
Add user password policy to settings

Open Benjamin-K opened this issue 2 years ago • 4 comments

Description

Hi there,

As security is crucial to many middle to large companies I was searching for something to set up a password policy for Neos for customers that do not manage their logins through LDAP or sth. similar. I found that there are no password requirements in Neos, which is really bad. To improve this, I would suggest adding some basic settings for user passwords to the Settings.yaml.

Steps to Reproduce

See the following files to see that there is no check for a valid password:

Expected behavior

Password policy could be set through settings, for example:

Neos:
  Flow:
    security:
      passwordPolicy:
        minLength: 6
        maxLength: 255
        requireNumbers: false
        requireLetters: false
        requireUppercaseAndLowercase: false
        # for special chars I'd prefer a list of the required special chars, sth. like '$%_-!@'
        requireSpecialChars: ''

Actual behavior

Password requirements are hardcoded.

Affected Versions

Neos: All
Flow: All

PS: I posted this to neos/neos-development-collection#3293 first, but it belongs to Flow, so I reposted it here and closed the issue in the other git. But there was a small discussion there already.

Benjamin-K avatar Jan 14 '22 10:01 Benjamin-K

What you describe is a validation class used by an application :)

I see it as a separate package that can be installed for account management, but not a core thing

sorenmalling avatar Jan 14 '22 11:01 sorenmalling

So basically a class with sth like this? I never did anything with aspects before.

<?php
namespace Acme\Namespace\Security;

use Neos\Flow\Annotations as Flow;
use Neos\Flow\Aop\JoinPointInterface;

/**
 * @Flow\Aspect
 */
class SecurePasswordAspect
{
    /**
     * Check the password before AccountFactory creates the account
     *
     * @Flow\Before("method(Neos\Flow\Security\AccountFactory->createAccountWithPassword())")
     */
    public function checkPasswordRequirements(JoinPointInterface $joinPoint): void
    {
        $password = $joinPoint->getMethodArgument('password');
        // Validate password strength
    }
}

How do I stop, if the password does not fulfill the requirements? Simply throw an Exception?

Benjamin-K avatar Jan 14 '22 13:01 Benjamin-K
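As an added example (not code from this thread, from Flow, or from the JvMTECH package linked later), here is an aspect that enforces every key of the Settings.yaml proposed in the issue and answers the "throw an exception" question: a Before advice runs ahead of the proxied method, so an exception thrown there aborts the account creation. The namespace Acme\Security\Aspect, the class and method names, and the reading of requireSpecialChars as "at least one of these characters must appear" are assumptions.

```php
<?php
namespace Acme\Security\Aspect;

use Neos\Flow\Annotations as Flow;
use Neos\Flow\Aop\JoinPointInterface;

/**
 * @Flow\Aspect
 */
class PasswordPolicyAspect
{
    /**
     * Keys from the proposed Settings.yaml; read from the Neos.Flow package because the proposal nests them under Neos.Flow.security
     * @Flow\InjectConfiguration(package="Neos.Flow", path="security.passwordPolicy")
     * @var array
     */
    protected $policy = [];

    /**
     * Before advice: throwing here aborts createAccountWithPassword(), so the weak
     * password is never hashed or stored. Pointcut targets Flow's AccountFactory.
     *
     * @Flow\Before("method(Neos\Flow\Security\AccountFactory->createAccountWithPassword())")
     */
    public function enforcePolicy(JoinPointInterface $joinPoint): void
    {
        $errors = self::violations((string)$joinPoint->getMethodArgument('password'), $this->policy);
        if ($errors !== []) {
            throw new \InvalidArgumentException('Password policy violated: ' . implode('; ', $errors), 1705000000);
        }
    }

    /** Pure check (unit-testable without AOP); returns the list of violations, empty when compliant. */
    public static function violations(string $password, array $policy): array
    {
        $length = mb_strlen($password);
        $special = (string)($policy['requireSpecialChars'] ?? ''); // assumed: set of chars, one must appear
        // Each entry is [violated?, message]; unset or false policy keys never trigger
        $checks = [
            [$length < (int)($policy['minLength'] ?? 0), 'shorter than ' . ($policy['minLength'] ?? 0) . ' characters'],
            [isset($policy['maxLength']) && $length > (int)$policy['maxLength'], 'longer than ' . ($policy['maxLength'] ?? '') . ' characters'],
            [!empty($policy['requireNumbers']) && !preg_match('/\d/', $password), 'must contain a digit'],
            [!empty($policy['requireLetters']) && !preg_match('/\p{L}/u', $password), 'must contain a letter'],
            [!empty($policy['requireUppercaseAndLowercase']) && !(preg_match('/\p{Lu}/u', $password) && preg_match('/\p{Ll}/u', $password)), 'must contain upper- and lowercase letters'],
            [$special !== '' && strpbrk($password, $special) === false, 'must contain one of ' . $special],
        ];
        return array_column(array_filter($checks, static fn(array $check) => $check[0]), 1);
    }
}
```

With the proposed defaults (minLength 6, everything else off) only the length rule fires; enabling requireSpecialChars: '$%_-!@' additionally rejects any password without one of those characters.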

Found a package that adds this: https://github.com/jvm-tech/JvMTECH.NeosHardening

Benjamin-K avatar Mar 11 '22 16:03 Benjamin-K

I think we can close this. But maybe the linked package should be mentioned somewhere?

Benjamin-K avatar May 16 '24 04:05 Benjamin-K