auth: Use zxcvbn to ensure password strength on server side.

For a long time, we've been only doing the zxcvbn password strength checks on the browser, which is helpful, but means users could through hackery (or a bug in the frontend validation code) manage to set a too-weak password. We fix this by running our password strength validation on the backend as well, using python-zxcvbn. In theory, a bug in python-zxcvbn could result in it producing a different opinion than the frontend version; if so, it'd be a pretty bad bug in the library, and hopefully we'd hear about it from users, report upstream, and get it fixed that way. Alternatively, we can switch to shelling out to node like we do for KaTeX. Fixes #6880.
2025-11-03 21:43:21 +00:00 · 2019-11-18 08:11:03 +01:00
parent 0c2cc41d2e
commit 06c2161f7e
13 changed files with 175 additions and 19 deletions
--- a/zerver/models.py
+++ b/zerver/models.py
@@ -1138,6 +1138,20 @@ class UserProfile(AbstractBaseUser, PermissionsMixin):
        else:
            return -1

+    def set_password(self, password: Optional[str]) -> None:
+        if password is None:
+            self.set_unusable_password()
+            return
+
+        from zproject.backends import check_password_strength
+        if not check_password_strength(password):
+            raise PasswordTooWeakError
+
+        super().set_password(password)
+
+class PasswordTooWeakError(Exception):
+    pass
+
 class UserGroup(models.Model):
    name = models.CharField(max_length=100)
    members = models.ManyToManyField(UserProfile, through='UserGroupMembership')