From 5d1e90d29cf1670af25661f82653268db131a3b7 Mon Sep 17 00:00:00 2001
From: James Cole <thegrumpydictator@gmail.com>
Date: Tue, 8 Aug 2017 16:30:21 +0200
Subject: [PATCH] Expand verify password routine.

---
 app/Http/Requests/UserFormRequest.php         |  2 +-
 app/Http/Requests/UserRegistrationRequest.php | 11 ----
 app/Validation/FireflyValidator.php           | 16 +++--
 resources/lang/en_US/form.php                 |  1 +
 resources/views/auth/register.twig            | 58 ++++++++++++++++++-
 resources/views/profile/change-password.twig  |  2 +
 6 files changed, 69 insertions(+), 21 deletions(-)

diff --git a/app/Http/Requests/UserFormRequest.php b/app/Http/Requests/UserFormRequest.php
index 08a7076038..baba06cc63 100644
--- a/app/Http/Requests/UserFormRequest.php
+++ b/app/Http/Requests/UserFormRequest.php
@@ -51,7 +51,7 @@ class UserFormRequest extends Request
         return [
             'id'           => 'required|exists:users,id',
             'email'        => 'email|required',
-            'password'     => 'confirmed',
+            'password'     => 'confirmed|secure_password',
             'blocked_code' => 'between:0,30',
             'blocked'      => 'between:0,1|numeric',
         ];
diff --git a/app/Http/Requests/UserRegistrationRequest.php b/app/Http/Requests/UserRegistrationRequest.php
index db2f7bda8c..7875dc5358 100644
--- a/app/Http/Requests/UserRegistrationRequest.php
+++ b/app/Http/Requests/UserRegistrationRequest.php
@@ -28,17 +28,6 @@ class UserRegistrationRequest extends Request
         return true;
     }
 
-    /**
-     * @return array
-     */
-    public function getUserData(): array
-    {
-        return [
-            'email'    => $this->string('email'),
-            'password' => $this->string('password'),
-        ];
-    }
-
     /**
      * @return array
      */
diff --git a/app/Validation/FireflyValidator.php b/app/Validation/FireflyValidator.php
index a5ec19c29e..62f6747123 100644
--- a/app/Validation/FireflyValidator.php
+++ b/app/Validation/FireflyValidator.php
@@ -284,14 +284,18 @@ class FireflyValidator extends Validator
      */
     public function validateSecurePassword($attribute, $value, $parameters): bool
     {
-        $enabled = env('PASSWORD_SERVICE');
-        if (!$enabled) {
-            return true;
+        $verify = false;
+        if (isset($this->data['verify_password'])) {
+            $verify = intval($this->data['verify_password']) === 1;
         }
-        /** @var Verifier $service */
-        $service = app(Verifier::class);
+        if ($verify) {
+            /** @var Verifier $service */
+            $service = app(Verifier::class);
 
-        return $service->validPassword($value);
+            return $service->validPassword($value);
+        }
+
+        return true;
     }
 
     /**
diff --git a/resources/lang/en_US/form.php b/resources/lang/en_US/form.php
index 10a2aba64b..d06bc2c694 100644
--- a/resources/lang/en_US/form.php
+++ b/resources/lang/en_US/form.php
@@ -32,6 +32,7 @@ return [
     'journal_source_account_name'    => 'Revenue account (source)',
     'journal_source_account_id'      => 'Asset account (source)',
     'BIC'                            => 'BIC',
+    'verify_password'                => 'Verify password security',
     'account_from_id'                => 'From account',
     'account_to_id'                  => 'To account',
     'source_account'                 => 'Source account',
diff --git a/resources/views/auth/register.twig b/resources/views/auth/register.twig
index 30431d4763..b8621e4395 100644
--- a/resources/views/auth/register.twig
+++ b/resources/views/auth/register.twig
@@ -22,7 +22,7 @@
                 work for one (1) month.</p>
         {% endif %}
 
