Merge pull request #94 from isaacphysics/feature/zxcvbn-password-strength

zxcvbn Password Strength Warnings

Author: jsharkey13

src/IsaacAppTypes.tsx

@@ -387,3 +387,15 @@ export interface AppAssignmentProgress {
     incorrectQuestionPartsCount: number;
     notAttemptedPartResults: number[];
 }
+
+export interface ZxcvbnResult {
+    calc_time: number;
+    crack_times_display: { [key: string]: string };
+    crack_times_seconds: { [key: string]: number };
+    feedback: { [key: string]: any };
+    guesses: number;
+    guesses_log10: number;
+    password: string;
+    score: number;
+    sequence: any;
+}

src/app/components/elements/UserPassword.tsx

@@ -1,9 +1,10 @@
-import {Button, CardBody, Col, Form, FormFeedback, FormGroup, Input, Label, Row} from "reactstrap";
+import {Button, CardBody, Col, FormFeedback, FormGroup, Input, Label, Row} from "reactstrap";
 import React, {useState} from "react";
-import {LoggedInUser, ValidationUser} from "../../../IsaacAppTypes";
+import {ValidationUser, ZxcvbnResult} from "../../../IsaacAppTypes";
 import {UserAuthenticationSettingsDTO} from "../../../IsaacApiTypes";
-import {MINIMUM_PASSWORD_LENGTH, validateEmail, validatePassword} from "../../services/validation";
+import {MINIMUM_PASSWORD_LENGTH, validateEmail} from "../../services/validation";
 import {resetPassword} from "../../state/actions";
+import {loadZxcvbnIfNotPresent, passwordDebounce, passwordStrengthText} from "../../services/passwordStrength";
 
 interface UserPasswordProps {
     currentPassword?: string;
@@ -22,6 +23,7 @@ export const UserPassword = (
     {currentPassword, currentUserEmail, setCurrentPassword, myUser, setMyUser, isNewPasswordConfirmed, userAuthSettings, setNewPassword, setNewPasswordConfirm, newPasswordConfirm}: UserPasswordProps) => {
 
     const [passwordResetRequested, setPasswordResetRequested] = useState(false);
+    const [passwordFeedback, setPasswordFeedback] = useState<ZxcvbnResult | null>(null);
 
     const resetPasswordIfValidEmail = () => {
         if (currentUserEmail && validateEmail(currentUserEmail)) {
@@ -37,7 +39,7 @@ export const UserPassword = (
                     <Row>
                         <Col md={{size: 6, offset: 3}}>
                             <FormGroup>
-                                <Label htmlFor="password-current">Current Password</Label>
+                                <Label htmlFor="password-current">Current password</Label>
                                 <Input
                                     id="password-current" type="password" name="current-password"
                                     onChange={(e: React.ChangeEvent<HTMLInputElement>) =>
@@ -50,23 +52,36 @@ export const UserPassword = (
                     <Row>
                         <Col md={{size: 6, offset: 3}}>
                             <FormGroup>
-                                <Label htmlFor="new-password">New Password</Label>
+                                <Label htmlFor="new-password">New password</Label>
                                 <Input
                                     invalid={!!newPasswordConfirm && !isNewPasswordConfirmed}
                                     id="new-password" type="password" name="new-password"
                                     onChange={(e: React.ChangeEvent<HTMLInputElement>) => {
                                         setNewPassword(e.target.value);
+                                        passwordDebounce(e.target.value, setPasswordFeedback);
                                     }}
+                                    onBlur={(e: React.ChangeEvent<HTMLInputElement>) => {
+                                        passwordDebounce(e.target.value, setPasswordFeedback);
+                                    }}
+                                    onFocus={loadZxcvbnIfNotPresent}
                                     aria-describedby="passwordValidationMessage"
                                     disabled={currentPassword == ""}
                                 />
+                                {passwordFeedback &&
+                                <span className='float-right small mt-1'>
+                                    <strong>Password strength: </strong>
+                                    <span id="password-strength-feedback">
+                                        {passwordStrengthText[(passwordFeedback as ZxcvbnResult).score]}
+                                    </span>
+                                </span>
+                                }
                             </FormGroup>
                         </Col>
                     </Row>
                     <Row>
                         <Col md={{size: 6, offset: 3}}>
                             <FormGroup>
-                                <Label htmlFor="password-confirm">Re-enter New Password</Label>
+                                <Label htmlFor="password-confirm">Re-enter new password</Label>
                                 <Input
                                     invalid={!!currentPassword && !isNewPasswordConfirmed}
                                     id="password-confirm"

