fix: check passwords against list of 100k common known passwords

errors/errors.go

@@ -10,6 +10,7 @@ var (
 	ErrExist                = errors.New("the resource already exists")
 	ErrNotExist             = errors.New("the resource does not exist")
 	ErrEmptyPassword        = errors.New("password is empty")
+	ErrEasyPassword         = errors.New("password is too easy")
 	ErrEmptyUsername        = errors.New("username is empty")
 	ErrEmptyRequest         = errors.New("empty request")
 	ErrScopeIsRelative      = errors.New("scope is a relative path")

users/assets.go

@@ -0,0 +1,25 @@
+package users
+
+import (
+	"embed"
+	"strings"
+)
+
+//go:embed assets
+var assets embed.FS
+var commonPasswords map[string]struct{}
+
+func init() {
+	// Password list sourced from:
+	// https://github.com/danielmiessler/SecLists/blob/master/Passwords/Common-Credentials/100k-most-used-passwords-NCSC.txt
+	data, err := assets.ReadFile("assets/common-passwords.txt")
+	if err != nil {
+		panic(err)
+	}
+
+	passwords := strings.Split(strings.TrimSpace(string(data)), "\n")
+	commonPasswords = make(map[string]struct{}, len(passwords))
+	for _, password := range passwords {
+		commonPasswords[strings.TrimSpace(password)] = struct{}{}
+	}
+}

users/password.go

@@ -15,6 +15,10 @@ func ValidateAndHashPwd(password string, minimumLength uint) (string, error) {
 		return "", fbErrors.ErrShortPassword{MinimumLength: minimumLength}
 	}
 
+	if _, ok := commonPasswords[password]; ok {
+		return "", fbErrors.ErrEasyPassword
+	}
+
 	return HashPwd(password)
 }