsx
@ -9,6 +9,7 @@ import * as Yup from "yup";
 import { requestEmailVerification } from "../lib";
 import { useState } from "react";
 import { Spinner } from "@/components/Spinner";
+import { set } from "lodash";

 export function EmailPasswordForm({
  isSignup = false,
@ -47,10 +48,12 @@ export function EmailPasswordForm({
            );

            if (!response.ok) {
+              setIsWorking(false);
              const errorDetail = (await response.json()).detail;
-
              let errorMsg = "Unknown error";
-              if (errorDetail === "REGISTER_USER_ALREADY_EXISTS") {
+              if (typeof errorDetail === "object" && errorDetail.reason) {
+                errorMsg = errorDetail.reason;
+              } else if (errorDetail === "REGISTER_USER_ALREADY_EXISTS") {
                errorMsg =
                  "An account already exists with the specified email.";
              }
--- a/web/tests/e2e/constants.js
+++ b/web/tests/e2e/constants.js
@ -1,4 +1,4 @@
 export const TEST_CREDENTIALS = {
  email: "admin_user@test.com",
-  password: "test",
+  password: "TestPassword123!",
 };