src/app/components/handlers/PasswordResetHandler.tsx

@@ -1,8 +1,10 @@
 import React, {useEffect, useState} from 'react';
 import {connect} from "react-redux";
-import {verifyPasswordReset, handlePasswordReset} from "../../state/actions";
-import {Button, Container, FormFeedback, Input, Label, Card, CardBody, Form, FormGroup, CardFooter} from "reactstrap";
+import {handlePasswordReset, verifyPasswordReset} from "../../state/actions";
+import {Button, Card, CardBody, CardFooter, Container, Form, FormFeedback, FormGroup, Input, Label} from "reactstrap";
 import {AppState, ErrorState} from "../../state/reducers";
+import {ZxcvbnResult} from "../../../IsaacAppTypes";
+import {loadZxcvbnIfNotPresent, passwordDebounce, passwordStrengthText} from "../../services/passwordStrength";
 
 const stateToProps = (state: AppState, {match: {params: {token}}}: any) => ({
     errorMessage: state ? state.error : null,
@@ -25,6 +27,9 @@ const ResetPasswordHandlerComponent = ({urlToken, handleResetPassword, verifyPas
 
     const [isValidPassword, setValidPassword] = useState(true);
     const [currentPassword, setCurrentPassword] = useState("");
+    const [passwordFeedback, setPasswordFeedback] = useState<ZxcvbnResult | null>(null);
+
+    loadZxcvbnIfNotPresent();
 
     const validateAndSetPassword = (event: any) => {
         setValidPassword(
@@ -41,16 +46,31 @@ const ResetPasswordHandlerComponent = ({urlToken, handleResetPassword, verifyPas
 
     return <Container id="email-verification">
         <div>
-            <h3>Password Change</h3>
+            <h3>Password change</h3>
             <Card>
                 <CardBody>
                     <Form name="passwordReset">
                         <FormGroup>
-                            <Label htmlFor="password-input">New Password</Label>
-                            <Input id="password" type="password" name="password" required/>
+                            <Label htmlFor="password-input">New password</Label>
+                            <Input id="password" type="password" name="password"
+                                onChange={(e: React.ChangeEvent<HTMLInputElement>) => {
+                                    passwordDebounce(e.target.value, setPasswordFeedback);
+                                }}
+                                onBlur={(e: React.ChangeEvent<HTMLInputElement>) => {
+                                    passwordDebounce(e.target.value, setPasswordFeedback);
+                                }}
+                                required/>
+                            {passwordFeedback &&
+                            <span className='float-right small mt-1'>
+                                <strong>Password strength: </strong>
+                                <span id="password-strength-feedback">
+                                    {passwordStrengthText[(passwordFeedback as ZxcvbnResult).score]}
+                                </span>
+                            </span>
+                            }
                         </FormGroup>
                         <FormGroup>
-                            <Label htmlFor="password-confirm">Re-enter New Password</Label>
+                            <Label htmlFor="password-confirm">Re-enter new password</Label>
                             <Input invalid={!isValidPassword} id="password-confirm" type="password" name="password" onBlur={(e: any) => {
                                 validateAndSetPassword(e);
                                 (e.target.value == (document.getElementById("password") as HTMLInputElement).value) ? setCurrentPassword(e.target.value) : null}

src/app/components/pages/Registration.tsx

@@ -16,14 +16,15 @@ import {
     Label,
     Row
 } from "reactstrap";
-import {LoggedInUser, LoggedInValidationUser, UserPreferencesDTO} from "../../../IsaacAppTypes";
+import {LoggedInUser, LoggedInValidationUser, UserPreferencesDTO, ZxcvbnResult} from "../../../IsaacAppTypes";
 import {AppState} from "../../state/reducers";
 import {updateCurrentUser} from "../../state/actions";
 import {history} from "../../services/history"
 import {isDobOverThirteen, validateEmail, validatePassword} from "../../services/validation";
 import {TitleAndBreadcrumb} from "../elements/TitleAndBreadcrumb";
 import * as persistence from "../../services/localStorage"
 import {KEY} from "../../services/localStorage"
+import {loadZxcvbnIfNotPresent, passwordDebounce, passwordStrengthText} from "../../services/passwordStrength"
 import {DateInput} from "../elements/DateInput";
 import {FIRST_LOGIN_STATE} from "../../services/firstLogin";
 import {Redirect} from "react-router";
@@ -60,9 +61,13 @@ const RegistrationPageComponent = ({user, updateCurrentUser, errorMessage, userE
             password: null,
         })
     );
+
+    loadZxcvbnIfNotPresent();
+
     const [unverifiedPassword, setUnverifiedPassword] = useState(userPassword);
     const [dobCheckboxChecked, setDobCheckboxChecked] = useState(false);
     const [attemptedSignUp, setAttemptedSignUp] = useState(false);
+    const [passwordFeedback, setPasswordFeedback] = useState<ZxcvbnResult | null>(null);
 
