CodeIgniter Forums
Myth Auth strong_password - Printable Version

+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: CodeIgniter 4 (https://forum.codeigniter.com/forumdisplay.php?fid=28)
+--- Forum: CodeIgniter 4 Support (https://forum.codeigniter.com/forumdisplay.php?fid=30)
+--- Thread: Myth Auth strong_password (/showthread.php?tid=82591)

Myth Auth strong_password - superior - 07-27-2022

Hi,

I;m using MythAuth for my authentication, when changing the password i;m getting a personal information error that seems wrong to me. The error states the password '95*P$3+J`}&2"b[|qGWUqii&J)OiIU' contains personal information, don't know how because this is generated and seems nothing personal to me. Is there something going wrong within this validation?

RE: Myth Auth strong_password - manager - 07-27-2022

(07-27-2022, 12:06 PM)superior Wrote: Hi,

I;m using MythAuth for my authentication, when changing the password i;m getting a personal information error that seems wrong to me. The error states the password '95*P$3+J`}&2"b[|qGWUqii&J)OiIU' contains personal information, don't know how because this is generated and seems nothing personal to me. Is there something going wrong within this validation?

Hi. Can you  show your controller code which process change password method?
It would be really informative if you also include Myth:Auth and your php version too

RE: Myth Auth strong_password - superior - 07-28-2022

Controller has nothing to do with it because it's a rule set to validate; strong_password.

> https://github.com/lonnieezell/myth-auth#services

Latest version of MythAuth installed through composer, no modifications on that file.
PHP Version 8.0.14

RE: Myth Auth strong_password - manager - 07-28-2022

(07-28-2022, 12:09 AM)superior Wrote: Controller has nothing to do with it because it's a rule set to validate;  strong_password.

Do not agree with you. Change password request goes from user to the controller, but Myth AuthController.php don't have appropriate method to process this request, so i guess you added this code and maybe some extra validation. So there is no harm to have a look at this part of code too to eliminate that there is no problem. And please give the exact error message, used username and email values.

RE: Myth Auth strong_password - superior - 07-28-2022

(07-28-2022, 01:40 AM)manager Wrote:
(07-28-2022, 12:09 AM)superior Wrote: Controller has nothing to do with it because it's a rule set to validate;  strong_password.

Do not agree with you. Change password request goes from user to the controller, but Myth AuthController.php don't have appropriate method to process this request, so i guess you added this code and maybe some extra validation. So there is no harm to have a look at this part of code too to eliminate that there is no problem. And please give the exact error message, used username and email values.
Don't see how this would help because my Controller has nothing to do with it but ok...
The error message is translated from MythAuth on key 'errorPasswordPersonal', it's different by language.
See: https://github.com/lonnieezell/myth-auth/blob/develop/src/Language/en/Auth.php#L49


PHP Code:
public function postPassword()
    {
        $setRules = [
            'current' => [
                'label' => lang('Auth.password'),
                'rules' => 'required',
            ],
            'newpasswd' => [
                'label' => lang('Auth.newPassword'),
                'rules' => 'required|strong_password'// As said before, it's only this part `strong_password`
            ],
            'reppasswd' => [
                'label' => lang('Auth.repeatPassword'),
                'rules' => 'required|matches[newpasswd]',
            ]
        ];

        if( !$this->validate($setRules) )
        {
            return redirect()->tourl_to('change_password') )->with('errors'$this->validator->getErrors());
        }
        else {

            $userModel modelUserModel::class );

            if( $user $userModel->where("id"user_id())->first() )
            {
                if (! $this->auth->attempt(['username' => $user->username'password' => $this->request->getPost('current')], false)) {
                    return redirect()->tourl_to('change_password') )->with('errors', ['current' => lang('Auth.invalidCurrentPassword')]);
                }

                $user->password $this->request->getPost('newpasswd');
                
                if( !$userModel->save($user) ) {
                    return redirect()->tourl_to('change_password') )->with('errors'$userModel->errors());
                }

                return redirect()->tourl_to('change_password') )->with('message'lang('Auth.passwordChangeSuccess'));
            }
        }
    


RE: Myth Auth strong_password - manager - 07-28-2022

(07-28-2022, 01:40 AM)manager Wrote: And please give the exact error message, used username and email values.

and 'personal' fields defined in config with there values to reproduce the error.

NothingPersonalValidator only throws 'errorPasswordPersonal' key error.

RE: Myth Auth strong_password - superior - 07-28-2022

(07-28-2022, 03:13 AM)manager Wrote:
(07-28-2022, 01:40 AM)manager Wrote: And please give the exact error message, used username and email values.

and 'personal' fields defined in config with there values to reproduce the error.

NothingPersonalValidator only throws 'errorPasswordPersonal' key error.

PHP Code:
    public $personalFields = [
        'company_name''company_vat''company_coc''first_name''last_name'
        'address''number''extra_nr''zipcode''city''country''phone''comments'
    ]; 


RE: Myth Auth strong_password - manager - 07-28-2022

PHP Code:
    public $personalFields = [
        'company_name''company_vat''company_coc''first_name''last_name'
        'address''number''extra_nr''zipcode''city''country''phone''comments'
    ]; 

Really big list.
In your case validation goes thru NothingPersonalValidator.php class - isNotPersonal() method.
This method looks for personal information in a password. For example first of all it checks is your password equal to your username or email address or the reversed username.
If you have also filled $personalFields , then method will also get there values too to look for personal information. Considering 13 variables in your list there is really big chance that validation will fail.
For example: in "number" field you have a value "95". In this situation validation will fail.
Quick solution in your case is comment from $passwordValidators array nothingPersonalValidator class.

RE: Myth Auth strong_password - superior - 07-28-2022

(07-28-2022, 04:15 AM)manager Wrote:
PHP Code:
    public $personalFields = [
        'company_name''company_vat''company_coc''first_name''last_name'
        'address''number''extra_nr''zipcode''city''country''phone''comments'
    ]; 

Really big list.
In your case validation goes thru NothingPersonalValidator.php class - isNotPersonal() method.
This method looks for personal information in a password. For example first of all it checks is your password equal to your username or email address or the reversed username.
If you have also filled $personalFields , then method will also get there values too to look for personal information. Considering 13 variables in your list there is really big chance that validation will fail.
For example: in "number" field you have a value "95". In this situation validation will fail.
Quick solution in your case is comment from $passwordValidators array nothingPersonalValidator class.

Did that but alternatively i would like this activated, will remove some of the list that should not be so personal after all.
Thanks for thinking with me!

RE: Myth Auth strong_password - manager - 07-28-2022

Of course it would be a good idea to exclude some variables from your list. Luck!