FriendsOfFlarum Pwned Passwords

clarkwinkelmann

OrdinaryJellyfish would it show something like a warning prompt that says they should probably change their password

What I would suggest:

If we don't enforce the no-password-reuse, then show a banner like for email validation or new terms of use in Flagrow Terms. Make it dismissable or not depending on how ~~annoying~~ insistent you want to be.

If we enforce the no reuse, then redirect to a separate screen like for 2FA on most websites and ask to set a new password. Or more simply, lock the user and show a modal upon login, just like the terms extension (lot of similarities I realize).

A flag could be set on the user record during login to indicate whether the last password used for login was vulnerable, then use that to alter the UI or lock the user.

Or more radical, reject login and send a password reset email automatically.

Ralkage

clarkwinkelmann a custom alert? 🤔 not bad, not bad at all.

I assume you mean this peace, though 😀

OrdinaryJellyfish

clarkwinkelmann If we don't enforce the no-password-reuse, then show a banner like for email validation or new terms of use in Flagrow Terms

That sounds like what I'm going to do. Non-dismissable would probably annoy them enough to reset their password 😉

Ralkage I assume you mean this peace, though

You mean piece? 😛

OrdinaryJellyfish

0.3.0

Moved to FriendsOfFlarum
Add check on login (optional, of course!)
Fix password reset view

Updating

composer update fof/components
composer require fof/pwned-passwords

If migrating from ReFlar, disable & remove the ReFlar extension after enabling this one.

[deleted]

[deleted] Same here

luceos

try this:

composer require fof/pwned-passwords --update-with-dependencies

Nerd talk / how to dissect the composer log

composer output isn't really sorted based on what it finds first
it mentions as 4th entry that fof/pwned-passwords needs fof/components, but at least 0.1.1
it mentions as last entry that fof/components was requested, but it is locked at 0.1.0; that it is locked means that it already exists in the composer.lock; this means that either your composer.json requires it, or that one of the entries has it as a dependencies

As a result it tries to push fof/components to 0.1.1, but can't because the lock file tells composer it should install 0.1.0. As composer require is supposed to install new things matching your current configuration/dependencies, it cannot update fof/components. However the flag --update-with-dependencies does allow to update dependencies of just the one package we're installing.

[deleted]

luceos Fails with "Nerd Talk" switch enabled !

phenomlab@vps:~/forum.phenomlab.com$ composer require fof/pwned-passwords --update-with-dependencies
Using version ^0.3.0 for fof/pwned-passwords
./composer.json has been updated
Loading composer repositories with package information
Updating dependencies (including require-dev)
Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - Can only install one of: fof/components[0.1.1, 0.1.0].
    - Can only install one of: fof/components[0.1.1, 0.1.0].
    - Can only install one of: fof/components[0.1.1, 0.1.0].
    - fof/pwned-passwords 0.3.0 requires fof/components >=0.1.1 -> satisfiable by fof/components[0.1.1].
    - Installation request for fof/pwned-passwords ^0.3.0 -> satisfiable by fof/pwned-passwords[0.3.0].
    - Installation request for fof/components (locked at 0.1.0) -> satisfiable by fof/components[0.1.0].


Installation failed, reverting ./composer.json to its original content.

datitisev

[deleted] [deleted] Could you run composer why fof/components so I can see which extension is causing the issue?

luceos

Last idea would be to use this:

composer require fof/pwned-passwords --update-with-all-dependencies

[deleted]

datitisev
fof/best-answer 0.1.4 requires fof/components (>=0.1.0) fof/formatting 0.1.4 requires fof/components (>=0.1.0) fof/stopforumspam 0.2.1 requires fof/components (>=0.1.0)

[deleted]

[deleted] #metoo

OrdinaryJellyfish

[deleted] [deleted] that's pretty odd. I was able to reproduce the issue by downgrading fof/components to 0.1.0. Like you said, luceo's suggested solutions didn't work for me either. I was able to fix it, however, by upgrading fof/components (composer update fof/components) and then installing pwned passwords. Not sure why composer doesn't want to update fof/components...

[deleted]

OrdinaryJellyfish Works fine for me !
Thanks

[deleted]

OrdinaryJellyfish Thanks.

YUX-IO

i'm getting this and i have to remove the extension. how can i fix this?
thanks!

Flarum encountered a boot error (ReflectionException)
Class FoF\PwnedPasswords\Listeners\AddMiddleware does not exist
thrown in /www/wwwroot/flarum/vendor/illuminate/container/Container.php on line 779

OrdinaryJellyfish

0.4.0

Added option to restrict pwned admin privileges
New PwnedPasswordDetected event
Now requires beta 12 or up

Updating

composer update fof/pwned-passwords

karaok

0.5.0

beta 14 ready 🥳

Updating

composer require fof/pwned-passwords
php flarum cache:clear

karaok

0.5.1

Allow guzzlehttp/guzzle v6.x or v7.x

IanM

0.6.0

Flarum beta 15 support

« Previous Page Next Page »