 
     // Values derived from inputs (props and state)
@@ -165,8 +170,20 @@ const RegistrationPageComponent = ({user, updateCurrentUser, errorMessage, userE
                                     defaultValue={userPassword}
                                     onChange={(e: React.ChangeEvent<HTMLInputElement>) => {
                                         setUnverifiedPassword(e.target.value);
+                                        passwordDebounce(e.target.value, setPasswordFeedback);
+                                    }}
+                                    onBlur={(e: React.ChangeEvent<HTMLInputElement>) => {
+                                        passwordDebounce(e.target.value, setPasswordFeedback);
                                     }}
                                 />
+                                {passwordFeedback &&
+                                    <span className='float-right small mt-1'>
+                                        <strong>Password strength: </strong>
+                                        <span id="password-strength-feedback">
+                                            {passwordStrengthText[(passwordFeedback as ZxcvbnResult).score]}
+                                        </span>
+                                    </span>
+                                }
                             </FormGroup>
                         </Col>
                         <Col md={6}>

src/app/services/passwordStrength.ts

@@ -0,0 +1,51 @@
+import {ZxcvbnResult} from "../../IsaacAppTypes";
+
+export const passwordStrengthText: {[score: number]: string} = {
+    0: "Very Weak",
+    1: "Weak",
+    2: "Fair",
+    3: "Strong",
+    4: "Very Strong"
+};
+
+
+export function loadZxcvbnIfNotPresent() {
+    // Since zxcvbn.js is ~1MB we only want to load it when it is genuinely required.
+    // We also don't want to load it if we already have:
+    let zxcvbnScriptId = "zxcvbn-script";
+    if (!('zxcvbn' in window) && !document.getElementById(zxcvbnScriptId)) {
+        let zxcvbnScript = document.createElement('script');
+        zxcvbnScript.id = zxcvbnScriptId;
+        zxcvbnScript.src = 'https://cdn.isaaccomputerscience.org/vendor/dropbox/zxcvbn-isaac.js';
+        zxcvbnScript.type = 'text/javascript';
+        zxcvbnScript.async = true;
+        document.head.appendChild(zxcvbnScript);
+    }
+}
+
+const maxPasswordCheckChars = 50;  // Check only the first maxPasswordCheckChars of a password.
+
+function calculatePasswordStrength(password: string, firstName?: string, lastName?: string, email?: string) {
+    if (!password || !('zxcvbn' in window)) {
+        // Fail fast on empty input or if library not loaded!
+        return null;
+    }
+    let isaacTerms = ["Isaac Computer Science", "Isaac", "IsaacComputerScience", "isaaccomputerscience.org",
+        "Isaac Computer", "Isaac CS", "IsaacCS", "ICS",
+        "ComputerScience", "Computer Science", "Computer", "Science", "CompSci", "Computing",
+        "A Level", "ALevel", "A-Level", "Homework", "Classroom", "School", "College", "Lesson",
+        "http", "https", "https://", firstName, lastName, email];
+    let passwordToCheck = password.substring(0, maxPasswordCheckChars).replace(/\s/g, "");
+    let feedback: ZxcvbnResult = (window as any)['zxcvbn'](passwordToCheck, isaacTerms);
+    return feedback;
+}
+
+
+let timer: any = null;
+
+export function passwordDebounce(password: string, callback: (feedback: ZxcvbnResult|null) => void) {
+    if (timer !== null) {
+        clearTimeout(timer);
+    }
+    timer = setTimeout(() => callback(calculatePasswordStrength(password)), 300);
+}