Merge pull request #2 from amosfolz/pw-security-updates

Add PasswordSecurity as a service

Author: amosfolz

app/sprinkles/account/config/default.php

@@ -116,10 +116,13 @@
             ]
         ],
         'password_security' => [
-             'enforce_no_compromised'   => '0' // Set to false to turn off this feature. Otherwise, provide a numeric string, which sets the maximum number
-                                               // of times that is "acceptable" for a password to have appeared in breaches. The recommended and most secure
-                                               // option is '0' - meaning only passwords that are not on the list of compromised passwords will be allowed.
-]
+             'enforce_no_compromised'   => [
+              'breaches' => '0', // Set to '-1' to turn off this feature. Otherwise, provide a numeric string, which sets the maximum number
+                                 // of times that is "acceptable" for a password to have appeared in breaches. The recommended and most secure
+                                // option is '0' - meaning only passwords that are not on the list of compromised passwords will be allowed.
+              'cache'    => 10080 // Duration in minutes to store HIBP API responses in cache.
+               ]
+          ]
     ],
 
     /*

app/sprinkles/account/src/Authenticate/PasswordSecurity.php

@@ -116,11 +116,21 @@ private function getHashArrayFromAPI($hashPrefix)
         return $hashArray;
     }
 
-    public function isEnabled()
+    /**
+     * Checks if compromised password reset feature is enabeld.
+     *
+     * @return bool True if the feature is enabled.
+     */
+    public function resetCompromisedEnabled()
     {
         return $this->config['site.login.enforce_reset_compromised'];
     }
 
+    /**
+     * Checks the maximum number of times that is acceptable for a password to have appeared in breaches.
+     *
+     * @return string Numeric string with -1 meaning disabled.
+     */
     public function breachThreshold()
     {
         return $this->config['site.password_security.enforce_no_compromised.breaches'];

app/sprinkles/account/src/Controller/AccountController.php

@@ -28,7 +28,6 @@
 use UserFrosting\Support\Exception\BadRequestException;
 use UserFrosting\Support\Exception\ForbiddenException;
 use UserFrosting\Support\Exception\NotFoundException;
-use UserFrosting\Sprinkle\Account\Authenticate\PasswordSecurity;
 
 /**
  * Controller class for /account/* URLs.  Handles account-related activities, including login, registration, password recovery, and account settings.
@@ -428,12 +427,14 @@ public function login(Request $request, Response $response, $args)
 
         $currentUser = $authenticator->attempt(($isEmail ? 'email' : 'user_name'), $userIdentifier, $data['password'], $data['rememberme']);
 
-        // Check if the enforced password update setting is configured.
-        if ($this->ci->config['site.login.enforce_reset_compromised'] == true) {
+        $passwordSecurity = $this->ci->passwordSecurity;
+
+        // Check if the enforce password update setting is configured.
+        if ($passwordSecurity->resetCompromisedEnabled()) {
             // Check if the password is on the compromised password list.
-            $numberOfBreaches = PasswordSecurity::checkPassword($data['password']);
+            $numberOfBreaches = $passwordSecurity->checkPassword($data['password']);
 
-            if ($numberOfBreaches > $this->ci->config['site.password_security.enforce_no_compromised']) {
+            if ($passwordSecurity->breachThreshold() != '-1' && $numberOfBreaches > $passwordSecurity->breachThreshold()) {
 
                 // Try to generate a new password reset request.
                 // Use timeout for "reset password"
@@ -452,7 +453,7 @@ public function login(Request $request, Response $response, $args)
                 ]
               ], $token);
 
-                $ms->addMessageTranslated('info', 'PASSWORD.SECURITY.RESET_REQUIRED');
+                $ms->addMessageTranslated('info', 'PASSWORD.SECURITY.RESET_REQUIRED.COMPROMISED');
 
                 return $response->withRedirect($forcePasswordChange);
             }

app/sprinkles/account/src/ServicesProvider/ServicesProvider.php

@@ -18,6 +18,7 @@
 use UserFrosting\Sprinkle\Account\Authenticate\Authenticator;
 use UserFrosting\Sprinkle\Account\Authenticate\AuthGuard;
 use UserFrosting\Sprinkle\Account\Authenticate\Hasher;
+use UserFrosting\Sprinkle\Account\Authenticate\PasswordSecurity;
 use UserFrosting\Sprinkle\Account\Authorize\AuthorizationManager;
 use UserFrosting\Sprinkle\Account\Database\Models\User;
 use UserFrosting\Sprinkle\Account\Log\UserActivityDatabaseHandler;
@@ -173,6 +174,19 @@ public function register(ContainerInterface $container)
             return $authenticator;
         };
 
+        /**
+         * PasswordSecurity service.
+         *
+         * Handles password security features.
+         *
+         * @return \UserFrosting\Sprinkle\Account\Authenticate\PasswordSecurity
+         */
+        $container['passwordSecurity'] = function ($c) {
+            $cache = $c->cache;
+            $config = $c->config;
+
+            return new PasswordSecurity($cache, $config);
+        };
         /**
          * Sets up the AuthGuard middleware, used to limit access to authenticated users for certain routes.
          *