coder · defelmnq · Nov 5, 2024 · Oct 18, 2024 · Oct 18, 2024 · Oct 22, 2024
diff --git a/coderd/apidoc/docs.go b/coderd/apidoc/docs.go
diff --git a/coderd/apidoc/swagger.json b/coderd/apidoc/swagger.json
diff --git a/coderd/coderd.go b/coderd/coderd.go
@@ -991,6 +991,7 @@ func New(options *Options) *API {
 				r.Use(httpmw.RateLimit(options.LoginRateLimit, time.Minute))
 				r.Post("/login", api.postLogin)
 				r.Post("/otp/request", api.postRequestOneTimePasscode)
+				r.Post("/validate-password", api.valid
10000
ateUserPassword)
 				r.Post("/otp/change-password", api.postChangePasswordWithOneTimePasscode)
 				r.Route("/oauth2", func(r chi.Router) {
 					r.Route("/github", func(r chi.Router) {

diff --git a/coderd/userauth.go b/coderd/userauth.go
@@ -437,6 +437,38 @@ func (api *API) postChangePasswordWithOneTimePasscode(rw http.ResponseWriter, r
 	}
 }
 
+// ValidateUserPassword validates the complexity of a user password and that it is secured enough.
+//
+// @Summary Validate user password
+// @ID validate-user-password
+// @Security CoderSessionToken
+// @Produce json
+// @Accept json
+// @Tags Authorization
+// @Param request body codersdk.ValidateUserPasswordRequest true "Validate user password request"
+// @Success 200 {object} codersdk.ValidateUserPasswordResponse
+// @Router /users/validate-password [post]
+func (*API) validateUserPassword(rw http.ResponseWriter, r *http.Request) {
+	var (
+		ctx   = r.Context()
+		valid = true
+	)
+
+	var req codersdk.ValidateUserPasswordRequest
+	if !httpapi.Read(ctx, rw, r, &req) {
+		return
+	}
+
+	err := userpassword.Validate(req.Password)
+	if err != nil {
+		valid = false
+	}
+
+	httpapi.Write(ctx, rw, http.StatusOK, codersdk.ValidateUserPasswordResponse{
+		Valid: valid,
+	})
+}
+
 // Authenticates the user with an email and password.
 //
 // @Summary Log in user

diff --git a/coderd/userauth_test.go b/coderd/userauth_test.go
@@ -1880,39 +1880,6 @@ func TestUserForgotPassword(t *testing.T) {
 		requireCanLogin(t, ctx, anotherClient, anotherUser.Email, oldPassword)
 	})
 
-	t.Run("CannotChangePasswordWithWeakPassword", func(t *testing.T) {
-		t.Parallel()
-
-		notifyEnq := &testutil.FakeNotificationsEnqueuer{}
-
-		client := coderdtest.New(t, &coderdtest.Options{
-			NotificationsEnqueuer: notifyEnq,
-		})
-		user := coderdtest.CreateFirstUser(t, client)
-
-		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
-		defer cancel()
-
-		anotherClient, anotherUser := coderdtest.CreateAnotherUser(t, client, user.OrganizationID)
-
-		oneTimePasscode := requireRequestOneTimePasscode(t, ctx, anotherClient, notifyEnq, anotherUser.Email, anotherUser.ID)
-
-		err := anotherClie
9E7A
nt.ChangePasswordWithOneTimePasscode(ctx, codersdk.ChangePasswordWithOneTimePasscodeRequest{
-			Email:           anotherUser.Email,
-			OneTimePasscode: oneTimePasscode,
-			Password:        "notstrong",
-		})
-		var apiErr *codersdk.Error
-		require.ErrorAs(t, err, &apiErr)
-		require.Equal(t, http.StatusBadRequest, apiErr.StatusCode())
-		require.Contains(t, apiErr.Message, "Invalid password.")
-		require.Equal(t, 1, len(apiErr.Validations))
-		require.Equal(t, "password", apiErr.Validations[0].Field)
-
-		requireCannotLogin(t, ctx, anotherClient, anotherUser.Email, "notstrong")
-		requireCanLogin(t, ctx, anotherClient, anotherUser.Email, oldPassword)
-	})
-
 	t.Run("CannotChangePasswordOfAnotherUser", func(t *testing.T) {
 		t.Parallel()
 

diff --git a/coderd/userpassword/userpassword.go b/coderd/userpassword/userpassword.go
@@ -10,7 +10,6 @@ import (
 	"strconv"
 	"strings"
 
