ЕСОЗ - публічна документація

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 3 Next »


Purpose

To protect system from fraud and to improve security policy the password policy must be improved.

Functional requirement

1. Complexity Validation

Validate complexity of user's password

  • has at least 12 characters long;
  • contains both upper- and lowercase letters, numbers, and special characters

Must be controlled by regular expression.

In case of error - return 422 error (message: "Password doest not meet complexity requirements")

{:error, [{%{
        description: "Password doest not meet complexity requirements",
        params: [],
        rule: :invalid
      }, "$.password"}]}
  • Add to mithril.users password_expires_at = now()+config.password_lifetime

2. Save passwords history

When $.decrypted_hash<>mihril.users.password (the user set up a new password)  -  add the row to mithril.user_passwords_history

Destination
Source
Description
id
Autogenerated
user_id$.user_idExtract user from token
password$.decrypted_hash
inserted_atTimestamp: now()Get current date-time

3. Not allow to use recently used passwords

While setting up a new password compare it with 3 previous passwords (saved decrypted_hash from mithril.user_passwords_history)

  • If $.decrypted_hash=mithril.user_passwords_history.password return 422 error (message: "This password has been used recently. Try another one")
{:error, [{%{
        description: "This password has been used recently. Try another one",
        params: [],
        rule: :invalid
      }, "$.password"}]}


4. Remind to change passwords

  • Each time when user login into system check condition:
    • now()<=mithril.users.password_expires_at-config.password_to_change
  • if condition=false
    • show message 'Your passwords expires soon. Please, change it to the new one.'

5. Expire Passwords

Fetch all records from mithril.users where now()>=mithril.users.password_expires_at

  • set expires_at=now() for all tokens where tokens.user_id=$user.id (--and tokens.name='refresh_token')
  • don't send access_token in response on {{host}}/oauth/tokens  until the password will be changed. Show the message "The password must be changed".
  • No labels