Enable Password Policy by default for Links #7682

Closed

tbsbdr opened this issue Nov 8, 2023 · 10 comments

tbsbdr commented Nov 8, 2023

Value

  • Security by default

Steps to reproduce

  1. Click on the quickaction "Copy Link"
  2. No password is required for the link, anyone who has the link, can access

Expected behavior

  • A password should be required by default (for links anyone can access)

Actual behavior

  • No password is required for the link

micbar commented Nov 8, 2023

@ScharfViktor Can you take care of that?

I can change the default config, but then we need to see how the tests are behaving.

@ScharfViktor

Yes, sure. I'll take care of it. Do you want to set OCIS_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD by default?
I can do it and change the tests if needed.

micbar commented Nov 8, 2023

we also want the password policy to be enabled by default.

hodyroff commented Nov 8, 2023

I question if a password makes it more secure. What is gained when both are sent in the same email?! Same with a strong password policy ... we should think through the complete user story ... what will the user do with the link and the PW?

@ScharfViktor

> we also want the password policy to be enabled by default.

I'm changing the API tests now. @micbar @tbsbdr which envs do you want to have as defaults? I can enable them in my PR.

micbar commented Nov 8, 2023

I would like to

FRONTEND_PASSWORD_POLICY_MIN_CHARACTERS=8
FRONTEND_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS=1
FRONTEND_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS=1
FRONTEND_PASSWORD_POLICY_MIN_DIGITS=1
FRONTEND_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS=1

but I want them as defaults in the code.

michaelstingl commented Nov 9, 2023

Please also deploy a minimal ‘banned passwords list’ file.

Example:
https://github.com/owncloud/ocis/blob/master/tests/config/drone/banned-password-list.txt

ScharfViktor commented Nov 13, 2023

> Example: https://github.com/owncloud/ocis/blob/master/tests/config/drone/banned-password-list.txt

I created this list only for the API and e2e tests: https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiGraph/enforcePasswordPublicLink.feature#L286

As written in the docs (https://doc.owncloud.com/ocis/next/deployment/services/s-list/frontend.html#the-password-policy): "The admin can define the path of the banned passwords list file."

I'm not sure that it is a default config and don't know where the best location for this file is, so I would delegate the resolution of this issue to the developers.

@ScharfViktor

> I would like to
>
> FRONTEND_PASSWORD_POLICY_MIN_CHARACTERS=8
> FRONTEND_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS=1
> FRONTEND_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS=1
> FRONTEND_PASSWORD_POLICY_MIN_DIGITS=1
> FRONTEND_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS=1
>
> but I want them as defaults in the code.

@micbar it's done and all tests were changed. Should we close the issue, or should we do something with the banned passwords list file?
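To make concrete what "defaults in the code" plus a banned-password list means for a public-link password check, here is an added example written for this page; it is not oCIS's own code and does not reuse its config loader. It takes the five FRONTEND_PASSWORD_POLICY_MIN_* values proposed above as compiled-in defaults, lets the environment raise or lower them, parses a banned list in the one-entry-per-line shape of the drone test file, and reports every violated rule at once. The function names, the injected getenv parameter, the sample list, and the definition of "special character" (anything that is neither a letter, a digit, nor whitespace) are assumptions made for the example.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
	"strings"
	"unicode"
)

// Policy holds the FRONTEND_PASSWORD_POLICY_MIN_* knobs from the thread plus the lowercased banned list.
type Policy struct {
	MinCharacters, MinLowercaseCharacters, MinUppercaseCharacters, MinDigits, MinSpecialCharacters int
	Banned                                                                                         map[string]struct{}
}

// DefaultPolicy returns the values micbar asked to have as defaults "in the code".
func DefaultPolicy() Policy {
	return Policy{8, 1, 1, 1, 1, map[string]struct{}{}}
}

// PolicyFromEnv layers environment overrides on the defaults, so an unset variable keeps the secure
// default instead of disabling a rule. Hypothetical loader for this example; getenv is injected for tests.
func PolicyFromEnv(getenv func(string) string) (Policy, error) {
	p := DefaultPolicy()
	knobs := map[string]*int{
		"FRONTEND_PASSWORD_POLICY_MIN_CHARACTERS":           &p.MinCharacters,
		"FRONTEND_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS": &p.MinLowercaseCharacters,
		"FRONTEND_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS": &p.MinUppercaseCharacters,
		"FRONTEND_PASSWORD_POLICY_MIN_DIGITS":               &p.MinDigits,
		"FRONTEND_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS":   &p.MinSpecialCharacters,
	}
	for key, dst := range knobs {
		if v := getenv(key); v != "" {
			n, err := strconv.Atoi(v)
			if err != nil || n < 0 {
				return p, fmt.Errorf("%s: expected a non-negative integer, got %q", key, v)
			}
			*dst = n
		}
	}
	return p, nil
}

// LoadBanned parses banned-list file contents: one entry per line, blank lines and '#' comments ignored.
func LoadBanned(list string) map[string]struct{} {
	banned := map[string]struct{}{}
	for _, line := range strings.Split(list, "\n") {
		if line = strings.TrimSpace(line); line != "" && !strings.HasPrefix(line, "#") {
			banned[strings.ToLower(line)] = struct{}{}
		}
	}
	return banned
}

// Validate returns nil if pw satisfies every rule, else one error listing all violations.
func (p Policy) Validate(pw string) error {
	var lower, upper, digit, special int
	for _, r := range pw {
		switch {
		case unicode.IsLower(r):
			lower++
		case unicode.IsUpper(r):
			upper++
		case unicode.IsDigit(r):
			digit++
		case !unicode.IsLetter(r) && !unicode.IsSpace(r):
			special++ // punctuation and symbols; caseless letters and spaces only count toward length
		}
	}
	var v []string
	check := func(got, want int, what string) {
		if got < want {
			v = append(v, fmt.Sprintf("need %d %s, got %d", want, what, got))
		}
	}
	check(len([]rune(pw)), p.MinCharacters, "characters")
	check(lower, p.MinLowercaseCharacters, "lowercase")
	check(upper, p.MinUppercaseCharacters, "uppercase")
	check(digit, p.MinDigits, "digits")
	check(special, p.MinSpecialCharacters, "special characters")
	if _, ok := p.Banned[strings.ToLower(pw)]; ok {
		v = append(v, "password is on the banned list")
	}
	if len(v) > 0 {
		return fmt.Errorf("password policy violated: %s", strings.Join(v, "; "))
	}
	return nil
}

func main() {
	p, err := PolicyFromEnv(os.Getenv)
	if err != nil {
		panic(err)
	}
	p.Banned = LoadBanned("# constructed sample list\nPassword1!\n") // a deployment reads the admin's file
	fmt.Println(p.Validate("Tr0ub4dor&3"), "|", p.Validate("Password1!"))
}
```

Two points the example makes that the env list alone does not: a variable that is unset keeps the compiled-in default, which is what "defaults in the code" buys you, and a string like "Password1!" satisfies all five character-class rules, so only the banned list rejects it. That is why the list needs the follow-up asked for below rather than being left to the test fixtures.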

micbar commented Nov 14, 2023

@ScharfViktor thanks!

Banned passwords need a follow-up. We can close this ticket here.
