From e0d9bca13c950ba34ff4edb127a89cdb9d8e1ca1 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Tim=20D=C3=BCsterhus?=
Date: Thu, 16 Jul 2020 14:59:34 +0200
Subject: [PATCH] Add zxcvbn to NewPasswordForm
---
 com.woltlab.wcf/templates/newPassword.tpl | 11 +++++++++++
 .../files/lib/form/NewPasswordForm.class.php | 17 ++++++++++++++++-
 2 files changed, 27 insertions(+), 1 deletion(-)
diff --git a/com.woltlab.wcf/templates/newPassword.tpl b/com.woltlab.wcf/templates/newPassword.tpl
index fd97591060..d8261c9c75 100644
--- a/com.woltlab.wcf/templates/newPassword.tpl
+++ b/com.woltlab.wcf/templates/newPassword.tpl
@@ -35,6 +35,17 @@ {event name='fields'} + + {event name='sections'}
diff --git a/wcfsetup/install/files/lib/form/NewPasswordForm.class.php b/wcfsetup/install/files/lib/form/NewPasswordForm.class.php
index c6a7a85c2e..a48753cd9a 100644
--- a/wcfsetup/install/files/lib/form/NewPasswordForm.class.php
+++ b/wcfsetup/install/files/lib/form/NewPasswordForm.class.php
@@ -5,10 +5,12 @@ use wcf\data\user\UserAction;
 use wcf\system\exception\IllegalLinkException;
 use wcf\system\exception\NamedUserException;
 use wcf\system\exception\PermissionDeniedException;
+use wcf\system\exception\SystemException;
 use wcf\system\exception\UserInputException;
 use wcf\system\request\LinkHandler;
 use wcf\system\WCF;
 use wcf\util\HeaderUtil;
+use wcf\util\JSON;
 use wcf\util\StringUtil;
 use wcf\util\UserRegistrationUtil;
@@ -47,6 +49,11 @@ class NewPasswordForm extends AbstractForm {
 */
 public $newPassword = '';
+ /**
+ * @var mixed[]
+ */
+ public $newPasswordStrengtVerdict = [];
+
 /**
 * confirmed new password
 * @var string
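Review bot: The property added in the `@@ -47,6 +49,11 @@` hunk is declared as `$newPasswordStrengtVerdict` (the second "h" is missing), while the `@@ -102,6 +109,14 @@` and `@@ -119,7 +134,7 @@` hunks read and write `$this->newPasswordStrengthVerdict`. As written, the declared property is never used and the decoded verdict lands in an undeclared dynamic property, so the `[]` default and the `@var mixed[]` annotation do not apply to the value that is validated. Rename the declaration to `public $newPasswordStrengthVerdict = [];`. The docblock also has no description line; something like `* password strength verdict as reported by the client (decoded JSON)` would tell a reader that the content is request data.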
@@ -102,6 +109,14 @@ class NewPasswordForm extends AbstractForm {
 parent::readFormParameters();
 if (isset($_POST['newPassword'])) $this->newPassword = $_POST['newPassword'];
+ if (isset($_POST['newPassword_passwordStrengthVerdict'])) {
+ try {
+ $this->newPasswordStrengthVerdict = JSON::decode($_POST['newPassword_passwordStrengthVerdict']);
+ }
+ catch (SystemException $e) {
+ // ignore
+ }
+ }
 if (isset($_POST['confirmNewPassword'])) $this->confirmNewPassword = $_POST['confirmNewPassword'];
 }
@@ -119,7 +134,7 @@ class NewPasswordForm extends AbstractForm {
 throw new UserInputException('confirmNewPassword');
 }
- if (!UserRegistrationUtil::isSecurePassword($this->newPassword)) {
+ if (($this->newPasswordStrengthVerdict['score'] ?? 4) < PASSWORD_MIN_SCORE) {
 throw new UserInputException('newPassword', 'notSecure');
 }
--
2.20.1
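Review bot: In the `@@ -102,6 +109,14 @@` hunk the result of `JSON::decode()` on a raw `$_POST` value is stored without checking its shape, so valid JSON that is not an object (a number, a string, `null`) would replace the array the property is documented to hold. Assign only when the decoded value is an array, e.g. `$verdict = JSON::decode($_POST['newPassword_passwordStrengthVerdict']);` followed by `if (is_array($verdict)) $this->newPasswordStrengthVerdict = $verdict;`. The bare `// ignore` could say what ignoring implies, for instance `// malformed verdict: keep the default, validate() applies its fallback score`. The enclosing method starts before the hunk.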
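Review bot: The strength check in the `@@ -119,7 +134,7 @@` hunk now rests only on a `score` taken from the request, and `?? 4` treats a missing score as the top of zxcvbn's 0–4 scale. With `UserRegistrationUtil::isSecurePassword()` removed, the server no longer applies any password check of its own. A request that omits or alters `newPassword_passwordStrengthVerdict` is therefore not held to `PASSWORD_MIN_SCORE`, which makes that setting advisory rather than enforced. If the minimum is meant to be binding, the score needs to be computed or re-checked on the server. If the fallback is deliberate (presumably for clients without JavaScript), a comment should say so and `score` should be confirmed to be an integer first, e.g. `$score = $this->newPasswordStrengthVerdict['score'] ?? 4;` then `if (!is_int($score) || $score < PASSWORD_MIN_SCORE) {`. The enclosing method starts and ends outside the hunk.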