Add password complexity checks for openhab-cloud account

routes/account.js

@@ -24,6 +24,7 @@ var uuid = require('uuid');
 var mailer = require('../mailer');
 var logger = require('../logger');
 var app = require('../app');
+var UserPassword = require('../userpassword');
 
 exports.lostpasswordget = function(req, res) {
     res.render('lostpassword', {title: "Lost my password", user: req.user,
@@ -102,8 +103,10 @@ exports.lostpasswordresetpost = function(req, res) {
                 if (lostPassword && !error) {
                     User.findOne({_id: lostPassword.user}, function(error, lostUser) {
                         if (lostUser && !error) {
-                            lostUser.password = req.body.password;
-                            lostUser.save(function(error) {
+                            var userPassword, result;
+
+                            userPassword = new UserPassword(lostUser);
+                            result = userPassword.setPassword(req.body.password, function(error) {
                                 if (!error) {
                                     lostPassword.used = true;
                                     lostPassword.save();
@@ -114,6 +117,11 @@ exports.lostpasswordresetpost = function(req, res) {
                                     res.redirect('/');
                                 }
                             });
+
+                            if (!result) {
+                                UserPassword.printPasswordNotComplexEnoughError(req);
+                                res.redirect('/lostpasswordreset?resetCode=' + req.body.resetCode);
+                            }
                         } else {
                             req.flash('error', 'There was an error while processing your request');
                             res.redirect('/');
@@ -179,11 +187,14 @@ exports.accountpasswordpost = function(req, res) {
         res.redirect('/account');
     } else {
         if (req.body.password == req.body.password1) {
-            user = req.user;
-            user.password = req.body.password;
-            user.save();
-            req.flash('info', 'Password successfully changed');
-            res.redirect('/account');
+            userPassword = new UserPassword(req.user);
+            if (!userPassword.setPassword(req.body.password)) {
+                UserPassword.printPasswordNotComplexEnoughError(req);
+                res.redirect('/account');
+            } else {
+                req.flash('info', 'Password successfully changed');
+                res.redirect('/account');
+            }
         } else {
             req.flash('error', 'Passwords don\'t match');
             res.redirect('/account');
@@ -343,6 +354,12 @@ exports.registerpost = function(req, res) {
                       res.render('login', { title: "Login / Sign up", user: req.user,
                           errormessages:req.flash('error'), infomessages:req.flash('info') });
                     } else {
+                        if (!UserPassword.isComplexEnough(req.body.password)) {
+                            UserPassword.printPasswordNotComplexEnoughError(req);
+                            res.render('login', { title: "Login / Sign up", user: req.user,
+                                errormessages:req.flash('error'), infomessages:req.flash('info') });
+                            return;
+                        }
                   User.register(req.body.username, req.body.password, function(err, user) {
                       if (err) {
                           req.flash('error', "An error occured during registration, please contact support");

routes/users.js

@@ -2,6 +2,7 @@ var User = require('../models/user');
 var Openhab = require('../models/openhab');
 var UserDevice = require('../models/userdevice');
 var logger = require('../logger');
+var UserPassword = require('../userpassword');
 var mongoose = require('mongoose'),
     Schema = mongoose.Schema;
 var ObjectId = mongoose.SchemaTypes.ObjectId;
@@ -60,6 +61,11 @@ exports.usersaddpost = function(req, res) {
         res.redirect('/users/add');
     } else {
         if (req.body.password == req.body.password1) {
+            if (!UserPassword.isComplexEnough(req.body.password)) {
+                UserPassword.printPasswordNotComplexEnoughError(req);
+                res.redirect('/users/add');
+                return;
+            }
             User.findOne({username: req.body.username}, function(error, checkUser) {
                 if (!error) {
                     if (checkUser) {

userpassword.js

@@ -0,0 +1,102 @@
+var User = require('./models/user');
+
+/**
+ * A helper class for setting the password of an arbitrary user.
+ *
+ * @param user The user where the password change attempts should happen
+ * @constructor
+ */
+var UserPassword = function(user) {
+    if (!(user instanceof User)) {
+        throw new Error('UserPassword can only be instantiated with an User object, ' +
+            user.constructor + ' given.');
+    }
+    this.user = user;
+};
+
+/**
+ * Verifies the password complexity rules for the given plain text password and, if it
+ * matches the requirements, sets the new password to the given user.
+ *
+ * The complexity rules includes:
+ *  - at least 4 characters
+ *  - has at least two characters of the following categories: uppercase letters, lowercase letters, numbers, special characters
+ *
+ * @param {string} password
+ * @param fn Optional function to pass to the save function of User
+ * @return {boolean} True, if saving the password was initiated, false otherwise. False is garantueed to mean, that the
+ *  password does not meet the complexity requirements.
+ */
+UserPassword.prototype.setPassword = function(password, fn) {
+    if (!UserPassword.isComplexEnough(password)) {
+        return false;
+    }
+
+    this.user.password = password;
+    if (typeof fn !== 'function') {
+        fn = undefined;
+    }
+    this.user.save(fn);
+
+    return true;
+};
+
+/**
+ * Helper function for checking the complexity of a password.
+ *
+ * @param password
+ * @returns {boolean}
+ */
+UserPassword.isComplexEnough = function(password) {
+    var matches = 0;
+
+    if (password.length < 4) {
+        return false;
+    }
+
+    // match against all lowercase letters
+    if (password.match(/^(?=.*[a-z]).+$/)) {
+        matches++;
+    }
+
+    // match against all uppercase letters
+    if (password.match(/^(?=.*[A-Z]).+$/)) {
+        matches++;
+    }
+
+    // match against all numbers
+    if (password.match(/^(?=.*\d).+$/)) {
+        matches++;
+    }
+
+    // match against a reasonable set of special characters
+    if (password.match(/^(?=.*[-+_!@#$%^&*.,?]).+$/)) {
+        matches++;
+    }
+
+    if (matches < 2) {
+        return false;
+    }
+
+    return true;
+};
+
+/**
+ * Prints a message to the given request, that the entered password was not complex enough, while giving the complexity
+ * rules for passwords.
+ *
+ * @param req
+ */
+UserPassword.printPasswordNotComplexEnoughError = function(req) {
+    var message = [];
+    message.push('The password does not meet the password complexity requirements. Please try again.');
+    message.push('Your password must be at least 4 characters long and need to contain at least 2 different characters from the following groups:');
+    message.push(' * Lowercase letters (a, b, c, ...)');
+    message.push(' * Uppercase letters (A, B, C, ...)');
+    message.push(' * Numbers (1, 2, 3, ...)');
+    message.push(' * Special characters out of: -+_!@#$%^&*.,?');
+
+    req.flash('error', message);
+};
+
+module.exports = UserPassword;

views/alerts.ejs

@@ -3,7 +3,15 @@
     <div class="span12">
         <div class="alert alert-error fade in">
             <button type="button" class="close" data-dismiss="alert">×</button>
+            <% if(errormessages.length === 1) { %>
             <%= errormessages %>
+            <% } else { %>
+            <ul>
+                <% errormessages.forEach(function(err) { %>
+                <li><%= err %></li>
+                <% }) %>
+            </ul>
+            <% } %>
         </div>
     </div>
 </div>