mirror of https://github.com/matrix-org/matrix-authentication-service.git synced 2025-07-31 09:24:31 +03:00

Backend work to support minimum password complexity (#2965)

* config: Add minimum password complexity option

* PasswordManager: add function for checking if complexity is sufficient

* Enforce password complexity on registration, change and recovery

* cli: Use exit code 1 for weak passwords

This seems preferable to exit code 0, but ideally we should choose one
and document it.

* Expose minimum password complexity score over GraphQL
reivilibre
2024-07-11 10:17:39 +01:00
committed by GitHub
parent 569eb07bd6
commit fbc360d1a9
25 changed files with 317 additions and 66 deletions


@ -144,7 +144,8 @@
"version": 1,
"algorithm": "argon2id"
}
]
],
"minimum_complexity": 3
},
"allOf": [
{
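Review bot: adding `"minimum_complexity": 3` to the default value here means a deployment that never sets the key starts enforcing score 3 as soon as it upgrades. The commit message lists registration, change and recovery as the enforcement points, so please call this out in the changelog or upgrade notes, and state explicitly that existing accounts whose passwords score below 3 can still log in, if that is the intent.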
@ -1507,6 +1508,13 @@
"items": {
"$ref": "#/definitions/HashingScheme"
}
},
"minimum_complexity": {
"description": "Score between 0 and 4 determining the minimum allowed password complexity. Scores are based on the ESTIMATED number of guesses needed to guess the password.\n\n- 0: less than 10^2 (100) - 1: less than 10^4 (10'000) - 2: less than 10^6 (1'000'000) - 3: less than 10^8 (100'000'000) - 4: any more than that",
"default": 3,
"type": "integer",
"format": "uint8",
"minimum": 0.0
}
}
},
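Review bot: the `minimum_complexity` schema entry sets `"minimum": 0.0` but no upper bound, while the description limits the score to 0 through 4 and `"format": "uint8"` admits values up to 255. Add `"maximum": 4`, or reject out-of-range values when the config is loaded, so that a value such as 5 is reported as a config error; compared directly against a 0 to 4 score, no password could satisfy it. The score list in the description is also run together on one line after the `\n\n` ("- 0: less than 10^2 (100) - 1: less than 10^4 ..."), so it will not render as a list; put each item on its own line in the doc comment this is generated from.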