From 0158b1aa91f45c5ca69aafbc2783e605cbba5eaa Mon Sep 17 00:00:00 2001
From: Julian Lam
Date: Mon, 26 Mar 2018 12:55:15 -0400
Subject: [PATCH] Various password logic fixes on client and server-side
Fixes #6399 Fixes #6400
---
 public/language/en-GB/user.json | 1 -
 public/src/client/account/edit/password.js | 4 +++-
 public/src/client/register.js | 4 ++--
 public/src/client/reset_code.js | 2 ++
 src/user/create.js | 12 ++++++++++--
 test/user.js | 2 +-
 6 files changed, 18 insertions(+), 7 deletions(-)
diff --git a/public/language/en-GB/user.json b/public/language/en-GB/user.json
index 093179d80f..5a3c05ae15 100644
--- a/public/language/en-GB/user.json
+++ b/public/language/en-GB/user.json
@@ -56,7 +56,6 @@
 "change_password": "Change Password",
 "change_password_error": "Invalid Password!",
 "change_password_error_wrong_current": "Your current password is not correct!",
- "change_password_error_length": "Password too short!",
 "change_password_error_match": "Passwords must match!",
 "change_password_error_privileges": "You do not have the rights to change this password.",
 "change_password_success": "Your password is updated!",
diff --git a/public/src/client/account/edit/password.js b/public/src/client/account/edit/password.js
index 6aa66a13d8..4f4353d6f8 100644
--- a/public/src/client/account/edit/password.js
+++ b/public/src/client/account/edit/password.js
@@ -23,7 +23,9 @@ define('forum/account/edit/password', ['forum/account/header', 'translator', 'zx
 var passwordStrength = zxcvbn(password.val());
 passwordvalid = false;
 if (password.val().length < ajaxify.data.minimumPasswordLength) {
- showError(password_notify, '[[user:change_password_error_length]]');
+ showError(password_notify, '[[reset_password:password_too_short]]');
+ } else if (password.val().length > 512) {
+ showError(password_notify, '[[error:password-too-long]]');
 } else if (!utils.isPasswordValid(password.val())) {
 showError(password_notify, '[[user:change_password_error]]');
 } else if (password.val() === ajaxify.data.username) {
diff --git a/public/src/client/register.js b/public/src/client/register.js
index 5d1794e9d3..0423f543d3 100644
--- a/public/src/client/register.js
+++ b/public/src/client/register.js
@@ -178,8 +178,8 @@ define('forum/register', ['translator', 'zxcvbn'], function (translator, zxcvbn)
 var passwordStrength = zxcvbn(password);
 if (password.length < ajaxify.data.minimumPasswordLength) {
- showError(password_notify, '[[user:change_password_error_length]]');
- } else if (password.length > 4096) {
+ showError(password_notify, '[[reset_password:password_too_short]]');
+ } else if (password.length > 512) {
 showError(password_notify, '[[error:password-too-long]]');
 } else if (!utils.isPasswordValid(password)) {
 showError(password_notify, '[[user:change_password_error]]');
diff --git a/public/src/client/reset_code.js b/public/src/client/reset_code.js
index 94fceca534..bc305147c7 100644
--- a/public/src/client/reset_code.js
+++ b/public/src/client/reset_code.js
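Review bot: The new upper bound on the added `} else if (password.val().length > 512) {` line is a bare literal, and the same `512` is repeated in the register.js and reset_code.js hunks and in `User.isPasswordValid` in src/user/create.js, so the four checks can silently drift the next time the limit changes. The minimum already reaches the browser as `ajaxify.data.minimumPasswordLength`; the maximum could be defined once on the server and exposed the same way, with the client branches comparing against that value instead of the literal. Until then a short comment on this line naming why the client mirrors the server cap, e.g. `// keep in sync with the server-side limit in src/user/create.js`, would at least make the coupling visible. The `define('forum/account/edit/password', ...)` callback enclosing this hunk starts and ends outside it.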
@@ -15,6 +15,8 @@ define('forum/reset_code', ['zxcvbn'], function (zxcvbn) {
 var strength = zxcvbn(password.val());
 if (password.val().length < ajaxify.data.minimumPasswordLength) {
 app.alertError('[[reset_password:password_too_short]]');
+ } else if (password.val().length > 512) {
+ app.alertError('[[error:password-too-long]]');
 } else if (password.val() !== repeat.val()) {
 app.alertError('[[reset_password:passwords_do_not_match]]');
 } else if (strength.score < ajaxify.data.minimumPasswordStrength) {
diff --git a/src/user/create.js b/src/user/create.js
index 8b684cdacb..4352dd2d48 100644
--- a/src/user/create.js
+++ b/src/user/create.js
@@ -8,6 +8,8 @@
 var plugins = require('../plugins');
 var groups = require('../groups');
 var meta = require('../meta');
+var zxcvbn = require('zxcvbn');
+
 module.exports = function (User) {
 User.create = function (data, callback) {
 data.username = data.username.trim();
@@ -179,18 +181,24 @@ module.exports = function (User) {
 };
 User.isPasswordValid = function (password, callback) {
+ // Sanity checks: Checks if defined and is string
 if (!password || !utils.isPasswordValid(password)) {
 return callback(new Error('[[error:invalid-password]]'));
 }
 if (password.length < meta.config.minimumPasswordLength) {
- return callback(new Error('[[user:change_password_error_length]]'));
+ return callback(new Error('[[reset_password:password_too_short]]'));
 }
- if (password.length > 4096) {
+ if (password.length > 512) {
 return callback(new Error('[[error:password-too-long]]'));
 }
+ var strength = zxcvbn(password);
+ if (strength.score < meta.config.minimumPasswordStrength) {
+ return callback(new Error('[[user:weak_password]]'));
+ }
+
 callback();
 };
diff --git a/test/user.js b/test/user.js
index cc3097a228..f96205a5e4 100644
--- a/test/user.js
+++ b/test/user.js
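Review bot: The `> 512` branch added here only changes what the browser reports, and the server-side reset handler that eventually stores this password is not part of the patch; the only server caller of `User.isPasswordValid` visible in this diff is `User.create`. If the reset and change-password routes do not also pass the new password through `User.isPasswordValid`, the length cap and the zxcvbn score are enforced only by this client code and a request that bypasses the form keeps the old behaviour, which would fall short of the "client and server-side" in the subject. Worth confirming against those handlers before merging, or noting on this line that the server performs the same check: `// mirrored server-side in User.isPasswordValid`. The `define('forum/reset_code', ...)` callback enclosing this hunk starts and ends outside it.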
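Review bot: In `User.isPasswordValid` the new `strength.score < meta.config.minimumPasswordStrength` comparison is always false when the setting is absent (a number compared with `undefined` yields `false`), so an install that has never set it gets no strength enforcement at all, with no error or log line to show it; the older `minimumPasswordLength` comparison two checks earlier has the same property. If that is not the intended default, resolve it explicitly so the fallback is visible in code, e.g. `var minStrength = parseInt(meta.config.minimumPasswordStrength, 10) || 0;` followed by `if (strength.score < minStrength) {` (0 keeps today's behaviour but states it). The `> 512` check also deserves a why-comment now that it sits directly in front of the synchronous `zxcvbn(password)` call, whose running time grows with input length, so the cap bounds CPU per request as well as storage: `// Cap length before zxcvbn: it runs synchronously and its cost grows with input length`. The `module.exports = function (User)` wrapper enclosing this hunk begins and ends outside it.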
@@ -71,7 +71,7 @@ describe('User', function () {
 it('should error with invalid password', function (done) {
 User.create({ username: 'test', password: '1' }, function (err) {
- assert.equal(err.message, '[[user:change_password_error_length]]');
+ assert.equal(err.message, '[[reset_password:password_too_short]]');
 done();
 });
 });
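Review bot: The only assertion touched here still exercises just the too-short path, while the two server-side rejections this patch adds or tightens in src/user/create.js, `[[error:password-too-long]]` above 512 characters and `[[user:weak_password]]` from the zxcvbn score, have no test, so a regression in either would pass the suite. A sibling case for the length cap needs nothing beyond what this hunk already uses (shown below, assuming `utils.isPasswordValid` accepts the repeated character); the strength case depends on `meta.config.minimumPasswordStrength` being set in the test setup, which is not visible here, so it would need that configured first. The `describe('User', ...)` block enclosing this hunk starts and ends outside it.
```javascript
it('should error with too long password', function (done) {
	User.create({ username: 'test', password: 'a'.repeat(513) }, function (err) {
		assert.equal(err.message, '[[error:password-too-long]]');
		done();
	});
});
```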