v1.2.1

CHANGELOG.md

@@ -3,6 +3,15 @@
 This changelog goes through all the changes that have been made in each release on the
 [vocascan-server](https://github.com/vocascan/vocascan-server).
 
+## [v1.2.1](https://github.com/vocascan/vocascan-server/releases/tag/v1.2.1) - 2022.01.29
+
+In this release of vocascan-server we have added new security features to force secure passwords to the users.
+
+- Features
+  - Added Password Complexity to register and password reset (#79)
+- Bug
+  - closes Update Swagger Documentation for password reset (#80) (#81)
+
 ## [v1.2.0](https://github.com/vocascan/vocascan-server/releases/tag/v1.2.0) - 2022.01.22
 
 In this release of vocascan-server we have added new features to make your server more secure. On the one hand, the legal side. You can now include static HTML pages or redirects to your privacy policy or imprint. On the other hand, in security, with an improved CORS configuration option to restrict access to only allowed frontend domains.

app/Controllers/AuthController.js

@@ -1,19 +1,26 @@
+const httpStatus = require('http-status');
 const config = require('../config/config');
 const {
   createUser,
   loginUser,
   validateRegister,
   validateLogin,
+  validatePassword,
   destroyUser,
   changePassword,
 } = require('../Services/AuthServiceProvider');
 const { useInviteCode } = require('../Services/InviteCodeProvider');
 const { generateJWT, deleteKeysFromObject } = require('../utils');
 const catchAsync = require('../utils/catchAsync');
+const ApiError = require('../utils/ApiError');
 
 const register = catchAsync(async (req, res) => {
   await validateRegister(req, res);
 
+  if (!validatePassword(req.body.password)) {
+    throw new ApiError(httpStatus.BAD_REQUEST, 'password complexity failed', 'password');
+  }
+
   const user = await createUser(req.body);
   const token = generateJWT({ id: user.id }, config.server.jwt_secret);
 
@@ -56,6 +63,10 @@ const resetPassword = catchAsync(async (req, res) => {
   const userId = req.user.id;
   const { oldPassword, newPassword } = req.body;
 
+  if (!validatePassword(req.body.newPassword)) {
+    throw new ApiError(httpStatus.BAD_REQUEST, 'password complexity failed', 'newPassword');
+  }
+
   await changePassword(userId, oldPassword, newPassword);
 
   res.status(204).end();

app/Services/AuthServiceProvider.js

@@ -4,6 +4,7 @@ const crypto = require('crypto');
 const { deleteKeysFromObject, hashEmail } = require('../utils');
 const { User, Role } = require('../../database');
 const ApiError = require('../utils/ApiError.js');
+const { bytesLength } = require('../utils/index.js');
 const httpStatus = require('http-status');
 const { validateInviteCode } = require('../Services/InviteCodeProvider.js');
 const config = require('../config/config');
@@ -82,6 +83,26 @@ function validateLogin(req, res) {
   return validateAuth(req, res);
 }
 
+function validatePassword(password) {
+  const passwordLength = bytesLength(password);
+
+  const length = passwordLength >= 8 && passwordLength <= 72;
+  const hasUpperCase = /[A-Z]/.test(password);
+  const hasLowerCase = /[a-z]/.test(password);
+  const hasNumbers = /\d/.test(password);
+  const hasNonAlphas = /\W/.test(password);
+
+  let passwordComplexity = 0;
+
+  if (length) {
+    passwordComplexity = length + hasUpperCase + hasLowerCase + hasNumbers + hasNonAlphas;
+  } else if (passwordLength !== 0) {
+    passwordComplexity = 1;
+  }
+
+  return passwordLength >= 8 && passwordLength <= 72 && passwordComplexity >= 4;
+}
+
 // Create new user and store into database
 async function createUser({ username, email, password }) {
   // Hash password
@@ -196,6 +217,7 @@ module.exports = {
   loginUser,
   validateRegister,
   validateLogin,
+  validatePassword,
   destroyUser,
   changePassword,
   checkPasswordValid,

app/utils/index.js

@@ -286,6 +286,14 @@ const askToConfirm = (question) => {
   });
 };
 
+/**
+ * Return the length of a string in bytes
+ * See: https://stackoverflow.com/questions/5515869/string-length-in-bytes-in-javascript
+ * @param {String} string string
+ * @returns bytesLength
+ */
+const bytesLength = (string) => new TextEncoder().encode(string).length;
+
 module.exports = {
   generateJWT,
   parseTokenUserId,
@@ -307,4 +315,5 @@ module.exports = {
   truncateString,
   hashEmail,
   askToConfirm,
+  bytesLength,
 };

docs/api/swagger.json

@@ -125,7 +125,7 @@
         }
       }
     },
-    "/user/password/reset": {
+    "/user/reset-password": {
       "post": {
         "summary": "Reset user password",
         "tags": ["auth"],

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vocascan/server",
-  "version": "1.2.0",
+  "version": "1.2.1",
   "description": "A highly configurable vocabulary trainer",
   "main": "./server.js",
   "scripts": {