feat: check history limit

2024-06-28 19:20:25 +12:00 · 2022-12-16 10:47:08 +00:00 · 2022-12-16 10:47:08 +00:00 · 0b1b7b8170
parent cfd5a91c43
commit 0b1b7b8170
3 changed files with 33 additions and 15 deletions
--- a/app/controllers/api/account.php
+++ b/app/controllers/api/account.php
@ -1509,24 +1509,33 @@ App::patch('/v1/account/password')
    ->param('oldPassword', '', new Password(), 'Current user password. Must be at least 8 chars.', true)
    ->inject('response')
    ->inject('user')
+    ->inject('project')
    ->inject('dbForProject')
    ->inject('events')
-    ->action(function (string $password, string $oldPassword, Response $response, Document $user, Database $dbForProject, Event $events) {
+    ->action(function (string $password, string $oldPassword, Response $response, Document $user, Document $project, Database $dbForProject, Event $events) {

        // Check old password only if its an existing user.
        if (!empty($user->getAttribute('passwordUpdate')) && !Auth::passwordVerify($oldPassword, $user->getAttribute('password'), $user->getAttribute('hash'), $user->getAttribute('hashOptions'))) { // Double check user password
            throw new Exception(Exception::USER_INVALID_CREDENTIALS);
        }

-        $history = $user->getAttribute('passwordHistory', []);
-        $newPassword = Auth::passwordHash($password, Auth::DEFAULT_ALGO, Auth::DEFAULT_ALGO_OPTIONS);
+        $historyLimit = $project->getAttribute('auths', [])['passwordHistory'] ?? 0;

-        if(in_array($newPassword, $history)) {
-            throw new Exception(Exception::USER_PASSWORD_RECENTLY_USED, 'The password was recently used', 409);
+        $history = [];
+        if($historyLimit > 0) {
+            $history = $user->getAttribute('passwordHistory', []);
+            $newPassword = Auth::passwordHash($password, Auth::DEFAULT_ALGO, Auth::DEFAULT_ALGO_OPTIONS);
+    
+            if(in_array($newPassword, $history)) {
+                throw new Exception(Exception::USER_PASSWORD_RECENTLY_USED, 'The password was recently used', 409);
+            }
+    
+            $history[] = $newPassword;
+            while(count($history) > $historyLimit) {
+                array_pop($history);
+            }
        }

-        $history[] = $newPassword;
-
        $user = $dbForProject->updateDocument('users', $user->getId(), $user
                ->setAttribute('passwordHistory', $history)
                ->setAttribute('password', $newPassword)
--- a/app/controllers/api/projects.php
+++ b/app/controllers/api/projects.php
@ -81,7 +81,7 @@ App::post('/v1/projects')
        }

        $auth = Config::getParam('auth', []);
-        $auths = ['limit' => 0, 'maxSessions' => APP_LIMIT_USER_SESSIONS_DEFAULT, 'duration' => Auth::TOKEN_EXPIRATION_LOGIN_LONG];
+        $auths = ['limit' => 0, 'maxSessions' => APP_LIMIT_USER_SESSIONS_DEFAULT, 'passwordHistory' => 0, 'duration' => Auth::TOKEN_EXPIRATION_LOGIN_LONG];
        foreach ($auth as $index => $method) {
            $auths[$method['key'] ?? ''] = true;
        }
--- a/app/controllers/api/users.php
+++ b/app/controllers/api/users.php
@ -783,9 +783,10 @@ App::patch('/v1/users/:userId/password')
    ->param('userId', '', new UID(), 'User ID.')
    ->param('password', '', new Password(), 'New user password. Must be at least 8 chars.')
    ->inject('response')
+    ->inject('project')
    ->inject('dbForProject')
    ->inject('events')
-    ->action(function (string $userId, string $password, Response $response, Database $dbForProject, Event $events) {
+    ->action(function (string $userId, string $password, Response $response, Document $project, Database $dbForProject, Event $events) {

        $user = $dbForProject->getDocument('users', $userId);

@ -793,15 +794,23 @@ App::patch('/v1/users/:userId/password')
            throw new Exception(Exception::USER_NOT_FOUND);
        }

-        $history = $user->getAttribute('passwordHistory', []);
-        $newPassword = Auth::passwordHash($password, Auth::DEFAULT_ALGO, Auth::DEFAULT_ALGO_OPTIONS);
+        $historyLimit = $project->getAttribute('auths', [])['passwordHistory'] ?? 0;

-        if(in_array($newPassword, $history)) {
-            throw new Exception(Exception::USER_PASSWORD_RECENTLY_USED, 'The password was recently used', 409);
+        $history = [];
+        if($historyLimit > 0) {
+            $history = $user->getAttribute('passwordHistory', []);
+            $newPassword = Auth::passwordHash($password, Auth::DEFAULT_ALGO, Auth::DEFAULT_ALGO_OPTIONS);
+    
+            if(in_array($newPassword, $history)) {
+                throw new Exception(Exception::USER_PASSWORD_RECENTLY_USED, 'The password was recently used', 409);
+            }
+    
+            $history[] = $newPassword;
+            while(count($history) > $historyLimit) {
+                array_pop($history);
+            }
        }

-        $history[] = $newPassword;
-
        $user
            ->setAttribute('passwordHistory', $history)
            ->setAttribute('password', $newPassword)