The server will now error out if it detects that its own password is weak

Cargo.toml

@@ -10,6 +10,7 @@ license = "AGPL-3.0"
 
 [dependencies]
 
+aho-corasick = "0.7.14"
 base64 = "0.12.3"
 blake3 = "0.3.7"
 dashmap = "3.11.10"
@@ -20,6 +21,7 @@ hyper = "0.13.8"
 lazy_static = "1.4.0"
 maplit = "1.0.2"
 percent-encoding = "2.1.0"
+rand = "0.7.3"
 regex = "1.4.1"
 reqwest = { version = "0.10.8", features = ["stream"] }
 rmp-serde = "0.14.4"

src/lib.rs

@@ -23,6 +23,17 @@ pub fn prefix_match <'a> (hay: &'a str, needle: &str) -> Option <&'a str>
 	}
 }
 
+const BAD_PASSWORDS: &[u8] = include_bytes! ("bad_passwords.txt");
+
+pub fn password_is_bad (mut password: String) -> bool {
+	password.make_ascii_lowercase ();
+	
+	let ac = aho_corasick::AhoCorasick::new (&[
+		password
+	]);
+	
+	ac.find (BAD_PASSWORDS).is_some ()
+}
 
 #[cfg (test)]
 mod tests {
@@ -40,6 +51,28 @@ mod tests {
 		server,
 	};
 	
+	#[test]
+	fn check_bad_passwords () {
+		use crate::password_is_bad;
+		
+		for pw in vec! [
+			"password",
+			"pAsSwOrD",
+			"secret",
+			"123123",
+		] {
+			assert! (password_is_bad (pw.to_string ()));
+		}
+		
+		use rand::prelude::*;
+		
+		let mut entropy = [0u8; 32];
+		thread_rng ().fill_bytes (&mut entropy);
+		let good_password = base64::encode (entropy);
+		
+		assert! (! password_is_bad (good_password));
+	}
+	
 	#[test]
 	fn end_to_end () {
 		use maplit::*;

src/server/mod.rs

@@ -106,6 +106,10 @@ pub async fn main (config_file: ConfigFile, opt: Opt)
 {
 	use std::convert::TryInto;
 	
+	if crate::password_is_bad (config_file.api_key.clone ()) {
+		panic! ("API key is too weak, server can't use it");
+	}
+	
 	let tripcode = base64::encode (blake3::hash (config_file.api_key.as_bytes ()).as_bytes ());
 	
 	println! ("Our tripcode is {}", tripcode);

todo.md

@@ -1,5 +1,3 @@
-- Error out if 2 servers have the same tripcode
-- Error out if a server has a weak password
 - ETag cache
 - Server-side hash?
 - Log / audit log?