authentik fork
This repository has been archived on 2024-05-31. You can view files and clone it, but cannot push or open issues or pull requests.
sdimovv 5156aeee0f
policies/password: Always add generic message to failing zxcvbn check (#4100)
* Always add generic message to failing zxcvbn password policy

Depending on the settings, sometimes a password policy that checks a password with the zxcvbn tool can fail without any message.

For example:
```
$ echo  'Awdccdw1234' | zxcvbn | jq | grep "feedback" -A 5 -B 1
Password: 
  "score": 3,
  "feedback": {
    "warning": "",
    "suggestions": []
  }
}
```

As seen above, the tool does not produce any warnings or suggestions for the given password, but if the password policy is set to have a zxcvbn threshold of 3, the policy will silently fail without communicating the reason to the user.

There are two ways to handle this:
1. Always add a generic "password is too weak" message when the policy fails.
2. Check if there are any suggestions or warnings from the zxcvbn tool and only add the generic message if not.

I personally prefer 1. This way the generic message will be shown whenever the policy fails, and will get combined with extra "tips" whenever zxcvbn has some.

Signed-off-by: sdimovv <36302090+sdimovv@users.noreply.github.com>

* Update authentik/policies/password/models.py

Co-authored-by: Jens L. <jens@beryju.org>
Signed-off-by: sdimovv <36302090+sdimovv@users.noreply.github.com>

* Added test case

* fix black formatting

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

Signed-off-by: sdimovv <36302090+sdimovv@users.noreply.github.com>
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
Co-authored-by: Jens L. <jens@beryju.org>
Co-authored-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-11-30 07:58:16 +00:00
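The failure mode the commit message describes, worked through as an added example. This is not code from the authentik project or from this commit; the real check lives in authentik/policies/password/models.py. Assumptions: the threshold semantics are the ones the message implies (a threshold of 3 makes a password scoring 3 fail, i.e. a score less than or equal to the threshold fails), the generic wording is a placeholder, and the result dicts are constructed to mirror the shape of `zxcvbn.zxcvbn(password)` output (keys `score` and `feedback` with `warning` and `suggestions`) so the example runs offline without the library.

```python
"""Added example: why a zxcvbn-backed password policy can fail with no
message, and how the two options from the commit message behave.

Not authentik's code. Assumes (as the commit message implies) that a score
less than or equal to the threshold fails. GENERIC_MESSAGE is placeholder
wording. Result dicts are constructed to mirror zxcvbn.zxcvbn() output.
"""
from typing import Any, Dict, List, Tuple

GENERIC_MESSAGE = "Password is too weak."  # hypothetical wording


def feedback_messages(result: Dict[str, Any]) -> List[str]:
    """Collect the non-empty warning and suggestions zxcvbn returned."""
    feedback = result.get("feedback", {})
    messages: List[str] = []
    if feedback.get("warning"):
        messages.append(feedback["warning"])
    messages.extend(s for s in feedback.get("suggestions", []) if s)
    return messages


def check_before_fix(result: Dict[str, Any], threshold: int) -> Tuple[bool, List[str]]:
    """Behaviour before the change: the policy fails on a low score but only
    relays zxcvbn's own feedback, so empty feedback means a silent failure."""
    passing = result["score"] > threshold
    return passing, ([] if passing else feedback_messages(result))


def check_after_fix(result: Dict[str, Any], threshold: int) -> Tuple[bool, List[str]]:
    """Option 1 (the one chosen): on failure always emit the generic message
    and append whatever tips zxcvbn produced."""
    if result["score"] > threshold:
        return True, []
    return False, [GENERIC_MESSAGE, *feedback_messages(result)]


def check_option_two(result: Dict[str, Any], threshold: int) -> Tuple[bool, List[str]]:
    """Option 2: emit the generic message only when zxcvbn gave nothing."""
    if result["score"] > threshold:
        return True, []
    tips = feedback_messages(result)
    return False, tips or [GENERIC_MESSAGE]


# Constructed sample results mirroring the shape of zxcvbn output.
# SILENT_RESULT reproduces the commit message's case: score 3, empty feedback.
SILENT_RESULT = {"score": 3, "feedback": {"warning": "", "suggestions": []}}
# Constructed: a weak password for which zxcvbn does have tips.
CHATTY_RESULT = {
    "score": 1,
    "feedback": {
        "warning": "This is a top-100 common password.",
        "suggestions": ["Add another word or two. Uncommon words are better."],
    },
}
# Constructed: a password above the threshold, which passes with no messages.
STRONG_RESULT = {"score": 4, "feedback": {"warning": "", "suggestions": []}}


def demo(threshold: int = 3) -> None:
    """Print what the user would see under each strategy for each sample."""
    for name, result in [("silent", SILENT_RESULT), ("chatty", CHATTY_RESULT),
                         ("strong", STRONG_RESULT)]:
        for label, check in [("before", check_before_fix),
                             ("option 1", check_after_fix),
                             ("option 2", check_option_two)]:
            passing, messages = check(result, threshold)
            print(f"{name:6} {label:9} passing={passing} messages={messages}")


if __name__ == "__main__":
    demo()
```

With a real installation, the dicts above would come from `zxcvbn.zxcvbn(password)`; the "silent" case is the one that matters for detection in practice, since a user who is told nothing cannot tell a policy rejection from a broken form.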
.github ci: allow errors in migrate-from-stable for now 2022-11-14 21:52:31 +01:00
.vscode blueprints: add desired state attribute to objects (#4061) 2022-11-22 14:27:20 +01:00
authentik policies/password: Always add generic message to failing zxcvbn check (#4100) 2022-11-30 07:58:16 +00:00
blueprints blueprints: add desired state attribute to objects (#4061) 2022-11-22 14:27:20 +01:00
cmd root: make sentry DSN configurable (#4016) 2022-11-15 16:05:29 +01:00
internal internal: reuse http transport to prevent leaking connections (#3996) 2022-11-25 18:24:01 +01:00
lifecycle root: use single redis db (#4009) 2022-11-15 14:31:29 +01:00
locale web/admin: clarify phrasing that user ID is required 2022-11-24 11:37:54 +01:00
scripts root: update options for generating TS API (#3833) 2022-10-21 09:08:25 +02:00
tests events: fix incorrect EventAction being used 2022-11-25 11:53:05 +01:00
web web: bump @sentry/browser from 7.21.1 to 7.22.0 in /web (#4120) 2022-11-30 08:46:22 +01:00
website website/docs: Change Kubernetes ingress apiVersion out of beta (#4099) 2022-11-28 16:42:59 +01:00
xml */saml: test against SAML Schema 2020-12-13 19:53:16 +01:00
.bumpversion.cfg release: 2022.11.1 2022-11-22 21:42:10 +01:00
.dockerignore root: add bundled docs 2021-07-13 11:06:51 +02:00
.editorconfig repo cleanup, switch to new docker registry 2019-04-29 17:05:39 +02:00
.gitignore root: add vscode tasks 2022-07-01 16:10:08 +02:00
CODE_OF_CONDUCT.md root: rework and expand security policy 2022-11-28 12:10:53 +01:00
CONTRIBUTING.md root: rework and expand security policy 2022-11-28 12:10:53 +01:00
docker-compose.yml release: 2022.11.1 2022-11-22 21:42:10 +01:00
Dockerfile root: include security policy in website container 2022-11-29 00:05:42 +01:00
go.mod core: bump github.com/go-openapi/runtime from 0.24.2 to 0.25.0 (#4118) 2022-11-30 08:37:48 +01:00
go.sum core: bump github.com/go-openapi/runtime from 0.24.2 to 0.25.0 (#4118) 2022-11-30 08:37:48 +01:00
ldap.Dockerfile core: bump golang from 1.19.2-bullseye to 1.19.3-bullseye (#3925) 2022-11-01 23:26:17 +01:00
LICENSE root: relicense and launch blog post 2022-11-03 16:00:00 +01:00
Makefile root: use single redis db (#4009) 2022-11-15 14:31:29 +01:00
manage.py root: update deprecation warnings 2022-11-25 11:47:28 +01:00
poetry.lock core: bump pylint from 2.15.6 to 2.15.7 (#4124) 2022-11-30 08:36:14 +01:00
proxy.Dockerfile core: bump golang from 1.19.2-bullseye to 1.19.3-bullseye (#3925) 2022-11-01 23:26:17 +01:00
pyproject.toml release: 2022.11.1 2022-11-22 21:42:10 +01:00
README.md root: rework and expand security policy 2022-11-28 12:10:53 +01:00
schema.yml release: 2022.11.1 2022-11-22 21:42:10 +01:00
SECURITY.md root: rework and expand security policy 2022-11-28 12:10:53 +01:00


What is authentik?

authentik is an open-source Identity Provider focused on flexibility and versatility. You can use authentik in an existing environment to add support for new protocols. authentik is also a great solution for implementing signup/recovery/etc in your application, so you don't have to deal with it.

Installation

For small/test setups it is recommended to use docker-compose; see the documentation.

For bigger setups, there is a Helm Chart, which is documented separately.

Screenshots


Development

See Development Documentation

Security

See SECURITY.md

Sponsors

This project is proudly sponsored by:

DigitalOcean provides development and testing resources for authentik.

Netlify hosts the goauthentik.io site.