
django-zxcvbn-password's Introduction

Django ZXCVBN Password


Warning ⚠️: This project is not maintained anymore. Feel free to reach out if you want to take over maintenance.

Back-end and Front-end password validation with ZXCVBN.

A combination of pirandig’s django-zxcvbn and aj-may’s django-password-strength Django apps. It combines back-end and front-end validation with strength meter display.

License

Software licensed under ISC license.

Installation

pip install django-zxcvbn-password

Requirements

The JavaScript code of this application uses jQuery, but jQuery is not bundled with it. Please install it separately. You might also want to use Bootstrap.

Usage

# settings.py

INSTALLED_APPS = [
    ...
    'zxcvbn_password',
    ...
]

AUTH_PASSWORD_VALIDATORS = [
    {
        'NAME': 'django.contrib.auth.password_validation.UserAttributeSimilarityValidator',
    },
    {
        'NAME': 'django.contrib.auth.password_validation.MinimumLengthValidator',
    },
    {
        'NAME': 'django.contrib.auth.password_validation.CommonPasswordValidator',
    },
    {
        'NAME': 'django.contrib.auth.password_validation.NumericPasswordValidator',
    },
    {
        'NAME': 'zxcvbn_password.ZXCVBNValidator',
        'OPTIONS': {
            'min_score': 3,
            'user_attributes': ('username', 'email', 'first_name', 'last_name')
        }
    }
]

# forms.py

from django import forms
from zxcvbn_password.fields import PasswordField, PasswordConfirmationField

class RegisterForm(forms.Form):
    password1 = PasswordField()
    password2 = PasswordConfirmationField(confirm_with='password1')

# views.py

if form.is_valid():
    user = User.objects.create_user(
        username=...,
        password=form.cleaned_data['password1']
    )

By default, other inputs won't be used to compute the score, but you can enforce it like this:

# forms.py

from django import forms
from zxcvbn_password import zxcvbn
from zxcvbn_password.fields import PasswordField, PasswordConfirmationField

class RegisterForm(forms.Form):
    password1 = PasswordField()
    password2 = PasswordConfirmationField(confirm_with='password1')

    def clean(self):
        password = self.cleaned_data.get('password1')
        other_field1 = ...
        other_field2 = ...

        if password:
            score = zxcvbn(password, [other_field1, other_field2])['score']
            # score is between 0 and 4
            # raise forms.ValidationError if needed

        return self.cleaned_data

Custom frequency lists

zxcvbn-python lets you add custom frequency lists. To use your own, add frequency_lists to the validator's OPTIONS in AUTH_PASSWORD_VALIDATORS. In the example below, dutch_words is a list of strings:

# settings.py

AUTH_PASSWORD_VALIDATORS = [
    ...
    {
        'NAME': 'zxcvbn_password.ZXCVBNValidator',
        'OPTIONS': {
            'frequency_lists': {
                'dutch': dutch_words,
            }
        }
    }
]
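
One way to prepare dutch_words, as an added example rather than code from this project: zxcvbn's dictionary matcher lowercases the password before lookup and ranks each word by its position in the list, so the list should be lowercase, de-duplicated and ordered most frequent first. The loader name, the sample lines and the "word count" file layout are assumptions.

```python
# Added example (not project code): build `dutch_words` from a word-list file.
# Assumes one word per line, most frequent first, optionally followed by a count.

# Constructed sample input; a real list would be read from a file.
SAMPLE_LINES = """\
# constructed sample, most frequent word first
de 1000
het 900
Amsterdam 50
de 3

welkom 20
AMSTERDAM 2
""".splitlines()


def load_frequency_list(lines):
    """Return the words in rank order, lowercased and de-duplicated.

    Position in the returned list is the word's rank, so the first
    occurrence of a word is kept and later duplicates are dropped.
    """
    seen = set()
    words = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        word = line.split()[0].lower()  # drop a trailing count column
        if word not in seen:
            seen.add(word)
            words.append(word)
    return words


dutch_words = load_frequency_list(SAMPLE_LINES)

# settings.py fragment, same shape as the README's example.
AUTH_PASSWORD_VALIDATORS = [
    {
        "NAME": "zxcvbn_password.ZXCVBNValidator",
        "OPTIONS": {"frequency_lists": {"dutch": dutch_words}},
    },
]
```

Mixed-case entries such as "Amsterdam" would never match a lowercased password, and a duplicate further down the file would otherwise overwrite the word's better rank.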


Important

The password field's widget declares two JavaScript files that must be added to the HTML page. To do so, add {{ form.media }} in your template, something like:

<form role="form" action="my_url" method="post">
  {% csrf_token %}
  {{ form }}
</form>

{% block js %}
  {{ block.super }}
  {{ form.media }}
{% endblock %}

Note

If you are not using Bootstrap, the strength bar will not have colors. You can fix this with these three CSS rules:

.progress-bar-warning {
    background-color: yellow;
}

.progress-bar-danger {
    background-color: red;
}

.progress-bar-success {
    background-color: green;
}

Documentation

On ReadTheDocs

Development

To run all the tests: tox

Similar projects

You should check out django-zxcvbn-password-validator for backend validation only, but with a good UX and translated messages.

django-zxcvbn-password's People

Contributors

beruic, craigbennett1981, nijel, pawamoy, pyup-bot, ramonakira, randlet, thomwiggers


django-zxcvbn-password's Issues

Bootstrap 4 classes

Bootstrap 4 has new classes for the progress bar background color.

I'd be happy to help with a PR for any of these fixes:

  • Updating this repo to support Bootstrap 4 and documenting that Bootstrap 3 users need to add the new Bootstrap 4 classes
  • Adding a BOOTSTRAP_VERSION variable that defaults to version 4 but allows the user to set it to version 3 if they're using the old version of bootstrap
  • Leaving it the way it is now and just documenting that Bootstrap 4 users need to add the old Bootstrap 3 classes as I've done

Thanks for building this!

Allow a customizable warning message with variables

What I'm looking for is rather than the text showing "Warning: This password would take {{ password_strength_time }} to crack", something like "Password Strength: {{ zxcvbn_score }}".

I'd use Django's render_to_string so that I could use template tags. This would allow me to do something like:

PASSWORD_STRENGTH_WARNING = "Password strength: {% if zxcvbn_score < 2 %}Weak{% else %}Strong{% endif %}"

Default implementation would be the current message so this would only apply to users who want to override the warning message.

Is this something you'd entertain? Thanks again for building and maintaining this library!

getting a syntax error on 2.1.0 with python 2.7.12

django is failing to work - throwing a Syntax Error on

raise ValidationError([_(msg) for msg in [*warnings, *suggestions]], code=self.code, params={})

  File "/path/to/local/lib/python2.7/site-packages/django/urls/resolvers.py", line 364, in resolve
    for pattern in self.url_patterns:
  File "/path/to/local/lib/python2.7/site-packages/django/utils/functional.py", line 35, in __get__
    res = instance.__dict__[self.name] = self.func(instance)
  File "/path/to/local/lib/python2.7/site-packages/django/urls/resolvers.py", line 407, in url_patterns
    patterns = getattr(self.urlconf_module, "urlpatterns", self.urlconf_module)
  File "/path/to/local/lib/python2.7/site-packages/django/utils/functional.py", line 35, in __get__
    res = instance.__dict__[self.name] = self.func(instance)
  File "/path/to/local/lib/python2.7/site-packages/django/urls/resolvers.py", line 400, in urlconf_module
    return import_module(self.urlconf_name)
  File "/usr/lib/python2.7/importlib/__init__.py", line 37, in import_module
    __import__(name)
  File "./portal/urls.py", line 8, in <module>
    from users.views import logout_page
  File "./users/views.py", line 16, in <module>
    from users.forms import RegistrationForm
  File "./users/forms.py", line 4, in <module>
    from fields import PortalPasswordField, PortalPasswordConfirmationField
  File "./users/fields.py", line 1, in <module>
    from zxcvbn_password.fields import PasswordField, PasswordConfirmationField
  File "/path/to/local/lib/python2.7/site-packages/zxcvbn_password/__init__.py", line 13, in <module>
    from zxcvbn_password.fields import PasswordConfirmationField, PasswordField
  File "/path/to/local/lib/python2.7/site-packages/zxcvbn_password/fields.py", line 14, in <module>
    from zxcvbn_password.widgets import (
  File "/path/to/local/lib/python2.7/site-packages/zxcvbn_password/widgets.py", line 11, in <module>
    from .utils import zxcvbn_min_score
  File "/path/to/local/lib/python2.7/site-packages/zxcvbn_password/utils.py", line 3, in <module>
    from .validators import DEFAULT_MIN_SCORE
  File "/path/to/local/lib/python2.7/site-packages/zxcvbn_password/validators.py", line 60
    raise ValidationError([_(msg) for msg in [*warnings, *suggestions]], code=self.code, params={})
                                              ^
SyntaxError: invalid syntax

Documentation enhancements

I found it a bit challenging to get the static media wired up. Even though the docs suggest seeing the upstream repos for more information, they weren't super helpful either.

So that staticfilesfinder can find the js assets, this must be added to INSTALLED_APPS:

'zxcvbn_password',

You refer to form.media, but that doesn't work because the example form in the docs doesn't have a Media: class. However, I think it's easier to just include JS in the template:

{% load static %}
...
<script src="{% static 'zxcvbn_password/js/zxcvbn.js' %}"></script>
<script src="{% static 'zxcvbn_password/js/password_strength.js' %}"></script>

With that done, it started working but the indicator bar never changed color. Had to add to my css:

.progress-bar-warning {
    background-color: yellow;
}

.progress-bar-danger {
    background-color: red;
}

.progress-bar-success {
    background-color: green;
}

Finally, a little guidance on processing a valid password would be helpful (since we don't see Django's set_password() all that often):

        if form.is_valid():
            user = request.user
            user.set_password(form.cleaned_data['password1'])
            user.save()

I'll do a PR if you approve of the idea.

Stop using client-side validation javascript code

To avoid discrepancies between the client-side and server-side validation, we should get rid of the client-side validation using javascript. Instead, we should simply send a request upon password field modification to validate the current input against the server. The view handling the request would return the warnings and feedback. Client-side HTML page would only display the progress bar.

This would also allow validation against custom dictionaries on the client side, not only server one.

See #95 (comment)

Color indicator

The strength meter should go green only if it has reached the required entropy.
The color is currently based on fixed values.

Confusing help_text

The "Your password must be stronger." suggestion added as a rule under the New password field is very confusing for users. I think you misunderstood what get_help_text is for.


get_help_text(): provide a help text to explain the requirements to the user.

Initial Update

Hi 👊

This is my first visit to this fine repo, but it seems you have been working hard to keep all dependencies updated so far.

Once you have closed this issue, I'll create separate pull requests for every update as soon as I find one.

That's it for now!

Happy merging! 🤖

JS code dictionaries

ZXCVBN js code should import dictionaries from files instead of hardcoding them. It would allow us to use dictionaries from other languages too (currently only English).
It would also be great to be able to choose which dicts are used when using the app.

Use updated zxcvbn python library.

I've worked to create an updated zxcvbn python library based on the newest JS codebase and to also support python3. My port is now listed as the suggested python port on the main zxcvbn repository readme. Since Django will soon not support python2 you may want to consider changing your dependency to my library. Let me know if I can help in any way.

https://github.com/dwolfhub/zxcvbn-python

Release 2.0.1 to pypi?

Hi,
It seems the v2.0.0 does not work with Django 2.1 (TypeError on render), however the latest github version does. Just wondering if there are any plans to release 2.0.1 to pypi anytime soon?

thanks.

Django 1.8 LTS

So 1.8 is on LTS support until at least April 2018. Is there any chance that we can get a 2.0.x release that supports 1.8?
