Add password security: default credential warning and strength validation (#386)

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: samanhappy <2755122+samanhappy@users.noreply.github.com>
2025-12-24 02:39:19 -05:00 · 2025-10-26 19:22:51 +08:00
parent 2f7726b008
commit 5ca5e2ad47
13 changed files with 347 additions and 16 deletions
--- a/src/controllers/authController.ts
+++ b/src/controllers/authController.ts
@@ -10,6 +10,8 @@ import {
 import { getDataService } from '../services/services.js';
 import { DataService } from '../services/dataService.js';
 import { JWT_SECRET } from '../config/jwt.js';
+import { validatePasswordStrength, isDefaultPassword } from '../utils/passwordValidation.js';
+import { getPackageVersion } from '../utils/version.js';

 const dataService: DataService = getDataService();

@@ -64,6 +66,14 @@ export const login = async (req: Request, res: Response): Promise<void> => {
      },
    };

+    // Check if user is admin with default password
+    const version = getPackageVersion();
+    const isUsingDefaultPassword =
+      user.username === 'admin' &&
+      user.isAdmin &&
+      isDefaultPassword(password) &&
+      version !== 'dev';
+
    jwt.sign(payload, JWT_SECRET, { expiresIn: TOKEN_EXPIRY }, (err, token) => {
      if (err) throw err;
      res.json({
@@ -75,6 +85,7 @@ export const login = async (req: Request, res: Response): Promise<void> => {
          isAdmin: user.isAdmin,
          permissions: dataService.getPermissions(user),
        },
+        isUsingDefaultPassword,
      });
    });
  } catch (error) {
@@ -172,6 +183,17 @@ export const changePassword = async (req: Request, res: Response): Promise<void>
  const username = (req as any).user.username;

  try {
+    // Validate new password strength
+    const validationResult = validatePasswordStrength(newPassword);
+    if (!validationResult.isValid) {
+      res.status(400).json({
+        success: false,
+        message: 'Password does not meet security requirements',
+        errors: validationResult.errors,
+      });
+      return;
+    }
+
    // Find user by username
    const user = findUserByUsername(username);

--- a/src/controllers/userController.ts
+++ b/src/controllers/userController.ts
@@ -10,6 +10,7 @@ import {
  getAdminCount,
 } from '../services/userService.js';
 import { loadSettings } from '../config/index.js';
+import { validatePasswordStrength } from '../utils/passwordValidation.js';

 // Admin permission check middleware function
 const requireAdmin = (req: Request, res: Response): boolean => {
@@ -100,6 +101,17 @@ export const createUser = async (req: Request, res: Response): Promise<void> =>
      return;
    }

+    // Validate password strength
+    const validationResult = validatePasswordStrength(password);
+    if (!validationResult.isValid) {
+      res.status(400).json({
+        success: false,
+        message: 'Password does not meet security requirements',
+        errors: validationResult.errors,
+      });
+      return;
+    }
+
    const newUser = await createNewUser(username, password, isAdmin || false);
    if (!newUser) {
      res.status(400).json({
@@ -163,7 +175,19 @@ export const updateExistingUser = async (req: Request, res: Response): Promise<v

    const updateData: any = {};
    if (isAdmin !== undefined) updateData.isAdmin = isAdmin;
-    if (newPassword) updateData.newPassword = newPassword;
+    if (newPassword) {
+      // Validate new password strength
+      const validationResult = validatePasswordStrength(newPassword);
+      if (!validationResult.isValid) {
+        res.status(400).json({
+          success: false,
+          message: 'Password does not meet security requirements',
+          errors: validationResult.errors,
+        });
+        return;
+      }
+      updateData.newPassword = newPassword;
+    }

    if (Object.keys(updateData).length === 0) {
      res.status(400).json({
--- a/src/utils/passwordValidation.ts
+++ b/src/utils/passwordValidation.ts
@@ -0,0 +1,49 @@
+/**
+ * Password strength validation utility
+ * Requirements:
+ * - At least 8 characters
+ * - Contains at least one letter
+ * - Contains at least one number
+ * - Contains at least one special character
+ */
+
+export interface PasswordValidationResult {
+  isValid: boolean;
+  errors: string[];
+}
+
+export const validatePasswordStrength = (password: string): PasswordValidationResult => {
+  const errors: string[] = [];
+
+  // Check minimum length
+  if (password.length < 8) {
+    errors.push('Password must be at least 8 characters long');
+  }
+
+  // Check for at least one letter
+  if (!/[a-zA-Z]/.test(password)) {
+    errors.push('Password must contain at least one letter');
+  }
+
+  // Check for at least one number
+  if (!/\d/.test(password)) {
+    errors.push('Password must contain at least one number');
+  }
+
+  // Check for at least one special character
+  if (!/[!@#$%^&*()_+\-=[\]{};':"\\|,.<>/?]/.test(password)) {
+    errors.push('Password must contain at least one special character');
+  }
+
+  return {
+    isValid: errors.length === 0,
+    errors,
+  };
+};
+
+/**
+ * Check if a password is the default password (admin123)
+ */
+export const isDefaultPassword = (plainPassword: string): boolean => {
+  return plainPassword === 'admin123';
+};