From 9e1bf0f94d4882922b271d078dd2cd6e8ce36fd7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Xose=20P=C3=A9rez?=
Date: Sat, 31 Dec 2016 05:31:03 +0100
Subject: [PATCH] Enforce minimum password strength in web interface
---
 code/html/custom.js | 37 ++++++++++++++++++++++++++++++++++---
 code/html/index.html | 4 +++-
 2 files changed, 37 insertions(+), 4 deletions(-)
diff --git a/code/html/custom.js b/code/html/custom.js
index 4433d810..d721084b 100644
--- a/code/html/custom.js
+++ b/code/html/custom.js
@@ -1,10 +1,41 @@
 var websock;
 var password = false;
+// http://www.the-art-of-web.com/javascript/validate-password/
+function checkPassword(str) {
+ // at least one number, one lowercase and one uppercase letter
+ // at least eight characters that are letters, numbers or the underscore
+ var re = /^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])\w{8,}$/;
+ return re.test(str);
+}
+
+function validateForm() {
+
+ var form = $("#formSave");
+
+ // password
+ var adminPass1 = $("input[name='adminPass1']", form).val();
+ if (adminPass1.length > 0 && !checkPassword(adminPass1)) {
+ alert("The password you have entered is not valid, it must have at least 8 characters, 1 lower and 1 uppercase and 1 number!");
+ return false;
+ }
+
+ var adminPass2 = $("input[name='adminPass2']", form).val();
+ if (adminPass1 != adminPass2) {
+ alert("Passwords are different!");
+ return false;
+ }
+
+ return true;
+
+}
+
 function doUpdate() {
- var data = $("#formSave").serializeArray();
- websock.send(JSON.stringify({'config': data}));
- $(".powExpected").val(0);
+ if (validateForm()) {
+ var data = $("#formSave").serializeArray();
+ websock.send(JSON.stringify({'config': data}));
+ $(".powExpected").val(0);
+ }
 return false;
 }
diff --git a/code/html/index.html b/code/html/index.html
index c7b3cb69..2045e6c0 100644
--- a/code/html/index.html
+++ b/code/html/index.html
@@ -227,7 +227,9 @@
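Review bot: The strength check added in `validateForm()` runs only in the browser, so it binds only users of this page; the code that receives the `config` message sent by `doUpdate()` is not part of this diff, and unless it repeats the same length and character-class test, a client that sends that message itself can still set a weak admin password. Separately, `\w{8,}` in `checkPassword` limits the whole password to letters, digits and the underscore, so a longer password containing punctuation or spaces is rejected, and the alert text does not mention that restriction. If the device side has no reason to forbid other characters, the last term could accept any printable ASCII, e.g. `var re = /^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])[\x20-\x7E]{8,}$/;`, with the alert and the hint in index.html updated to match. As a style point, `adminPass1 != adminPass2` compares two strings and would read better as `!==`.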
 
-
The administrator password is used to access this web interface (user 'admin'), but also to connect to the device when in AP mode or to flash a new firmware over-the-air (OTA).
+
+ The administrator password is used to access this web interface (user 'admin'), but also to connect to the device when in AP mode or to flash a new firmware over-the-air (OTA).
+ It should have at least eight characters (letters, numbers or the underscore) and at least one number, one lowercase and one uppercase letter.