增加密码强度校验规则

2026-01-25 07:46:40 +08:00 · 2023-12-01 22:13:23 +08:00
parent 51ac3f8ff8
commit 0d605d002d
4 changed files with 38 additions and 6 deletions
--- a/pom.xml
+++ b/pom.xml
@@ -65,6 +65,12 @@
            <artifactId>spring-boot-starter-websocket</artifactId>
        </dependency>

+        <dependency>
+            <groupId>com.nulab-inc</groupId>
+            <artifactId>zxcvbn</artifactId>
+            <version>1.8.2</version>
+        </dependency>
+
        <dependency>
            <groupId>com.aliyun.oss</groupId>
            <artifactId>aliyun-sdk-oss</artifactId>
--- a/src/main/java/cn/lihongjie/coal/common/Constants.java
+++ b/src/main/java/cn/lihongjie/coal/common/Constants.java
@@ -40,6 +40,7 @@ public class Constants {
    public static String SYSCONFIG_ACCOUNT_MAX_ONLINE = "account_max_online";
    public static String SYSCONFIG_RESETPWD_ENABLE = "resetpwd_enable";
    public static String SYSCONFIG_PASSWORD_DICT_DETECT = "password_dict_detect";
+    public static String SYSCONFIG_PASSWORD_STRENGTH_MIN = "password_strength_min";
    public static String SYSCONFIG_RESETPWD_TIMEOUT = "resetpwd_timeout";
    public static String SYSCONFIG_RESETPWD_MAX_FAIL_COUNT = "resetpwd_max_fail_count";
    public static String SYSCONFIG_SESSION_GLOBAL_RATE_LIMIT_PER_MIN = "session_global_rate_limit_per_min";
--- a/src/main/java/cn/lihongjie/coal/sysconfig/service/SysConfigService.java
+++ b/src/main/java/cn/lihongjie/coal/sysconfig/service/SysConfigService.java
@@ -174,7 +174,13 @@ public class SysConfigService extends BaseService<SysConfigEntity, SysConfigRepo


        addDictConfig(all, Constants.SYSCONFIG_PASSWORD_DICT_DETECT, "密码字典检测", "1", "status.type");
-
+        addNumberConfig(
+                all,
+                Constants.SYSCONFIG_PASSWORD_STRENGTH_MIN,
+                "密码强度最小值(0不校验)",
+                2+"",
+                0L,
+                Integer.MAX_VALUE);
    }

    private void addNumberConfig(
--- a/src/main/java/cn/lihongjie/coal/user/service/UserService.java
+++ b/src/main/java/cn/lihongjie/coal/user/service/UserService.java
@@ -25,6 +25,9 @@ import cn.lihongjie.coal.user.entity.UserEntity;
 import cn.lihongjie.coal.user.mapper.UserMapper;
 import cn.lihongjie.coal.user.repository.UserRepository;

+import com.nulabinc.zxcvbn.Strength;
+import com.nulabinc.zxcvbn.Zxcvbn;
+
 import io.vavr.collection.Stream;

 import jakarta.annotation.PostConstruct;
@@ -99,7 +102,7 @@ public class UserService extends BaseService<UserEntity, UserRepository> {
            stopWatch.start("encode");
            String password = request.getPassword();

-            checkPassDict(password);
+            checkPassword(password);

            request.setPassword(passwordEncoder.encode(password));
            stopWatch.stop();
@@ -117,12 +120,28 @@ public class UserService extends BaseService<UserEntity, UserRepository> {
        }
    }

-    private void checkPassDict(String password) {
+    private void checkPassword(String password) {
        if (sysConfigService.isEnable(Constants.SYSCONFIG_PASSWORD_DICT_DETECT)) {
            if (passwordDictService.isInDict(password)) {
                throw new BizException("当前密码为常见密码，请重新设置");
            }
        }
+
+        Integer strength = passwordStrength(password);
+        int strength_min =
+                Integer.parseInt(
+                        sysConfigService.getConfigVal(Constants.SYSCONFIG_PASSWORD_STRENGTH_MIN));
+        log.info("密码强度校验，当前密码强度为 {}，最低要求为 {}", strength, strength_min);
+        if (strength_min > strength) {
+            throw new BizException("密码强度过低，请重新设置");
+        }
+    }
+
+    public Integer passwordStrength(String password) {
+
+        Zxcvbn zxcvbn = new Zxcvbn();
+        Strength strength = zxcvbn.measure(password);
+        return strength.getScore();
    }

    private void checkDuplicateUserName(String username) {
@@ -136,7 +155,7 @@ public class UserService extends BaseService<UserEntity, UserRepository> {

        StopWatch stopWatch = new StopWatch();
        checkDuplicateUserName(request.getUsername());
-        checkPassDict(request.getPassword());
+        checkPassword(request.getPassword());
        try {
            stopWatch.start("encode");
            request.setPassword(passwordEncoder.encode(request.getPassword()));
@@ -199,7 +218,7 @@ public class UserService extends BaseService<UserEntity, UserRepository> {
            throw new BizException("两次输入的密码不一致");
        }

-        checkPassDict(request.getNewPassword());
+        checkPassword(request.getNewPassword());

        user.setPassword(passwordEncoder.encode(request.getNewPassword()));

@@ -211,7 +230,7 @@ public class UserService extends BaseService<UserEntity, UserRepository> {
    public void resetPwd(String userId, String password) {

        UserEntity user = repository.findById(userId).orElseThrow(() -> new BizException("用户不存在"));
-        checkPassDict(password);
+        checkPassword(password);
        user.setPassword(passwordEncoder.encode(password));

        repository.save(user);