Validate password strength for internal users

Gemfile

@@ -49,6 +49,7 @@ gem 'telegraf'
 gem 'tubesock'
 gem 'turbolinks'
 gem 'whenever', require: false
+gem 'zxcvbn-ruby', require: 'zxcvbn'
 
 # Error Tracing
 gem 'mnemosyne-ruby'

Gemfile.lock

@@ -540,6 +540,7 @@ GEM
     xpath (3.2.0)
       nokogiri (~> 1.8)
     zeitwerk (2.6.0)
+    zxcvbn-ruby (1.2.0)
 
 PLATFORMS
   ruby
@@ -623,6 +624,7 @@ DEPENDENCIES
   web-console
   webmock
   whenever
+  zxcvbn-ruby
 
 BUNDLED WITH
    2.3.17

app/models/internal_user.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+require 'zxcvbn'
+
 class InternalUser < User
   authenticates_with_sorcery!
 
@@ -7,6 +9,7 @@ class InternalUser < User
 
   validates :email, presence: true, uniqueness: true
   validates :password, confirmation: true, if: -> { password_void? && validate_password? }, on: :update, presence: true
+  validate :password_strength, if: -> { password_void? && validate_password? }, on: :update
   validates :role, inclusion: {in: ROLES}
 
   def activated?
@@ -25,6 +28,11 @@ class InternalUser < User
   end
   private :validate_password?
 
+  def password_strength
+    result = Zxcvbn.test(password, [email, name, 'CodeOcean'])
+    errors.add(:password, :weak) if result.score < 4
+  end
+
   def teacher?
     role == 'teacher'
   end

config/locales/de.yml

@@ -238,6 +238,10 @@ de:
           at_most_one_main_file: dürfen höchstens eine Hauptdatei enthalten
           late_submission_deadline_not_alone: darf nicht ohne eine reguläre Abgabefrist verwendet werden
           late_submission_deadline_not_before_submission_deadline: darf nicht vor der reguläre Abgabefrist liegen
+        internal_user:
+          attributes:
+            password:
+              weak: ist zu schwach. Versuchen Sie es mit einem  langen Passwort, welches Groß-, Kleinbuchstaben, Zahlen und Sonderzeichen enthält.
   admin:
     dashboard:
       show:

config/locales/en.yml

@@ -238,6 +238,10 @@ en:
           at_most_one_main_file: must include at most one main file
           late_submission_deadline_not_alone: must not be used without a regular submission deadline
           late_submission_deadline_not_before_submission_deadline: must not be before the submission deadline passed
+        internal_user:
+          attributes:
+            password:
+              weak: is too weak. Try to use a long password with upper and lower case letters, numbers and special characters.
   admin:
     dashboard:
       show:

spec/controllers/internal_users_controller_spec.rb

@@ -282,11 +282,28 @@ describe InternalUsersController do
 
         expect_assigns(user: :user)
 
-        it 'changes the password' do
-          expect(InternalUser.authenticate(user.email, password)).to eq(user)
+        context 'with a weak password' do
+          let(:password) { 'foo' }
+
+          it 'does not change the password' do
+            expect { perform_request.call }.not_to change { user.reload.crypted_password }
+            expect(InternalUser.authenticate(user.email, password)).not_to eq(user)
+          end
+
+          expect_http_status(:ok)
+          expect_template(:reset_password)
         end
 
-        expect_redirect(:sign_in)
+        context 'with a strong password' do
+          let(:password) { SecureRandom.hex(128) }
+
+          it 'changes the password' do
+            expect { perform_request.call }.not_to change { user.reload.crypted_password }
+            expect(InternalUser.authenticate(user.email, password)).to eq(user)
+          end
+
+          expect_redirect(:sign_in)
+        end
       end
 
       context 'without a matching password confirmation' do