Moodle / MDL-61694

Create an extension point for adding extra password validation functionality

    Details

    • Testing Instructions:
      1. Create a "local" plugin that implements the <pluginname>_check_password_policy() function.
      2. The plugin function should accept a single string argument; this should be the password that was entered.
      3. The plugin function should output a single string value; this should be an error message if the password is invalid, or a blank string if it is ok.
      4. Testing can be done by checking that the password is passed into the function correctly, that the return value is treated as an error message in the same way as existing password check errors.
      5. You should also check that the existing password check mechanism continues to work as expected, per its own configuration.
      6. The plugin should be called regardless of whether the primary password check is enabled or not, because plugins can be enabled separately.
      7. I have also created a plugin of my own that implements this callback. You can find it here: https://github.com/Spudley/moodle-local_hibp. This is a 'real' plugin that implements the "HaveIBeenPwned" API as I mentioned in the original ticket description. Please feel free to use this plugin to test the callback as well.
    • Affected Branches:
      MOODLE_34_STABLE, MOODLE_36_STABLE
    • Fixed Branches:
      MOODLE_36_STABLE
    • Pull Master Branch:
      wip-MDL-61694_Check_Password_Callback

      Description

      Hi.

      I have a requirement to add some new password validation to a variety of systems that I maintain.

      Specifically, I need to integrate with the Have I Been Pwned API, which allows a system to check whether a newly entered password is known to be insecure because it has been previously found in a hacked database.

      I have already written plugins for Joomla and Drupal to do this, and I now need to do so for Moodle as well.

      Unfortunately, however, Moodle does not seem to provide the ability to easily do this; there is no extension point that hooks into the password validation. I tried working around it with an Auth plugin, using the user_update_password() method, but this method only gets called for the specific auth plugin that has been used to create the user account, which doesn't work for me; I need to continue using the existing auth types, and have my method get triggered for any of them that involve a password update.

      I would therefore like to please request that an extension capability is added that will enable me to do this.

      Many thanks.

       

      Forum reference: https://moodle.org/mod/forum/discuss.php?d=367393
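
The callback described in the testing instructions, written as an added example (not code from this issue or from the linked local_hibp plugin): it checks the password against the Pwned Passwords range endpoint, sending only the first five characters of the SHA-1 hash. The plugin name `pwcheck`, the helper function names, the error text and the fail-open behaviour are assumptions.

```php
<?php
// lib.php of a hypothetical local plugin "pwcheck" (local/pwcheck/lib.php).

/** SHA-1 the password; only the 5-character prefix ever leaves the server. */
function local_pwcheck_split_hash(string $password): array {
    $hash = strtoupper(sha1($password));
    return [substr($hash, 0, 5), substr($hash, 5)];
}

/** Find our 35-character suffix in a "SUFFIX:COUNT" range response. */
function local_pwcheck_count_in_range(string $suffix, string $body): int {
    foreach (preg_split('/\r?\n/', trim($body)) as $line) {
        $parts = explode(':', trim($line), 2);
        if (count($parts) === 2 && strtoupper($parts[0]) === $suffix) {
            return (int) $parts[1];
        }
    }
    return 0;
}

/** Fetch one range; null on any network failure. Plain PHP streams keep this self-contained. */
function local_pwcheck_fetch_range(string $prefix): ?string {
    $ctx = stream_context_create(['http' => ['timeout' => 5, 'user_agent' => 'local_pwcheck-example']]);
    $body = @file_get_contents('https://api.pwnedpasswords.com/range/' . $prefix, false, $ctx);
    return $body === false ? null : $body;
}

/** The callback from this issue: error message if rejected, '' if acceptable. */
function local_pwcheck_check_password_policy($password) {
    [$prefix, $suffix] = local_pwcheck_split_hash($password);
    $body = local_pwcheck_fetch_range($prefix);
    if ($body === null) {
        return ''; // Assumed design choice: fail open so an API outage does not block password changes.
    }
    $count = local_pwcheck_count_in_range($suffix, $body);
    // A real plugin would load this text from its language pack.
    return $count > 0 ? "This password appears in {$count} known breach records; choose another." : '';
}

// Offline self-check with a constructed range response; runs only outside Moodle, from the CLI.
if (PHP_SAPI === 'cli' && !defined('MOODLE_INTERNAL')) {
    [, $suffix] = local_pwcheck_split_hash('password');
    $sample = str_repeat('0', 35) . ":3\r\n" . $suffix . ":42\r\n"; // constructed sample data
    [, $other] = local_pwcheck_split_hash('correct horse battery staple');
    var_dump(local_pwcheck_count_in_range($suffix, $sample)); // suffix listed in the sample
    var_dump(local_pwcheck_count_in_range($other, $sample));  // suffix absent from the sample
}
```

Returning a blank string on a failed lookup keeps password changes working during an outage; a site that prefers to reject in that case would return an error message from that branch instead.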

              Dates

              • Created:
                Updated:
                Resolved:
                Fix Release Date: 3/Dec/18