-        <form role="form" id="register" method="POST" action="{{ URL.to('/register') }}">
+        <form id="register" method="POST" action="{{ URL.to('/register') }}">
             <input type="hidden" name="_token" value="{{ csrf_token() }}">
 
             <div class="form-group has-feedback">
@@ -35,8 +35,16 @@
                 <input type="password" class="form-control" placeholder="Retype password" name="password_confirmation"/>
             </div>
             <div class="row">
-                <div class="col-xs-12">
-                    <button type="submit" class="btn btn-primary pull-right btn-flat">Register</button>
+                <div class="col-xs-8">
+                    <div class="checkbox">
+                        <label>
+                            <input type="checkbox" name="verify_password" value="1"> Verify password
+                            (<a data-toggle="modal" data-target="#passwordModal" href="#passwordModal">what's this?</a>)
+                        </label>
+                    </div>
+                </div>
+                <div class="col-xs-4">
+                    <button class="btn btn-primary pull-right btn-flat">Register</button>
                 </div>
                 <!-- /.col -->
             </div>
@@ -46,4 +54,48 @@
         <a href="{{ URL.to('/password/reset') }}">I forgot my password</a>
     </div><!-- /.form-box -->
 
+
+    <!-- Modal -->
+    <div class="modal fade" id="passwordModal" tabindex="-1" role="dialog" aria-labelledby="myModalLabel">
+        <div class="modal-dialog" role="document">
+            <div class="modal-content">
+                <div class="modal-header">
+                    <button type="button" class="close" data-dismiss="modal" aria-label="Close"><span aria-hidden="true">&times;</span></button>
+                    <h4 class="modal-title" id="myModalLabel">How to choose a secure password</h4>
+                </div>
+                <div class="modal-body">
+                    <p>
+                        In August 2017 well known security researcher Troy Hunt released a list of 306 million stolen passwords.
+                        These passwords were stolen during breakins at companies like LinkedIn, Adobe and NeoPets (and many more).
+                    </p>
+                    <p>
+                        By checking the box, Firefly III will send the SHA1 hash of your password to
+                        <a href="https://www.troyhunt.com/introducing-306-million-freely-downloadable-pwned-passwords/">the website of Troy Hunt</a>
+                        to see if it is on the list. This will stop you from using unsafe passwords as is recommended in the latest
+                        <a href="https://pages.nist.gov/800-63-3/sp800-63b.html">NIST Special Publication</a> on this subject.
+                    </p>
+                    <h4>But I thought SHA1 was broken?</h4>
+                    <p>
+                        Yes, but not in this context. As you can read on <a href="https://shattered.io/">the website detailing how they broke SHA1</a>, it is now
+                        slightly easier to find a "collision": another string that results in the same SHA1-hash. It now only takes 10,000 years using a single-GPU machine.
+                    </p>
+                    <p>
+                        This collision would not be equal to your password, nor would it be useful on (a site like) Firefly III. This application
+                        does not use SHA1 for password verification. So it is safe to check this box. Your password is hashed and sent over HTTPS.
+                    </p>
+                    <h4>Should I check the box?</h4>
+                    <p>
+                        If you just generated a long, single-use password for Firefly III using some kind of password generator: no.
+                    </p>
+                    <p>
+                        If you just entered the password you always use: <em>Christ yes</em>.
+                    </p>
+                </div>
+                <div class="modal-footer">
+                    <button type="button" class="btn btn-default" data-dismiss="modal">Close</button>
+                </div>
+            </div>
+        </div>
+    </div>
+
 {% endblock %}
diff --git a/resources/views/profile/change-password.twig b/resources/views/profile/change-password.twig
index 248c51b604..575c1e3722 100644
--- a/resources/views/profile/change-password.twig
+++ b/resources/views/profile/change-password.twig
@@ -52,6 +52,8 @@
                             </div>
                         </div>
 
+                        {{ ExpandedForm.checkbox('verify_password','1', false) }}
+
 
                     </div>
                     <div class="box-footer">