ЕСОЗ - публічна документація

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 9 Current »


Purpose

To protect system from fraud and to improve security policy the password policy must be improved.

Functional requirement

1. Complexity Validation

Validate complexity of user's password

  • has at least 12 characters long;
  • contains both upper- and lowercase letter and numbers (required), special characters (optional)

Must be controlled by regular expression: ^(?=.*[a-zа-яёїієґ])(?=.*[A-ZА-ЯЁЇIЄҐ])(?=.*\d)


  1. Validate upper, lowercase letter and numbers

In case of error - return 422 error (message: "Password does not meet complexity requirements")

{:error, [{%{
        description: "Password does not meet complexity requirements",
        params: [],
        rule: :invalid
      }, "$.password"}]}
    2. Validate password length (at least 12 characters long)

In case of error - return 422 error (message: "Password must be at least 12 characters long")

{:error, [{%{
        description: "Password must be at least 12 characters long",
        params: [],
        rule: :invalid
      }, "$.password"}]}
  • Add to mithril.users password_set_at = now()

2. Save passwords history

When $.decrypted_hash<>mihril.users.password (the user set up a new password)  -  add the row to mithril.user_passwords_history

Destination
Source
Description
id
Autogenerated
user_id$.user_idExtract user from token
password$.decrypted_hash
inserted_atTimestamp: now()Get current date-time

3. Not allow to use recently used passwords

While setting up a new password compare it with 3 previous passwords (saved decrypted_hash from mithril.user_passwords_history)

  • If $.decrypted_hash=mithril.user_passwords_history.password return 422 error (message: "This password has been used recently. Try another one")
{:error, [{%{
        description: "This password has been used recently. Try another one",
        params: [],
        rule: :invalid
      }, "$.password"}]}

4. Expire Passwords

Once a day fetch all records from mithril.users where now()>=mithril.users.password_set_at+config.password_lifetime

  • set expires_at=now() for all tokens where tokens.user_id=$user.id (--and tokens.name='refresh_token')

Don't send access_token in response on {{host}}/oauth/tokens  until the password will be changed. Show the message Error 401 "The password expired".

  • No labels