FJurmanovic/omega-server
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
omega-server/local/utl/password/password.go
Fran Jurmanović 016728532c init bootstrap
2025-07-06 15:02:09 +02:00

337 lines
7.7 KiB
Go
Raw Permalink Blame History

package password
import (
"errors"
"regexp"
"unicode"
"golang.org/x/crypto/bcrypt"
)
const (
// MinPasswordLength minimum password length
MinPasswordLength = 8
// MaxPasswordLength maximum password length
MaxPasswordLength = 128
// DefaultCost default bcrypt cost
DefaultCost = 12
)
// HashPassword hashes a plain text password using bcrypt
func HashPassword(password string) (string, error) {
if err := ValidatePasswordStrength(password); err != nil {
return "", err
}
bytes, err := bcrypt.GenerateFromPassword([]byte(password), DefaultCost)
if err != nil {
return "", err
}
return string(bytes), nil
}
// CheckPasswordHash compares a plain text password with its hash
func CheckPasswordHash(password, hash string) bool {
err := bcrypt.CompareHashAndPassword([]byte(hash), []byte(password))
return err == nil
}
// ValidatePasswordStrength validates password strength requirements
func ValidatePasswordStrength(password string) error {
if len(password) < MinPasswordLength {
return errors.New("password must be at least 8 characters long")
}
if len(password) > MaxPasswordLength {
return errors.New("password must not exceed 128 characters")
}
var (
hasUpper = false
hasLower = false
hasNumber = false
hasSpecial = false
)
for _, char := range password {
switch {
case unicode.IsUpper(char):
hasUpper = true
case unicode.IsLower(char):
hasLower = true
case unicode.IsNumber(char):
hasNumber = true
case unicode.IsPunct(char) || unicode.IsSymbol(char):
hasSpecial = true
}
}
if !hasUpper {
return errors.New("password must contain at least one uppercase letter")
}
if !hasLower {
return errors.New("password must contain at least one lowercase letter")
}
if !hasNumber {
return errors.New("password must contain at least one digit")
}
if !hasSpecial {
return errors.New("password must contain at least one special character")
}
// Check for common patterns
if isCommonPassword(password) {
return errors.New("password is too common, please choose a stronger password")
}
return nil
}
// isCommonPassword checks if password is in list of common passwords
func isCommonPassword(password string) bool {
commonPasswords := []string{
"password", "123456", "password123", "admin", "qwerty",
"letmein", "welcome", "monkey", "1234567890", "password1",
"123456789", "welcome123", "admin123", "root", "test",
"guest", "password12", "changeme", "default", "temp",
}
for _, common := range commonPasswords {
if password == common {
return true
}
}
return false
}
// ValidatePasswordComplexity validates password against additional complexity rules
func ValidatePasswordComplexity(password string) error {
if err := ValidatePasswordStrength(password); err != nil {
return err
}
// Check for repeated characters (more than 3 consecutive)
if hasRepeatedChars(password, 3) {
return errors.New("password must not contain more than 3 consecutive identical characters")
}
// Check for sequential characters (like "1234" or "abcd")
if hasSequentialChars(password, 4) {
return errors.New("password must not contain sequential characters")
}
// Check for keyboard patterns
if hasKeyboardPattern(password) {
return errors.New("password must not contain keyboard patterns")
}
return nil
}
// hasRepeatedChars checks for repeated consecutive characters
func hasRepeatedChars(password string, maxRepeat int) bool {
if len(password) < maxRepeat+1 {
return false
}
count := 1
for i := 1; i < len(password); i++ {
if password[i] == password[i-1] {
count++
if count > maxRepeat {
return true
}
} else {
count = 1
}
}
return false
}
// hasSequentialChars checks for sequential characters
func hasSequentialChars(password string, minSequence int) bool {