-	passwordvalidator "github.com/wagslane/go-password-validator"
 	"golang.org/x/crypto/pbkdf2"
 	"golang.org/x/exp/slices"
 	"golang.org/x/xerrors"
@@ -138,10 +137,8 @@ func hashWithSaltAndIter(password string, salt []byte, iter int) string {
 // It returns properly formatted errors for detailed form validation on the client.
 func Validate(password string) error {
 	// Ensure passwords are secure enough!
-	// See: https://github.com/wagslane/go-password-validator#what-entropy-value-should-i-use
-	err := passwordvalidator.Validate(password, 52)
-	if err != nil {
-		return err
+	if len(password) < 6 {
+		return xerrors.Errorf("password must be at least %d characters", 6)
 	}
 	if len(password) > 64 {
 		return xerrors.Errorf("password must be no more than %d characters", 64)

diff --git a/coderd/userpassword/userpassword_test.go b/coderd/userpassword/userpassword_test.go
@@ -5,53 +5,73 @@
 package userpassword_test
 
 import (
+	"strings"
 	"testing"
 
 	"github.com/stretchr/testify/require"
 
 	"github.com/coder/coder/v2/coderd/userpassword"
 )
 
-func TestUserPassword(t *testing.T) {
+func TestUserPasswordValidate(t *testing.T) {
 	t.Parallel()
-	t.Run("Legacy", func(t *testing.T) {
-		t.Parallel()
-		// Ensures legacy v1 passwords function for v2.
-		// This has is manually generated using a print statement from v1 code.
-		equal, err := userpassword.Compare("$pbkdf2-sha256$65535$z8c1p1C2ru9EImBP1I+ZNA$pNjE3Yk0oG0PmJ0Je+y7ENOVlSkn/b0BEqqdKsq6Y97wQBq0xT+lD5bWJpyIKJqQICuPZcEaGDKrXJn8+SIHRg", "tomato")
-		require.NoError(t, err)
-		require.True(t, equal)
-	})
-
-	t.Run("Same", func(t *testing.T) {
-		t.Parallel()
-		hash, err := userpassword.Hash("password")
-		require.NoError(t, err)
-		equal, err := userpassword.Compare(hash, "password")
-		require.NoError(t, err)
-		require.True(t, equal)
-	})
-
-	t.Run("Different", func(t *testing.T) {
-		t.Parallel()
-		hash, err := userpassword.Hash("password")
-		require.NoError(t, err)
-		equal, err := userpassword.Compare(hash, "notpassword")
-		require.NoError(t, err)
-		require.False(t, equal)
-	})
-
-	t.Run("Invalid", func(t *testing.T) {
-		t.Parallel()
-		equal, err := userpassword.Compare("invalidhash", "password")
-		require.False(t, equal)
-		require.Error(t, err)
-	})
-
-	t.Run("InvalidParts", func(t *testing.T) {
-		t.Parallel()
-		equal, err := userpassword.Compare("abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz", "test")
-		require.False(t, equal)
-		require.Error(t, err)
-	})
+	tests := []struct {
+		name     string
+		password string
+		wantErr  bool
+	}{
+		{"Invalid - Too short password", "pass", true},
+		{"Invalid - Too long password", strings.Repeat("a", 65), true},
+		{"Ok", "CorrectPassword", false},
+	}
+
+	for _, tt := range tests {
+		tt := tt
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+			err := userpassword.Validate(tt.password)
+			if tt.wantErr {
+				require.Error(t, err)
+			} else {
+				require.NoError(t, err)
+			}
+		})
+	}
+}
+
+func TestUserPasswordCompare(t *testing.T) {
+	t.Parallel()
+	tests := []struct {
+		name               string
+		passwordToValidate string
+		password           string
+		shouldHash         bool
+		wantErr            bool
+		wantEqual          bool
+	}{
+		{"Legacy", "$pbkdf2-sha256$65535$z8c1p1C2ru9EImBP1I+ZNA$pNjE3Yk0oG0PmJ0Je+y7ENOVlSkn/b0BEqqdKsq6Y97wQBq0xT+lD5bWJpyIKJqQICuPZcEaGDKrXJn8+SIHRg", "tomato", false, false, true},
+		{"Same", "password", "password", true, false, true},
+		{"Different", "password", "notpassword", true, false, false},
+		{"Invalid", "invalidhash", "password", false, true, false},
+		{"InvalidParts", "abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz", "test", false, true, false},
+	}
+
+	for _, tt := range tests {
+		tt := tt
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+			if tt.shouldHash {
+				hash, err := userpassword.Hash(tt.passwordToValidate)
+				require.NoError(t, err)
+				tt.passwordToValidate = hash
+			}
+			equal, err := userpassword.Compare(tt.passwordToValidate, tt.password)
+			if tt.wantErr {
+				require.Error(t, err)
+			} else {
+				require.NoError(t, err)
+			}
+			require.Equal(t, tt.wantEqual, equal)
+		})
+	}
 }