From 7c09ce6b5c633eae79746fb2fa6d5bd1b5591ba1 Mon Sep 17 00:00:00 2001
From: MangosArentLiterature
 <58055358+MangosArentLiterature@users.noreply.github.com>
Date: Sat, 8 May 2021 21:15:16 -0500
Subject: [PATCH 1/3] Add password requirements

* Adds several configurable options for server owners to set requirements for passwords.
* This system can be enabled/disabled with the password_requirements option.
* Checks new and updated passwords against these requirements.
---
 bin/config_sample/config.ini    |  9 ++++++++
 include/aoclient.h              | 11 ++++++++++
 include/server.h                | 35 +++++++++++++++++++++++++++++++
 src/commands/authentication.cpp | 14 +++++++++++++
 src/commands/command_helper.cpp | 37 +++++++++++++++++++++++++++++++++
 src/server.cpp                  | 19 +++++++++++++++++
 6 files changed, 125 insertions(+)

diff --git a/bin/config_sample/config.ini b/bin/config_sample/config.ini
index 4f80324..a609083 100644
--- a/bin/config_sample/config.ini
+++ b/bin/config_sample/config.ini
@@ -29,3 +29,12 @@ max_dice=100
 webhook_enabled=false
 webhook_url=Your webhook url here.
 webhook_sendfile=false
+
+[Password]
+password_requirements = true
+pass_min_length = 8
+pass_max_length = 0
+pass_required_mix_case = true
+pass_required_numbers = true
+pass_required_special = true
+pass_contain_username = false
diff --git a/include/aoclient.h b/include/aoclient.h
index 8f6a16e..0b05d2f 100644
--- a/include/aoclient.h
+++ b/include/aoclient.h
@@ -1874,6 +1874,17 @@ class AOClient : public QObject {
      * @return IC-Message stored in the QVector.
      */
     QStringList playTestimony();
+
+    /**
+     * @brief Checks if a password meets the server's password requirements.
+     *
+     * @param username The chosen username.
+     *
+     * @param password The password to check.
+     *
+     * @return True if the password meets the requirements, otherwise false.
+     */
+    bool checkPasswordRequirements(QString username, QString password);
     ///@}
 
     /**
diff --git a/include/server.h b/include/server.h
index 3e610d2..c1e17e6 100644
--- a/include/server.h
+++ b/include/server.h
@@ -318,6 +318,41 @@ class Server : public QObject {
      */
     int message_floodguard;
 
+    /**
+     * @brief Whether password requirements are enabled.
+     */
+    bool password_requirements = true;
+
+    /**
+     * @brief The minimum length passwords can be.
+     */
+    int password_minimum_length;
+
+    /**
+     * @brief The maximum length passwords can be.
+     */
+    int password_maximum_length;
+
+    /**
+     * @brief Whether passwords must be mixed case.
+     */
+    bool password_require_mixed_case = true;
+
+    /**
+     * @brief Whether passwords must contain numbers.
+     */
+    bool password_require_numbers = true;
+
+    /**
+     * @brief Whether passwords must contain special characters.
+     */
+    bool password_require_special_characters = true;
+
+    /**
+     * @brief Whether passwords can contain the associated username.
+     */
+    bool password_can_contain_username = false;
+
   public slots:
     /**
      * @brief Handles a new connection.
diff --git a/src/commands/authentication.cpp b/src/commands/authentication.cpp
index afe97b3..203f306 100644
--- a/src/commands/authentication.cpp
+++ b/src/commands/authentication.cpp
@@ -57,6 +57,11 @@ void AOClient::cmdSetRootPass(int argc, QStringList argv)
     if (!change_auth_started)
         return;
 
+    if (!checkPasswordRequirements("root", argv[0])) {
+        sendServerMessage("Password does not meet server requirements.");
+        return;
+    }
+
     sendServerMessage("Changing auth type and setting root password.\nLogin again with /login root [password]");
     authenticated = false;
     QSettings settings("config/config.ini", QSettings::IniFormat);
@@ -79,6 +84,10 @@ void AOClient::cmdSetRootPass(int argc, QStringList argv)
 
 void AOClient::cmdAddUser(int argc, QStringList argv)
 {
+    if (!checkPasswordRequirements(argv[0], argv[1])) {
+        sendServerMessage("Password does not meet server requirements.");
+        return;
+    }
 #if QT_VERSION < QT_VERSION_CHECK(5, 10, 0)
     qsrand(QDateTime::currentMSecsSinceEpoch());
     quint32 upper_salt = qrand();
@@ -252,6 +261,11 @@ void AOClient::cmdChangePassword(int argc, QStringList argv)
         return;
     }
 