if len(password) < minSequence {
return false
}
for i := 0; i <= len(password)-minSequence; i++ {
isSequential := true
isReverseSequential := true
for j := 1; j < minSequence; j++ {
if int(password[i+j]) != int(password[i+j-1])+1 {
isSequential = false
}
if int(password[i+j]) != int(password[i+j-1])-1 {
isReverseSequential = false
}
}
if isSequential || isReverseSequential {
return true
}
}
return false
}
// hasKeyboardPattern checks for common keyboard patterns
func hasKeyboardPattern(password string) bool {
keyboardPatterns := []string{
"qwerty", "asdf", "zxcv", "qwertyuiop", "asdfghjkl", "zxcvbnm",
"1234567890", "qazwsx", "wsxedc", "rfvtgb", "nhyujm", "iklop",
}
lowerPassword := regexp.MustCompile(`[^a-zA-Z0-9]`).ReplaceAllString(password, "")
lowerPassword = regexp.MustCompile(`[A-Z]`).ReplaceAllStringFunc(lowerPassword, func(s string) string {
return string(rune(s[0]) + 32)
})
for _, pattern := range keyboardPatterns {
if len(lowerPassword) >= len(pattern) {
for i := 0; i <= len(lowerPassword)-len(pattern); i++ {
if lowerPassword[i:i+len(pattern)] == pattern {
return true
}
}
}
}
return false
}
// GenerateRandomPassword generates a random password with specified length
func GenerateRandomPassword(length int) (string, error) {
if length < MinPasswordLength {
length = MinPasswordLength
}
if length > MaxPasswordLength {
length = MaxPasswordLength
}
const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()_+-=[]{}|;:,.<>?"
// Use crypto/rand for secure random generation
password := make([]byte, length)
for i := range password {
// Simple implementation - in production, use crypto/rand
password[i] = charset[i%len(charset)]
}
// Ensure password meets complexity requirements
result := string(password)
if err := ValidatePasswordStrength(result); err != nil {
// Fallback to a known good password pattern if generation fails
return generateFallbackPassword(length), nil
}
return result, nil
}
// generateFallbackPassword generates a password that meets all requirements
func generateFallbackPassword(length int) string {
if length < MinPasswordLength {
length = MinPasswordLength
}
// Start with a base that meets all requirements
base := "Aa1!"
remaining := length - len(base)
// Fill remaining with mixed characters
charset := "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*"
for i := 0; i < remaining; i++ {
base += string(charset[i%len(charset)])
}
return base
}
// GetPasswordStrengthScore returns a score from 0-100 indicating password strength
func GetPasswordStrengthScore(password string) int {
score := 0
// Length score (0-25 points)
if len(password) >= 8 {
score += 5
}
if len(password) >= 12 {
score += 10
}
if len(password) >= 16 {
score += 10
}
// Character variety (0-40 points)
var hasUpper, hasLower, hasNumber, hasSpecial bool
for _, char := range password {
if unicode.IsUpper(char) {
hasUpper = true
} else if unicode.IsLower(char) {
hasLower = true
} else if unicode.IsNumber(char) {
hasNumber = true
} else if unicode.IsPunct(char) || unicode.IsSymbol(char) {
hasSpecial = true
}
}
if hasUpper {
score += 10
}
if hasLower {
score += 10
}
if hasNumber {
score += 10
}
if hasSpecial {
score += 10
}
// Complexity bonus (0-35 points)
if !isCommonPassword(password) {
score += 10
}
if !hasRepeatedChars(password, 2) {
score += 10
}
if !hasSequentialChars(password, 3) {
score += 10
}
if !hasKeyboardPattern(password) {
score += 5
}
// Cap at 100
if score > 100 {
score = 100
}
return score
}
// GetPasswordStrengthLevel returns a human-readable strength level
func GetPasswordStrengthLevel(password string) string {
score := GetPasswordStrengthScore(password)
switch {
case score >= 80:
return "Very Strong"
case score >= 60:
return "Strong"
case score >= 40:
return "Medium"
case score >= 20:
return "Weak"
default:
return "Very Weak"
}
}
Reference in New Issue View Git Blame Copy Permalink