[MDL-61694] Create an extension point for adding extra password validation functionality - Moodle Tracker

XML

Word

Printable

Details

Type: Improvement
Status: Closed
Priority: Minor
Resolution: Fixed
Affects Version/s: 3.4, 3.6
Fix Version/s: 3.6
Component/s: Authentication
Labels:

Testing Instructions:
Hide

Create a "local" plugin that implements the <pluginname>_check_password_policy() function.

The plugin function should accept a single string argument; this should be the password that was entered.

The plugin function should output a single string value, this should be an error message if the password is invalid, or a blank string if it is ok.

Testing can be done by checking that the password is passed into the function correctly, that the return value is treated as an error message in the same way as existing password check errors.

You should also check that the existing password check mechanism continues to work as expected, per its own configuration.

The plugin should be called regardless of whether the primary password check is enabled or not, because plugins can be enabled separately.

I have also created a plugin of my own that implements this callback. You can find it here: https://github.com/Spudley/moodle-local_hibp. This is a 'real' plugin that implements the "HaveIBeenPwned" API as I mentioned in the original ticket description. Please feel free to use this plugin to test the callback as well.
Show
Create a "local" plugin that implements the <pluginname>_check_password_policy() function. The plugin function should accept a single string argument; this should be the password that was entered. The plugin function should output a single string value, this should be an error message if the password is invalid, or a blank string if it is ok. Testing can be done by checking that the password is passed into the function correctly, that the return value is treated as an error message in the same way as existing password check errors. You should also check that the existing password check mechanism continues to work as expected, per its own configuration. The plugin should be called regardless of whether the primary password check is enabled or not, because plugins can be enabled separately. I have also created a plugin of my own that implements this callback. You can find it here: https://github.com/Spudley/moodle-local_hibp . This is a 'real' plugin that implements the "HaveIBeenPwned" API as I mentioned in the original ticket description. Please feel free to use this plugin to test the callback as well.
Affected Branches:
MOODLE_34_STABLE, MOODLE_36_STABLE
Fixed Branches:
MOODLE_36_STABLE
Pull from Repository:
https://github.com/Spudley/moodle.git
Pull Master Branch:
wip-~~MDL-61694~~_Check_Password_Callback
Pull Master Diff URL:
https://github.com/moodle/moodle/compare/master...Spudley:wip-MDL-61694_Check_Password_Callback

Description

Hi.

I have a requirement to add some new password validation to a variety of systems that I maintain.

Specifically, I need to integrate with the Have I Been Pwned API, which allows a system to check whether a newly entered password is known to be insecure because it has been previously found in a hacked database.

I have already written plugins for Joomla and Drupal to do this, and I now need to do so for Moodle as well.

Unfortunately, however, Moodle does not seem to provide the ability to easily do this; there is no extension point that hooks into the password validation. I tried working around it with an Auth plugin, using the user_update_password() method, but this method only gets called for the specific auth plugin that has been used to create the user account, which doesn't work for me; I need to continue using the existing auth types, and have my method get triggered for any of them that involve a password update.

I would therefore like to please request that an extension capability is added that will enable me to do this.

Many thanks.

Forum reference: https://moodle.org/mod/forum/discuss.php?d=367393

Attachments

Activity

People

Assignee:

Simon Champion

Reporter:

Simon Champion

Peer reviewer:

Mark Nelson

Integrator:

David Monllaó

Tester:

David Mudrák (@mudrd8mz)

Participants:

Andrew Nicols, CiBoT, David Monllaó, David Mudrák (@mudrd8mz), Eloy Lafuente (stronk7), Mark Johnson, Mark Nelson, Simon Champion

Component watchers:

Jake Dallimore, Jun Pataleta, Ryan Wyllie

Votes:

0 Vote for this issue

Watchers:

7 Start watching this issue

Dates

Created:

21/Mar/18 1:27 AM

Updated:

08/Jun/18 9:38 AM

Resolved:

08/Jun/18 9:38 AM

Fix Release Date:

3/Dec/18