Open Closed

Password length in appsettings #10342


0
outdoored created

10.3 MVC .net Core

Testing out the latest version to work out upgrading from 8.5. I am trying toi minimize the amoubnt of custom coding I need to do to make it easier to update future versions. One thing that is still set still hardcoded in the app is password length of 3 which is of course not an acceptable value. It would be really great if this essential security element could be set in appsettings rather than having to redo the code every time.


3 Answer(s)
  • 0
    musa.demir created
    Support Team

    Hi @outdoored

    Can you please point me the place where that 3 length password is?

    https://github.com/aspnetzero/aspnet-zero-core/blob/dev/aspnet-core/src/MyCompanyName.AbpZeroTemplate.Web.Mvc/appsettings.json

  • 0
    outdoored created

    Here is a screen shot of 10.3 Net Core 5 Jquery showing the hardcoded value of 3. The initial install has no value for password length in the AbpSettings table. The first time you edit something on the Settings\Security page values get written to the AbpSettings table but then I can even set the password length to 1

    16 2021-05-25 21:24:46.9635847 2 2021-05-25 21:27:40.7215188 2 Abp.Zero.UserManagement.PasswordComplexity.RequiredLength 1 NULL 1

    The code is in \Admin\Controllers\UsersController.cs starting at line 79

    I think this is the 10.3 code

        public async Task<PartialViewResult> CreateOrEditModal(long? id)
        {
            var output = await _userAppService.GetUserForEdit(new NullableIdDto<long> {Id = id});
            var viewModel = ObjectMapper.Map<CreateOrEditUserModalViewModel>(output);
            viewModel.PasswordComplexitySetting = await _passwordComplexitySettingStore.GetSettingsAsync();
    
            return PartialView("_CreateOrEditModal", viewModel);
        }
        
    

    This is the code from 8.5 and where we added the password length to the viewmodel \Admin\Controllers\UsersController.cs starting at line 77

        [AbpMvcAuthorize(AppPermissions.Pages_Administration_Users_Create, AppPermissions.Pages_Administration_Users_Edit)]
        public async Task<PartialViewResult> CreateOrEditModal(long? id)
        {
            var output = await _userAppService.GetUserForEdit(new NullableIdDto<long> { Id = id });
            var viewModel = ObjectMapper.Map<CreateOrEditUserModalViewModel>(output);
            viewModel.PasswordComplexitySetting = await _passwordComplexitySettingStore.GetSettingsAsync();
    

    ** viewModel.PasswordComplexitySetting.RequiredLength = 12;**

            return PartialView("_CreateOrEditModal", viewModel);
        }
        
        
    

    A sloppy Tenant can create an incredibly unsafe site with these defaults. There should be a default minimum length should be something that can be edited in appsettings rather than having to rewrite core code to prevent Users from saving an unsafe password length to the database.

  • 0
    musa.demir created
    Support Team

    Hi @outdoored

    The reason why do dont see any data in db untill you make any change is it is how it work. It uses default value if there is no override in the db. And its default value is 3. We may change it. You can also change settings page and related server endpoint to force user to use min x charater in password.

    An issue is created about it https://github.com/aspnetzero/aspnet-zero-core/issues/3935