
Purpose

To protect the system from fraud and to improve the security policy, the password policy must be strengthened.

Functional requirements

1. Complexity Validation

Validate the complexity of the user's password. The password:

  • has at least 12 characters;
  • contains upper- and lowercase letters and numbers (required) and special characters (optional).

Must be controlled by the regular expression: ^(?=.*[a-zа-яёїієґ])(?=.*[A-ZА-ЯЁЇІЄҐ])(?=.*\d).{12,}$

  1. Validate upper- and lowercase letters and numbers

In case of error, return a 422 error (message: "Password does not meet complexity requirements"):

```elixir
{:error, [{%{
        description: "Password does not meet complexity requirements",
        params: [],
        rule: :invalid
      }, "$.password"}]}
```

  2. Validate password length (at least 12 characters long)

In case of error, return a 422 error (message: "Password must be at least 12 characters long"):

```elixir
{:error, [{%{
        description: "Password must be at least 12 characters long",
        params: [],
        rule: :invalid
      }, "$.password"}]}
```

  • Set mithril.users.password_set_at = now() + config.password_lifetime

2. Save password history

When $.decrypted_hash <> mithril.users.password (the user has set a new password), add a row to mithril.user_passwords_history:

| Destination | Source            | Description             |
|-------------|-------------------|-------------------------|
| id          |                   | Autogenerated           |
| user_id     | $.user_id         | Extract user from token |
| password    | $.decrypted_hash  |                         |
| inserted_at | Timestamp: now()  | Get current date-time   |

3. Do not allow reuse of recently used passwords

...

```elixir
{:error, [{%{
        description: "This password has been used recently. Try another one",
        params: [],
        rule: :invalid
      }, "$.password"}]}
```
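The three checks from sections 1 to 3 (complexity, length, recent reuse), as an added Elixir example that is not Mithril's own code. It returns errors in the tuple shape shown above; SHA-256 hashing of the history entries is an assumption for the example, since the document does not say how history rows are compared.

```elixir
defmodule PasswordPolicy do
  # Added example, not Mithril's code. Returns :ok or the first failing
  # rule's error tuple in the shape used throughout this document.

  @min_length 12

  # Lower- and uppercase classes cover Latin and Cyrillic letters,
  # including Ukrainian ї, і, є and ґ.
  @lower ~r/[a-zа-яёїієґ]/u
  @upper ~r/[A-ZА-ЯЁЇІЄҐ]/u
  @digit ~r/\d/u

  def validate(password, history \\ []) when is_binary(password) and is_list(history) do
    with :ok <- check_complexity(password),
         :ok <- check_length(password),
         :ok <- check_history(password, history) do
      :ok
    end
  end

  # Section 1: upper- and lowercase letters and a digit are required.
  defp check_complexity(password) do
    if Regex.match?(@lower, password) and Regex.match?(@upper, password) and
         Regex.match?(@digit, password),
       do: :ok,
       else: error("Password does not meet complexity requirements")
  end

  # Section 1: String.length/1 counts graphemes, so Cyrillic input is
  # measured in characters rather than bytes.
  defp check_length(password) do
    if String.length(password) >= @min_length,
      do: :ok,
      else: error("Password must be at least #{@min_length} characters long")
  end

  # Section 3: `history` holds hashes of previously used passwords.
  # The hash function is an assumption of this example.
  defp check_history(password, history) do
    if hash(password) in history,
      do: error("This password has been used recently. Try another one"),
      else: :ok
  end

  def hash(password), do: :crypto.hash(:sha256, password) |> Base.encode16(case: :lower)

  defp error(description) do
    {:error, [{%{description: description, params: [], rule: :invalid}, "$.password"}]}
  end
end
```

`PasswordPolicy.validate("Пароль123456", [PasswordPolicy.hash("Пароль123456")])` returns the "used recently" error, while the same password with an empty history returns `:ok`.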

4

...

  • now() <= mithril.users.password_expires_at - config.password_to_change

...


...

Expire Passwords

Once a day, fetch all records from mithril.users where now() >= mithril.users.password_set_at + config.password_lifetime.

Do not send an access_token in the response from {{host}}/oauth/tokens until the password has been changed. Respond with Error 401 and the message "The password expired".