fix: check passwords against list of 100k common known passwords

2025-06-29 11:23:36 +02:00 · 2025-06-29 11:23:36 +02:00 · d9f4d00379
commit d9f4d00379
parent fa0a82aab1
4 changed files with 100030 additions and 0 deletions
--- a/errors/errors.go
+++ b/errors/errors.go
@ -10,6 +10,7 @@ var (
 	ErrExist                = errors.New("the resource already exists")
 	ErrNotExist             = errors.New("the resource does not exist")
 	ErrEmptyPassword        = errors.New("password is empty")
+	ErrEasyPassword         = errors.New("password is too easy")
 	ErrEmptyUsername        = errors.New("username is empty")
 	ErrEmptyRequest         = errors.New("empty request")
 	ErrScopeIsRelative      = errors.New("scope is a relative path")
--- a/users/assets.go
+++ b/users/assets.go
@ -0,0 +1,25 @@
+package users
+
+import (
+	"embed"
+	"strings"
+)
+
+//go:embed assets
+var assets embed.FS
+var commonPasswords map[string]struct{}
+
+func init() {
+	// Password list sourced from:
+	// https://github.com/danielmiessler/SecLists/blob/master/Passwords/Common-Credentials/100k-most-used-passwords-NCSC.txt
+	data, err := assets.ReadFile("assets/common-passwords.txt")
+	if err != nil {
+		panic(err)
+	}
+
+	passwords := strings.Split(strings.TrimSpace(string(data)), "\n")
+	commonPasswords = make(map[string]struct{}, len(passwords))
+	for _, password := range passwords {
+		commonPasswords[strings.TrimSpace(password)] = struct{}{}
+	}
+}
--- a/users/assets/common-passwords.txt
+++ b/users/assets/common-passwords.txt
--- a/users/password.go
+++ b/users/password.go
@ -15,6 +15,10 @@ func ValidateAndHashPwd(password string, minimumLength uint) (string, error) {
 		return "", fbErrors.ErrShortPassword{MinimumLength: minimumLength}
 	}

+	if _, ok := commonPasswords[password]; ok {
+		return "", fbErrors.ErrEasyPassword
+	}
+
 	return HashPwd(password)
 }