[DRAFT][15.0][IMP] auth_password_pwned: check passwords against haveibeenpwned.com #645

Draft · wants to merge 2 commits into base: 15.0

Conversation

ap-wtioit
Contributor

@ap-wtioit ap-wtioit commented May 8, 2024

Adding a module that checks password hashes against the haveibeenpwned.com API to make sure publicly known passwords cannot be set in Odoo and can no longer be used to log in. The user is forced to use the password reset upon login if it is enabled: an email is sent to them (if auth_signup is installed), or they have to contact an admin to ensure a safe password change.

This is still work in progress. Feedback welcome.

Planned tasks (next week):

  • adding tests
  • remove password_security changes and move them into a separate module (to be added later)
  • adding translation
  • fix license badge in README.rst

Further reading:
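The check the PR describes is usually done against the Pwned Passwords "range" endpoint with k-anonymity: the client sends only the first five hex characters of the SHA-1 of the password and compares the remaining 35 characters locally against the returned list, so neither the password nor its full hash leaves the host. The following is an added example of that flow written for this page; it is not the code from this PR or from the OCA module. It assumes the API shape `GET https://api.pwnedpasswords.com/range/<5-hex-prefix>` returning `<35-hex-suffix>:<count>` lines, and it ships with a constructed sample response so it runs offline (the count in the sample is made up, only the SHA-1 of "password" is real).

```python
"""Added example (not the PR's code): k-anonymity check of a password against
the haveibeenpwned.com Pwned Passwords range API.

Assumptions (not taken from the PR):
  * API: GET https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1>
  * Response: one "<remaining 35 hex chars>:<count>" entry per line
The fetcher is injected so the logic can be exercised offline and so that a
caller can decide how to handle network failures (see pwned_count docstring).
"""
import hashlib
from typing import Callable, Iterable, List

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def _sha1_upper(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form the API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times `password` was seen in breaches (0 = not found).

    `fetch_range(prefix)` must return the raw response body for a 5-hex-char
    prefix. Only that prefix is ever passed to it; the suffix match happens
    here. Any exception raised by `fetch_range` is propagated unchanged so the
    caller can choose fail-open (allow login, log a warning) or fail-closed.
    """
    digest = _sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            # A non-numeric or "0" count (padding entries) means "not seen".
            try:
                return int(count)
            except ValueError:
                return 0
    return 0


def passwords_have_been_pwned(
    passwords: Iterable[str], fetch_range: Callable[[str], str]
) -> List[bool]:
    """Vectorised form matching the PR's per-password-list intent."""
    return [pwned_count(p, fetch_range) > 0 for p in passwords]


def fetch_range_live(prefix: str) -> str:
    """Real fetcher (assumed API shape; not exercised by the offline test)."""
    import urllib.request

    req = urllib.request.Request(
        RANGE_URL + prefix, headers={"User-Agent": "hibp-range-example"}
    )
    with urllib.request.urlopen(req, timeout=5) as resp:  # nosec: fixed HTTPS host
        return resp.read().decode("utf-8")


# --- constructed sample data for offline use --------------------------------
# SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8 (real value).
# The count 3861493 and the other two suffixes are made up for this example.
SAMPLE_RANGE_5BAA6 = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
    "0000000000000000000000000000000AAAA:7\n"
    "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:0\n"
)


class FakeRangeClient:
    """Serves the constructed sample and records which prefixes were asked for,
    which lets a test prove that only 5 hex characters are transmitted."""

    def __init__(self) -> None:
        self.requested: List[str] = []

    def __call__(self, prefix: str) -> str:
        assert len(prefix) == 5, "only the 5-char prefix may be sent"
        self.requested.append(prefix)
        return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    client = FakeRangeClient()
    print(passwords_have_been_pwned(["password", "unlisted-value"], client))
    print("prefixes sent:", client.requested)
```

In an Odoo `_set_password` / `_check_credentials` override the fetcher would be `fetch_range_live`, and the surrounding code has to decide what an API timeout means: raising inside the login path locks every user out while the service is unreachable, so a practitioner would normally log and fail open there and only fail closed when a new password is being set.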

@ap-wtioit ap-wtioit marked this pull request as draft May 8, 2024 16:38
@pedrobaeza pedrobaeza added this to the 15.0 milestone May 9, 2024

github-actions bot commented Sep 8, 2024

There hasn't been any activity on this pull request in the past 4 months, so it has been marked as stale and it will be closed automatically if no further activity occurs in the next 30 days.
If you want this PR to never become stale, please ask a PSC member to apply the "no stale" label.

@github-actions github-actions bot added the "stale" label (PR/Issue without recent activity, it'll be soon closed automatically) Sep 8, 2024

@amh-mw amh-mw left a comment


Commit should be prefixed [ADD] not [IMP], since a new module has been created.

request.env["ir.config_parameter"]
.sudo()
.get_param("auth_signup.reset_password")
== "True"

Seems aberrant to check for a string value to exactly equal True, but that does seem to match what the auth_signup module does.


super()._set_password()

def _passswordshavebeenpwned(self, passwords):

Misspelled _passsword with third s?

@github-actions github-actions bot removed the "stale" label (PR/Issue without recent activity, it'll be soon closed automatically) Sep 15, 2024
@ap-wtioit ap-wtioit force-pushed the 15.0-imp_auth_password_pwned branch 2 times, most recently from e8dd4be to 1089bdb September 30, 2024 13:26
3 participants