auth: Use zxcvbn to ensure password strength on server side.

For a long time, we've been only doing the zxcvbn password strength
checks on the browser, which is helpful, but means users could through
hackery (or a bug in the frontend validation code) manage to set a
too-weak password.  We fix this by running our password strength
validation on the backend as well, using python-zxcvbn.

In theory, a bug in python-zxcvbn could result in it producing a
different opinion than the frontend version; if so, it'd be a pretty
bad bug in the library, and hopefully we'd hear about it from users,
report upstream, and get it fixed that way. Alternatively, we can
switch to shelling out to node like we do for KaTeX.

Fixes #6880.

zerver/tests/test_settings.py

@@ -77,6 +77,27 @@ class ChangeSettingsTest(ZulipTestCase):
         user_profile = self.example_user('hamlet')
         self.assert_logged_in_user_id(user_profile.id)
 
+    def test_password_change_check_strength(self) -> None:
+        self.login(self.example_email("hamlet"))
+        with self.settings(PASSWORD_MIN_LENGTH=3, PASSWORD_MIN_GUESSES=1000):
+            json_result = self.client_patch(
+                "/json/settings",
+                dict(
+                    full_name='Foo Bar',
+                    old_password=initial_password(self.example_email("hamlet")),
+                    new_password='easy',
+                ))
+            self.assert_json_error(json_result, "New password is too weak!")
+
+            json_result = self.client_patch(
+                "/json/settings",
+                dict(
+                    full_name='Foo Bar',
+                    old_password=initial_password(self.example_email("hamlet")),
+                    new_password='f657gdGGk9',
+                ))
+            self.assert_json_success(json_result)
+
     def test_illegal_name_changes(self) -> None:
         user = self.example_user('hamlet')
         email = user.email