From 233d4a52b1f53a63563aa3f3b72440bb11d718ca Mon Sep 17 00:00:00 2001
From: =?utf8?q?Tim=20D=C3=BCsterhus?=
Date: Thu, 16 Jul 2020 14:59:53 +0200
Subject: [PATCH] Add zxcvbn to AccountManagementForm
---
 com.woltlab.wcf/templates/accountManagement.tpl | 16 ++++++++++++++++
 .../lib/form/AccountManagementForm.class.php | 17 ++++++++++++++++-
 2 files changed, 32 insertions(+), 1 deletion(-)
diff --git a/com.woltlab.wcf/templates/accountManagement.tpl b/com.woltlab.wcf/templates/accountManagement.tpl
index 1d90843497..06dd3b3467 100644
--- a/com.woltlab.wcf/templates/accountManagement.tpl
+++ b/com.woltlab.wcf/templates/accountManagement.tpl
@@ -100,6 +100,22 @@ {event name='changePasswordFields'} + + {/if}
diff --git a/wcfsetup/install/files/lib/form/AccountManagementForm.class.php b/wcfsetup/install/files/lib/form/AccountManagementForm.class.php
index 286a59badf..88a246a47a 100644
--- a/wcfsetup/install/files/lib/form/AccountManagementForm.class.php
+++ b/wcfsetup/install/files/lib/form/AccountManagementForm.class.php
@@ -7,10 +7,12 @@ use wcf\system\email\mime\MimePartFacade;
 use wcf\system\email\mime\RecipientAwareTextMimePart;
 use wcf\system\email\Email;
 use wcf\system\email\UserMailbox;
+use wcf\system\exception\SystemException;
 use wcf\system\exception\UserInputException;
 use wcf\system\menu\user\UserMenu;
 use wcf\system\WCF;
 use wcf\util\HeaderUtil;
+use wcf\util\JSON;
 use wcf\util\PasswordUtil;
 use wcf\util\StringUtil;
 use wcf\util\UserRegistrationUtil;
@@ -54,6 +56,11 @@ class AccountManagementForm extends AbstractForm {
 	 */
 	public $newPassword = '';
 
+	/**
+	 * @var mixed[]
+	 */
+	public $newPasswordStrengthVerdict = [];
+
 	/**
 	 * confirmed new password
 	 * @var string
@@ -151,6 +158,14 @@ class AccountManagementForm extends AbstractForm {
 		if (isset($_POST['email'])) $this->email = $_POST['email'];
 		if (isset($_POST['confirmEmail'])) $this->confirmEmail = $_POST['confirmEmail'];
 		if (isset($_POST['newPassword'])) $this->newPassword = $_POST['newPassword'];
+		if (isset($_POST['newPassword_passwordStrengthVerdict'])) {
+			try {
+				$this->newPasswordStrengthVerdict = JSON::decode($_POST['newPassword_passwordStrengthVerdict']);
+			}
+			catch (SystemException $e) {
+				// ignore
+			}
+		}
 		if (isset($_POST['confirmNewPassword'])) $this->confirmNewPassword = $_POST['confirmNewPassword'];
 		if (isset($_POST['username'])) $this->username = StringUtil::trim($_POST['username']);
 		if (isset($_POST['quit'])) $this->quit = intval($_POST['quit']);
@@ -215,7 +230,7 @@ class AccountManagementForm extends AbstractForm {
 				throw new UserInputException('confirmNewPassword');
 			}
 
-			if (!UserRegistrationUtil::isSecurePassword($this->newPassword)) {
+			if (($this->newPasswordStrengthVerdict['score'] ?? 4) < PASSWORD_MIN_SCORE) {
 				throw new UserInputException('newPassword', 'notSecure');
 			}
 
-- 2.20.1
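Review bot: The new condition in the `-215,7 +230,7` hunk enforces `PASSWORD_MIN_SCORE` against a score the client supplies itself (`$this->newPasswordStrengthVerdict` is filled from `$_POST['newPassword_passwordStrengthVerdict']` in the `-151,6 +158,14` hunk) and falls back to 4 when the key is absent, so a request that omits or malforms the field, including one whose JSON fails to parse and is silently dropped in the `catch`, passes the check regardless of the password, while the previous server-side `UserRegistrationUtil::isSecurePassword()` check no longer runs at all. Server-side validation should not rest on a client-computed verdict: keep the `isSecurePassword()` check alongside the new one, and treat a missing or non-integer score as a failure, e.g. `$score = $this->newPasswordStrengthVerdict['score'] ?? null;` followed by `if (!is_int($score) || $score < PASSWORD_MIN_SCORE) {`. If the default of 4 is there to keep the form usable without JavaScript, that is an argument for computing the score on the server rather than for trusting the submitted one. The `$_POST`-reading hunk also assigns whatever `JSON::decode()` returns without confirming it is an array; a guard such as `if (is_array($verdict))` before the assignment keeps the property's documented `mixed[]` shape and avoids surprises in the later `['score']` lookup. Both enclosing methods begin and end outside these hunks.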