+    if (!checkPasswordRequirements(username, password)) {
+        sendServerMessage("Password does not meet server requirements.");
+        return;
+    }
+
     if (server->db_manager->updatePassword(username, password)) {
         sendServerMessage("Successfully changed password.");
     }
diff --git a/src/commands/command_helper.cpp b/src/commands/command_helper.cpp
index 6fb8665..c526f7d 100644
--- a/src/commands/command_helper.cpp
+++ b/src/commands/command_helper.cpp
@@ -169,3 +169,40 @@ QString AOClient::getReprimand(bool positive)
         return server->reprimands_list[genRand(0, server->reprimands_list.size() - 1)];
         }
 }
+
+bool AOClient::checkPasswordRequirements(QString username, QString password)
+{
+    QString decoded_password = decodeMessage(password);
+    if (!server->password_requirements)
+        return true;
+
+    if (server->password_minimum_length > decoded_password.length())
+        return false;
+
+    if (server->password_maximum_length < decoded_password.length() && server->password_maximum_length != 0)
+        return false;
+
+    else if (server->password_require_mixed_case) {
+        if (decoded_password.toLower() == decoded_password)
+            return false;
+        if (decoded_password.toUpper() == decoded_password)
+            return false;
+    }
+    else if (server->password_require_numbers) {
+        QRegularExpression regex("[0123456789]");
+        QRegularExpressionMatch match = regex.match(decoded_password);
+        if (!match.hasMatch())
+            return false;
+    }
+    else if (server->password_require_special_characters) {
+        QRegularExpression regex("[~!@#$%^&*_-+=`|\\(){}\[]:;\"'<>,.?/]");
+        QRegularExpressionMatch match = regex.match(decoded_password);
+        if (!match.hasMatch())
+            return false;
+    }
+    else if (!server->password_can_contain_username) {
+        if (decoded_password.contains(username))
+            return false;
+    }
+    return true;
+}
diff --git a/src/server.cpp b/src/server.cpp
index 21bf840..dc33585 100644
--- a/src/server.cpp
+++ b/src/server.cpp
@@ -309,6 +309,25 @@ void Server::loadServerConfig()
     webhook_url = config.value("webhook_url", "Your webhook url here.").toString();
     webhook_sendfile = config.value("webhook_sendfile", false).toBool();
     config.endGroup();
+
+    //Load password configuration
+    config.beginGroup("Password");
+    password_requirements = config.value("password_requirements", "false").toBool();
+    if (password_requirements) {
+        bool password_minimum_length_conversion_success;
+        password_minimum_length = config.value("pass_min_length", "8").toInt(&password_minimum_length_conversion_success);
+        if (!password_minimum_length_conversion_success)
+            password_minimum_length = 8;
+        bool password_maximum_length_conversion_success;
+        password_maximum_length = config.value("pass_max_length", "16").toInt(&password_maximum_length_conversion_success);
+        if (!password_minimum_length_conversion_success)
+            password_maximum_length = 16;
+        password_require_mixed_case = config.value("pass_require_mix_case", "true").toBool();
+        password_require_numbers = config.value("pass_require_numbers", "true").toBool();
+        password_require_special_characters = config.value("pass_require_special", "true").toBool();
+        password_can_contain_username = config.value("pass_contain_username", "false").toBool();
+    }
+    config.endGroup();
 }
 
 void Server::allowMessage()

From 93de5d3860dc9d65c86dfa5530fab74cd494d911 Mon Sep 17 00:00:00 2001
From: Rebecca <58055358+MangosArentLiterature@users.noreply.github.com>
Date: Tue, 11 May 2021 18:17:13 -0500
Subject: [PATCH 2/3] Update bin/config_sample/config.ini

Co-authored-by: Rose <32779090+in1tiate@users.noreply.github.com>
---
 bin/config_sample/config.ini | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/bin/config_sample/config.ini b/bin/config_sample/config.ini
index a609083..5e103cb 100644
--- a/bin/config_sample/config.ini
+++ b/bin/config_sample/config.ini
@@ -37,4 +37,4 @@ pass_max_length = 0
 pass_required_mix_case = true
 pass_required_numbers = true
 pass_required_special = true
-pass_contain_username = false
+pass_can_contain_username = false

From ade32a9f4fb0a5fa1fa670a2aecdffb59e90b9ed Mon Sep 17 00:00:00 2001
From: Rebecca <58055358+MangosArentLiterature@users.noreply.github.com>
Date: Tue, 11 May 2021 18:17:23 -0500
Subject: [PATCH 3/3] Update src/server.cpp

Co-authored-by: Rose <32779090+in1tiate@users.noreply.github.com>
---
 src/server.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/server.cpp b/src/server.cpp
index dc33585..c4562ec 100644
--- a/src/server.cpp
+++ b/src/server.cpp
@@ -325,7 +325,7 @@ void Server::loadServerConfig()
         password_require_mixed_case = config.value("pass_require_mix_case", "true").toBool();
         password_require_numbers = config.value("pass_require_numbers", "true").toBool();
         password_require_special_characters = config.value("pass_require_special", "true").toBool();
-        password_can_contain_username = config.value("pass_contain_username", "false").toBool();
+        password_can_contain_username = config.value("pass_can_contain_username", "false").toBool();
     }
     config.endGroup();
 }