The server will now error out if it detects that its own password is weak

main
_ 2020-11-02 14:23:08 +00:00
parent 903d5f338d
commit 1de6c0aca7
5 changed files with 40 additions and 2 deletions

View File

@ -10,6 +10,7 @@ license = "AGPL-3.0"
[dependencies] [dependencies]
aho-corasick = "0.7.14"
base64 = "0.12.3" base64 = "0.12.3"
blake3 = "0.3.7" blake3 = "0.3.7"
dashmap = "3.11.10" dashmap = "3.11.10"
@ -20,6 +21,7 @@ hyper = "0.13.8"
lazy_static = "1.4.0" lazy_static = "1.4.0"
maplit = "1.0.2" maplit = "1.0.2"
percent-encoding = "2.1.0" percent-encoding = "2.1.0"
rand = "0.7.3"
regex = "1.4.1" regex = "1.4.1"
reqwest = { version = "0.10.8", features = ["stream"] } reqwest = { version = "0.10.8", features = ["stream"] }
rmp-serde = "0.14.4" rmp-serde = "0.14.4"

1
src/bad_passwords.txt Normal file

File diff suppressed because one or more lines are too long

View File

@ -23,6 +23,17 @@ pub fn prefix_match <'a> (hay: &'a str, needle: &str) -> Option <&'a str>
} }
} }
const BAD_PASSWORDS: &[u8] = include_bytes! ("bad_passwords.txt");
pub fn password_is_bad (mut password: String) -> bool {
password.make_ascii_lowercase ();
let ac = aho_corasick::AhoCorasick::new (&[
password
]);
ac.find (BAD_PASSWORDS).is_some ()
}
#[cfg (test)] #[cfg (test)]
mod tests { mod tests {
@ -40,6 +51,28 @@ mod tests {
server, server,
}; };
#[test]
fn check_bad_passwords () {
use crate::password_is_bad;
for pw in vec! [
"password",
"pAsSwOrD",
"secret",
"123123",
] {
assert! (password_is_bad (pw.to_string ()));
}
use rand::prelude::*;
let mut entropy = [0u8; 32];
thread_rng ().fill_bytes (&mut entropy);
let good_password = base64::encode (entropy);
assert! (! password_is_bad (good_password));
}
#[test] #[test]
fn end_to_end () { fn end_to_end () {
use maplit::*; use maplit::*;

View File

@ -106,6 +106,10 @@ pub async fn main (config_file: ConfigFile, opt: Opt)
{ {
use std::convert::TryInto; use std::convert::TryInto;
if crate::password_is_bad (config_file.api_key.clone ()) {
panic! ("API key is too weak, server can't use it");
}
let tripcode = base64::encode (blake3::hash (config_file.api_key.as_bytes ()).as_bytes ()); let tripcode = base64::encode (blake3::hash (config_file.api_key.as_bytes ()).as_bytes ());
println! ("Our tripcode is {}", tripcode); println! ("Our tripcode is {}", tripcode);

View File

@ -1,5 +1,3 @@
- Error out if 2 servers have the same tripcode
- Error out if a server has a weak password
- ETag cache - ETag cache
- Server-side hash? - Server-side hash?
- Log / audit log? - Log / audit log?