
비밀번호 정책 유효성 검사 이슈

2026-01-27 15:37:55 +09:00
parent 920c98a8f8
commit 1f7835f5a9


@@ -749,44 +749,6 @@ func (h *AuthHandler) PasswordLogin(c *fiber.Ctx) error {
ale.Log(slog.LevelInfo, "Attempting to login") ale.Log(slog.LevelInfo, "Attempting to login")
// Validate password complexity before sending to Descope
password := req.Password
if len(password) < 8 {
ale.Status = fiber.StatusBadRequest
ale.LatencyMs = time.Since(startTime)
ale.DescopeError = "Password must be at least 8 characters long"
ale.Log(slog.LevelWarn, "Validation failed: password too short")
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Password must be at least 8 characters long"})
}
if ok, _ := regexp.MatchString(`[a-z]`, password); !ok {
ale.Status = fiber.StatusBadRequest
ale.LatencyMs = time.Since(startTime)
ale.DescopeError = "Password must contain at least one lowercase letter"
ale.Log(slog.LevelWarn, "Validation failed: no lowercase letter")
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Password must contain at least one lowercase letter"})
}
if ok, _ := regexp.MatchString(`[A-Z]`, password); !ok {
ale.Status = fiber.StatusBadRequest
ale.LatencyMs = time.Since(startTime)
ale.DescopeError = "Password must contain at least one uppercase letter"
ale.Log(slog.LevelWarn, "Validation failed: no uppercase letter")
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Password must contain at least one uppercase letter"})
}
if ok, _ := regexp.MatchString(`[0-9]`, password); !ok {
ale.Status = fiber.StatusBadRequest
ale.LatencyMs = time.Since(startTime)
ale.DescopeError = "Password must contain at least one number"
ale.Log(slog.LevelWarn, "Validation failed: no number")
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Password must contain at least one number"})
}
if ok, _ := regexp.MatchString(`[\W_]`, password); !ok {
ale.Status = fiber.StatusBadRequest
ale.LatencyMs = time.Since(startTime)
ale.DescopeError = "Password must contain at least one special character"
ale.Log(slog.LevelWarn, "Validation failed: no special character")
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Password must contain at least one special character"})
}
if h.DescopeClient == nil { if h.DescopeClient == nil {
ale.Status = fiber.StatusInternalServerError ale.Status = fiber.StatusInternalServerError
ale.LatencyMs = time.Since(startTime) ale.LatencyMs = time.Since(startTime)
@@ -1076,14 +1038,20 @@ func (h *AuthHandler) CompletePasswordReset(c *fiber.Ctx) error {
// 디버깅을 위해 요청된 새 비밀번호를 로그로 출력 // 디버깅을 위해 요청된 새 비밀번호를 로그로 출력
ale.Log(slog.LevelInfo, "Received new password for reset") ale.Log(slog.LevelInfo, "Received new password for reset")
// Validate password complexity // Validate password complexity dynamically based on Descope policy
if len(req.NewPassword) < 8 { policy, err := h.DescopeClient.Auth.Password().GetPasswordPolicy(context.Background())
if err != nil {
// If policy fetch fails, log warning and proceed (or fallback to basic check)
ale.Log(slog.LevelWarn, "Failed to fetch password policy, skipping dynamic validation: "+err.Error())
} else {
if len(req.NewPassword) < int(policy.MinLength) {
ale.Status = fiber.StatusBadRequest ale.Status = fiber.StatusBadRequest
ale.LatencyMs = time.Since(startTime) ale.LatencyMs = time.Since(startTime)
ale.DescopeError = "Password must be at least 8 characters long" ale.DescopeError = fmt.Sprintf("Password must be at least %d characters long", policy.MinLength)
ale.Log(slog.LevelWarn, "Validation failed: password too short") ale.Log(slog.LevelWarn, "Validation failed: password too short")
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Password must be at least 8 characters long"}) return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": ale.DescopeError})
} }
if policy.Lowercase {
if ok, _ := regexp.MatchString(`[a-z]`, req.NewPassword); !ok { if ok, _ := regexp.MatchString(`[a-z]`, req.NewPassword); !ok {
ale.Status = fiber.StatusBadRequest ale.Status = fiber.StatusBadRequest
ale.LatencyMs = time.Since(startTime) ale.LatencyMs = time.Since(startTime)
@@ -1091,6 +1059,8 @@ func (h *AuthHandler) CompletePasswordReset(c *fiber.Ctx) error {
ale.Log(slog.LevelWarn, "Validation failed: no lowercase letter") ale.Log(slog.LevelWarn, "Validation failed: no lowercase letter")
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Password must contain at least one lowercase letter"}) return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Password must contain at least one lowercase letter"})
} }
}
if policy.Uppercase {
if ok, _ := regexp.MatchString(`[A-Z]`, req.NewPassword); !ok { if ok, _ := regexp.MatchString(`[A-Z]`, req.NewPassword); !ok {
ale.Status = fiber.StatusBadRequest ale.Status = fiber.StatusBadRequest
ale.LatencyMs = time.Since(startTime) ale.LatencyMs = time.Since(startTime)
@@ -1098,6 +1068,8 @@ func (h *AuthHandler) CompletePasswordReset(c *fiber.Ctx) error {
ale.Log(slog.LevelWarn, "Validation failed: no uppercase letter") ale.Log(slog.LevelWarn, "Validation failed: no uppercase letter")
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Password must contain at least one uppercase letter"}) return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Password must contain at least one uppercase letter"})
} }
}
if policy.Number {
if ok, _ := regexp.MatchString(`[0-9]`, req.NewPassword); !ok { if ok, _ := regexp.MatchString(`[0-9]`, req.NewPassword); !ok {
ale.Status = fiber.StatusBadRequest ale.Status = fiber.StatusBadRequest
ale.LatencyMs = time.Since(startTime) ale.LatencyMs = time.Since(startTime)
@@ -1105,6 +1077,8 @@ func (h *AuthHandler) CompletePasswordReset(c *fiber.Ctx) error {
ale.Log(slog.LevelWarn, "Validation failed: no number") ale.Log(slog.LevelWarn, "Validation failed: no number")
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Password must contain at least one number"}) return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Password must contain at least one number"})
} }
}
if policy.NonAlphanumeric {
if ok, _ := regexp.MatchString(`[\W_]`, req.NewPassword); !ok { if ok, _ := regexp.MatchString(`[\W_]`, req.NewPassword); !ok {
ale.Status = fiber.StatusBadRequest ale.Status = fiber.StatusBadRequest
ale.LatencyMs = time.Since(startTime) ale.LatencyMs = time.Since(startTime)
@@ -1112,6 +1086,8 @@ func (h *AuthHandler) CompletePasswordReset(c *fiber.Ctx) error {
ale.Log(slog.LevelWarn, "Validation failed: no special character") ale.Log(slog.LevelWarn, "Validation failed: no special character")
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Password must contain at least one special character"}) return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Password must contain at least one special character"})
} }
}
}
ale.Log(slog.LevelInfo, "Attempting to update password via Descope Auth API") ale.Log(slog.LevelInfo, "Attempting to update password via Descope Auth API")
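Review bot: When GetPasswordPolicy fails (the `err != nil` branch right after the `policy, err :=` line in the CompletePasswordReset hunk), the reset proceeds with no local validation at all, although the comment promises a fallback to the basic check the old code enforced; the call also uses `context.Background()`, so a stalled policy request is not cancelled with the client request. Seed the rule set with the previous fixed defaults, overwrite them only on a successful fetch, and derive the context from the request with a timeout, as sketched below; the `if policy.Lowercase {` / `Uppercase` / `Number` / `NonAlphanumeric` gates in the following hunks then read the local flags. Separately, the five `regexp.MatchString` calls recompile their pattern on every request and discard the compile error; hoisting them to package-level `regexp.MustCompile` vars fixes both. The context comment above the `Received new password for reset` log says the new password itself is logged for debugging, which the visible call does not do — rewording it to `// Log that a new password was received (never log its value)` keeps someone from "completing" it later. CompletePasswordReset starts and ends outside these hunks, so whether h.DescopeClient is nil-checked earlier (as PasswordLogin does) is not visible here.
```go
// Start from the fixed rule set the old code enforced; a successful policy fetch overrides it.
minLen, needLower, needUpper, needDigit, needSpecial := 8, true, true, true, true
// 5s is a constructed placeholder; size it to the policy endpoint's expected latency.
ctx, cancel := context.WithTimeout(c.UserContext(), 5*time.Second)
defer cancel()
policy, err := h.DescopeClient.Auth.Password().GetPasswordPolicy(ctx)
if err != nil {
	ale.Log(slog.LevelWarn, "Failed to fetch password policy, falling back to default rules: "+err.Error())
} else {
	minLen = int(policy.MinLength)
	needLower, needUpper, needDigit, needSpecial = policy.Lowercase, policy.Uppercase, policy.Number, policy.NonAlphanumeric
}
if len(req.NewPassword) < minLen {
	// … unchanged: 400 response, message built from minLen instead of policy.MinLength …
}
if needLower {
	// … unchanged: lowercase check; needUpper / needDigit / needSpecial gate the remaining checks the same way …
}
```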