Merge pull request #2515 from sbwalker/dev

fix #2512 - provide guidance about password complexity policy during install, and ensure modified passwords meet complexity policy

Oqtane.Client/Modules/Admin/UserProfile/Index.razor

@@ -337,7 +337,9 @@ else
 						photo = null;
 					}
 
-                    await UserService.UpdateUserAsync(user);
+					user = await UserService.UpdateUserAsync(user);
+					if (user != null)
+					{
 						await SettingService.UpdateUserSettingsAsync(settings, PageState.User.UserId);
 						await logger.LogInformation("User Profile Saved");
 
@@ -345,6 +347,11 @@ else
 						StateHasChanged();
 					}
 					else
+					{
+						AddModuleMessage(Localizer["Message.Password.Complexity"], MessageType.Error);						
+					}
+				}
+                else
                 {
                     AddModuleMessage(Localizer["Message.Password.Invalid"], MessageType.Warning);
                 }

Oqtane.Client/Modules/Admin/Users/Edit.razor

@@ -249,12 +249,18 @@ else
 					user.IsDeleted = (isdeleted == null ? true : Boolean.Parse(isdeleted));
 
 					user = await UserService.UpdateUserAsync(user);
+					if (user != null)
+					{
 						await SettingService.UpdateUserSettingsAsync(settings, user.UserId);
 						await logger.LogInformation("User Saved {User}", user);
-
 						NavigationManager.NavigateTo(NavigateUrl());
 					}
 					else
+					{
+						AddModuleMessage(Localizer["Message.Password.Complexity"], MessageType.Error);
+					}
+                }
+                else
                 {
                     AddModuleMessage(Localizer["Message.Password.NoMatch"], MessageType.Warning);
                 }

Oqtane.Client/Resources/Installer/Installer.resx

@@ -136,7 +136,7 @@
     <value>Please Enter All Required Fields. Ensure Passwords Match And Email Address Provided Is Valid.</value>
   </data>
   <data name="Message.Password.Invalid" xml:space="preserve">
-    <value>The Password Provided Does Not Meet The Password Policy. Please Verify The Minimum Password Length And Complexity Requirements.</value>
+    <value>The Password Provided Does Not Meet The Complexity Policy. Passwords Must Be At Least 6 Characters In Length And Contain Uppercase, Lowercase, Numeric, And Punctuation Characters.</value>
   </data>
   <data name="Register" xml:space="preserve">
     <value>Please Register Me For Major Product Updates And Security Bulletins</value>

Oqtane.Client/Resources/Modules/Admin/UserProfile/Index.resx

@@ -120,6 +120,9 @@
   <data name="Message.Password.Invalid" xml:space="preserve">
     <value>Passwords Entered Do Not Match</value>
   </data>
+  <data name="Message.Password.Complexity" xml:space="preserve">
+    <value>Password Provided Does Not Meet The Complexity Policy</value>
+  </data>
   <data name="From" xml:space="preserve">
     <value>From</value>
   </data>

Oqtane.Client/Resources/Modules/Admin/Users/Edit.resx

@@ -120,6 +120,9 @@
   <data name="Message.Password.NoMatch" xml:space="preserve">
     <value>Passwords Entered Do Not Match</value>
   </data>
+  <data name="Message.Password.Complexity" xml:space="preserve">
+    <value>Password Provided Does Not Meet The Complexity Policy</value>
+  </data>
   <data name="Identity.Name" xml:space="preserve">
     <value>Identity</value>
   </data>

Oqtane.Server/Controllers/UserController.cs

@@ -247,12 +247,21 @@ namespace Oqtane.Controllers
                 if (identityuser != null)
                 {
                     identityuser.Email = user.Email;
+                    var valid = true;
                     if (user.Password != "")
+                    {
+                        var validator = new PasswordValidator<IdentityUser>();
+                        var result = await validator.ValidateAsync(_identityUserManager, null, user.Password);
+                        valid = result.Succeeded;
+                        if (valid)
                         {
                             identityuser.PasswordHash = _identityUserManager.PasswordHasher.HashPassword(identityuser, user.Password);
                         }
-                    await _identityUserManager.UpdateAsync(identityuser);
                     }
+                    if (valid)
+                    {
+                        await _identityUserManager.UpdateAsync(identityuser);
+
                         user = _users.UpdateUser(user);
                         _syncManager.AddSyncEvent(_tenantManager.GetAlias().TenantId, EntityNames.User, user.UserId, SyncEventActions.Update);
                         _syncManager.AddSyncEvent(_tenantManager.GetAlias().TenantId, EntityNames.User, user.UserId, SyncEventActions.Refresh);
@@ -260,6 +269,13 @@ namespace Oqtane.Controllers
                         _logger.Log(LogLevel.Information, this, LogFunction.Update, "User Updated {User}", user);
                     }
                     else
+                    {
+                        _logger.Log(user.SiteId, LogLevel.Error, this, LogFunction.Update, "Unable To Update User {Username}. Password Does Not Meet Complexity Requirements.", user.Username);
+                        user = null;
+                    }
+                }
+            }
+            else
             {
                 user.Password = ""; // remove sensitive information
                 _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized User Post Attempt {User}", user);