feat: reject common passwords in SetupRequest

- Add ~75 common plaintext passwords to setup.py validator
- Check case-insensitively; passes complexity but blocked
- Add tests: reject common, accept unique, short common fail on length
- Update Security.md docs

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-05-03 18:25:17 +02:00
parent 96525573fa
commit c96b87ee8b
3 changed files with 30 additions and 36 deletions


@@ -88,6 +88,7 @@ See `backend/app/middleware/csrf.py` and `backend/app/middleware/rate_limit.py`
- Passwords are hashed with SHA256 on the frontend before transmission
- The backend never stores plain-text passwords
- See `backend/app/services/auth.py` for authentication implementation
- **Common password prevention:** The setup validator rejects a list of ~75 common plaintext passwords that pass structural complexity checks (e.g., `Password1!`). The list is embedded in `backend/app/models/setup.py` and is checked case-insensitively.
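Review bot: The new bullet conflicts with the bullet three lines above it in the same hunk: if passwords are hashed with SHA256 on the frontend before transmission, the validator in `backend/app/models/setup.py` never sees the plaintext, so it cannot compare case-insensitively against a plaintext list. Please state which it is: either the check runs client-side before hashing, or the backend compares the received hash against precomputed hashes of the list, in which case "checked case-insensitively" only holds if a hash is stored per case variant and the wording should say so. Also consider replacing "~75" with the exact count or a reference to the list constant, so the doc does not drift from the code as entries are added.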
---