Place sanity checks on Username and Password length on RPC keystore.createUser method #13
Codecov Report

@@            Coverage Diff             @@
##           master        #13       +/-   ##
=============================================
+ Coverage   63.70802%   63.71946%   +0.01144%
=============================================
  Files          191         191
  Lines        12686       12690          +4
=============================================
+ Hits          8082        8086          +4
  Misses        3972        3972
  Partials       632         632
@swdee Thanks for this! Good contribution and much appreciated.
It might make sense for us to place some restrictions on the password. If we are going to disallow them from having an empty password, we may want to enforce that they use a strong password. I.E. length >= 8 with at least 1 special character (or something along those lines).
For password checking, what approach do you prefer? There are a few packages out there that cover parsing of given passwords to determine the strength using a score, eg: https://github.com/nbutton23/zxcvbn-go Or others with simple regex checking for the presence of specific chars (upper/lowercase, numbers, special char), such as https://github.com/hasanaliqureshi/Go-Validation
I'd say that https://github.com/nbutton23/zxcvbn-go is probably the way to go. It seems to give us the most optionality for strength requirements, while also not requiring too much thought. What do you think?
zxcvbn is the better package as it allows for a greater range of stronger passwords without requiring use of specific characters. The only cost of the package is a bigger Go binary, so unless one is conscious of size due to wanting to limit themselves to Raspberry Pis and dialup modems, then the point is moot ;) Note that with this change of checking for password strength, the documentation https://docs.ava.network/v1.0/en/quickstart/ava-getting-started/ should be updated with a note about password strength. Sample interaction with RPC:
There is an online tester of this library here https://lowe.github.io/tryzxcvbn/ which you can test out password combinations with, which gives a
- Added support for xput tests on the AVM
- Implemented an AVM wallet for throughput tests.
- Fixed credential bug in the AVM for transactions that depend on un-confirmed UTXOs.
Hey @swdee thanks again for your contribution. Two suggestions:
Can you please address these? Thanks
Hi @danlaine I have made the changes per your suggestion.
api/keystore/service.go
@@ -44,7 +44,7 @@ const ( | |||
var ( | |||
errEmptyUsername = errors.New("username can't be the empty string") | |||
errUserPassMaxLength = fmt.Errorf("CreateUser call rejected due to username or password exceeding maximum length of %d chars", maxUserPassLen) | |||
errWeakPassword = errors.New("Failed to create user as the given password is to weak. Passwords must be 8 or more characters and contain a combination of UPPER and lowercase letters, numbers, and special characters") | |||
errWeakPassword = errors.New("Failed to create user as the given password is to weak. A stronger password is one of 8 or more characters containing attributes of upper and lowercase letters, numbers, and/or special characters") |
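Review bot: the replacement errWeakPassword string on the last line still carries the typo "is to weak"; it should read "is too weak". While touching that line, note that errEmptyUsername two lines above follows the Go convention of a lowercase, unpunctuated error string ("username can't be the empty string"), whereas errWeakPassword opens with "Failed to create user as ..." and is a full sentence, so the two messages read inconsistently when a client surfaces them; something like "password is too weak: use 8 or more characters ..." would match the existing style. The wording "and/or special characters" also describes what a score-based checker rewards rather than a hard per-class rule, so the message should say the password is scored rather than imply each class is required, if that is how the check is implemented.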
"to" should be "too".
Other than the one typo this looks great. Will approve once the typo is corrected. Thanks again for your contribution @swdee !
With reference to #6 this PR checks the Username and Password RPC Args length before creating a new user via the RPC keystore.createUser method.
Currently it limits the maximum length for both of these fields to 1024 characters.
Sample RPC rejection response:
Furthermore, should the presence of a nil/empty password be checked, or is it a feature to not require one?
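A stand-alone version of the argument checks this PR and its review discuss, as an added example that is not the project's api/keystore/service.go: it keeps the empty-username check and the 1024-character cap on both fields, and substitutes a simple character-class rule for the zxcvbn score the thread settled on so that it runs with no dependency. The function names validateCreateUserArgs and passwordStrongEnough, the error strings and the 3-of-4-classes rule are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"unicode"
	"unicode/utf8"
)

// Limits from the PR and its review: a 1024-character cap on both fields, an 8-character password floor.
const maxUserPassLen, minPasswordLen = 1024, 8

var (
	errEmptyUsername     = errors.New("username can't be the empty string")
	errUserPassMaxLength = fmt.Errorf("username or password exceeds maximum length of %d chars", maxUserPassLen)
	errWeakPassword      = errors.New("password is too weak: use 8 or more characters mixing upper and lowercase letters, numbers and special characters")
)

// passwordStrongEnough is a simple stand-in for the zxcvbn score check the thread settled on
// (an assumption, not the project's code): at least minPasswordLen characters drawn from
// three of the four classes lower, upper, digit, punctuation/symbol.
func passwordStrongEnough(pw string) bool {
	if utf8.RuneCountInString(pw) < minPasswordLen {
		return false
	}
	isSpecial := func(r rune) bool { return unicode.IsPunct(r) || unicode.IsSymbol(r) }
	classes := 0
	for _, has := range []func(rune) bool{unicode.IsLower, unicode.IsUpper, unicode.IsDigit, isSpecial} {
		if strings.IndexFunc(pw, has) >= 0 {
			classes++
		}
	}
	return classes >= 3
}

// validateCreateUserArgs runs the cheap checks first (empty username, then the length cap
// counted in characters, not bytes) so the strength check only ever sees bounded input.
func validateCreateUserArgs(username, password string) error {
	if username == "" {
		return errEmptyUsername
	}
	if utf8.RuneCountInString(username) > maxUserPassLen || utf8.RuneCountInString(password) > maxUserPassLen {
		return errUserPassMaxLength
	}
	if !passwordStrongEnough(password) {
		return errWeakPassword
	}
	return nil
}
```

Because the length check runs before scoring, an oversized password is rejected with errUserPassMaxLength without ever reaching the (comparatively expensive) strength evaluation.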