added client side check for trivial password policies (#32846)

* added client side check for trivial password policies fixes: #32845 Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com> * changed to make use of template Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com> * nicer active policy structure Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com> --------- Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
2024-09-12 14:26:35 +02:00 · 2024-09-12 14:26:35 +02:00 · 22f9d2077e
commit 22f9d2077e
parent 0f97e4cb39
3 changed files with 99 additions and 1 deletions
--- a/themes/src/main/resources/theme/keycloak.v2/login/field.ftl
+++ b/themes/src/main/resources/theme/keycloak.v2/login/field.ftl
@ -14,6 +14,7 @@

  <#nested>

+  <div id="input-error-client-${name}"></div>
  <#if error?has_content>
    <div class="${properties.kcFormHelperTextClass}" aria-live="polite">
      <div class="${properties.kcInputHelperTextClass}">
--- a/themes/src/main/resources/theme/keycloak.v2/login/register.ftl
+++ b/themes/src/main/resources/theme/keycloak.v2/login/register.ftl
@ -13,7 +13,6 @@
        </#if>
    <#elseif section = "form">
        <form id="kc-register-form" class="${properties.kcFormClass!}" action="${url.registrationAction}" method="post" novalidate="novalidate">
-
            <@userProfileCommons.userProfileFormFields; callback, attribute>
                <#if callback = "afterField">
                <#-- render password fields just under the username or email (if used as username) -->
@ -46,5 +45,50 @@
            </div>

        </form>
+
+        <template id="errorTemplate">
+            <div class="${properties.kcFormHelperTextClass}" aria-live="polite">
+                <div class="${properties.kcInputHelperTextClass}">
+                    <div class="${properties.kcInputHelperTextItemClass} ${properties.kcError}">
+                        <ul class="${properties.kcInputErrorMessageClass}">
+                        </ul>
+                    </div>
+                </div>
+            </div>
+        </template>
+        <template id="errorItemTemplate">
+            <li></li>
+        </template>
+
+        <script type="module">
+            import { validatePassword } from "${url.resourcesPath}/js/password-policy.js";
+
+            const template = document.querySelector("#errorTemplate").content.cloneNode(true);
+
+            const activePolicies = [
+                { name: "length", policy: { value: ${passwordPolicies.length!-1}, error: "${msg('invalidPasswordMinLengthMessage')}"} },
+                { name: "maxLength", policy: { value: ${passwordPolicies.maxLength!-1}, error: "${msg('invalidPasswordMaxLengthMessage')}"} },
+                { name: "lowerCase", policy: { value: ${passwordPolicies.lowerCase!-1}, error: "${msg('invalidPasswordMinLowerCaseCharsMessage')}"} },
+                { name: "upperCase", policy: { value: ${passwordPolicies.upperCase!-1}, error: "${msg('invalidPasswordMinUpperCaseCharsMessage')}"} },
+                { name: "digits", policy: { value: ${passwordPolicies.digits!-1}, error: "${msg('invalidPasswordMinDigitsMessage')}"} },
+                { name: "specialChars", policy: { value: ${passwordPolicies.specialChars!-1}, error: "${msg('invalidPasswordMinSpecialCharsMessage')}"} }
+            ].filter(p => p.policy.value !== -1);
+
+            document.getElementById("password").addEventListener("change", (event) => {
+                const serverErrors = document.getElementById("input-error-password");
+                if (serverErrors) {
+                    serverErrors.remove();
+                }
+                const errors = validatePassword(event.target.value, activePolicies);
+                const errorList = template.querySelector("ul");
+                const htmlErrors = errors.forEach((e) => {
+                    const row = document.querySelector("#errorItemTemplate").content.cloneNode(true);
+                    const li = row.querySelector("li");
+                    li.textContent = e;
+                    errorList.appendChild(li);
+                });
+                document.getElementById("input-error-client-password").appendChild(template);
+            });
+        </script>
    </#if>
 </@layout.registrationLayout>
--- a/themes/src/main/resources/theme/keycloak.v2/login/resources/js/password-policy.js
+++ b/themes/src/main/resources/theme/keycloak.v2/login/resources/js/password-policy.js
@ -0,0 +1,53 @@
+const policies = {
+  length: (policy, value) => {
+    if (value.length < policy.value) {
+      return templateError(policy);
+    }
+  },
+  maxLength: (policy, value) => {
+    if (value.length > policy.value) {
+      return templateError(policy);
+    }
+  },
+  upperCase: (policy, value) => {
+    if (
+      value.split("").filter((char) => char !== char.toUpperCase()).length >
+      policy.value
+    ) {
+      return templateError(policy);
+    }
+  },
+  lowerCase: (policy, value) => {
+    if (
+      value.split("").filter((char) => char !== char.toLowerCase()).length >
+      policy.value
+    ) {
+      return templateError(policy);
+    }
+  },
+  digits: (policy, value) => {
+    const digits = value.split("").filter((char) => char.match(/\d/));
+    if (digits.length < policy.value) {
+      return templateError(policy);
+    }
+  },
+  specialChars: (policy, value) => {
+    let specialChars = value.split("").filter((char) => char.match(/\W/));
+    if (specialChars.length < policy.value) {
+      return templateError(policy);
+    }
+  },
+};
+
+const templateError = (policy) => policy.error.replace("{0}", policy.value);
+
+export function validatePassword(password, activePolicies) {
+  const errors = [];
+  for (const p of activePolicies) {
+    const validationError = policies[p.name](p.policy, password);
+    if (validationError) {
+      errors.push(validationError);
+    }
+  }
+  return errors;
+}