Various password logic fixes on client and server-side

Fixes #6399
Fixes #6400

public/language/en-GB/user.json

@@ -56,7 +56,6 @@
 	"change_password": "Change Password",
 	"change_password_error": "Invalid Password!",
 	"change_password_error_wrong_current": "Your current password is not correct!",
-	"change_password_error_length": "Password too short!",
 	"change_password_error_match": "Passwords must match!",
 	"change_password_error_privileges": "You do not have the rights to change this password.",
 	"change_password_success": "Your password is updated!",

public/src/client/account/edit/password.js

@@ -23,7 +23,9 @@ define('forum/account/edit/password', ['forum/account/header', 'translator', 'zx
 			var passwordStrength = zxcvbn(password.val());
 			passwordvalid = false;
 			if (password.val().length < ajaxify.data.minimumPasswordLength) {
-				showError(password_notify, '[[user:change_password_error_length]]');
+				showError(password_notify, '[[reset_password:password_too_short]]');
+			} else if (password.val().length > 512) {
+				showError(password_notify, '[[error:password-too-long]]');
 			} else if (!utils.isPasswordValid(password.val())) {
 				showError(password_notify, '[[user:change_password_error]]');
 			} else if (password.val() === ajaxify.data.username) {

public/src/client/register.js

@@ -178,8 +178,8 @@ define('forum/register', ['translator', 'zxcvbn'], function (translator, zxcvbn)
 		var passwordStrength = zxcvbn(password);
 
 		if (password.length < ajaxify.data.minimumPasswordLength) {
-			showError(password_notify, '[[user:change_password_error_length]]');
+			showError(password_notify, '[[reset_password:password_too_short]]');
-		} else if (password.length > 4096) {
+		} else if (password.length > 512) {
 			showError(password_notify, '[[error:password-too-long]]');
 		} else if (!utils.isPasswordValid(password)) {
 			showError(password_notify, '[[user:change_password_error]]');

public/src/client/reset_code.js

@@ -15,6 +15,8 @@ define('forum/reset_code', ['zxcvbn'], function (zxcvbn) {
 			var strength = zxcvbn(password.val());
 			if (password.val().length < ajaxify.data.minimumPasswordLength) {
 				app.alertError('[[reset_password:password_too_short]]');
+			} else if (password.val().length > 512) {
+				app.alertError('[[error:password-too-long]]');
 			} else if (password.val() !== repeat.val()) {
 				app.alertError('[[reset_password:passwords_do_not_match]]');
 			} else if (strength.score < ajaxify.data.minimumPasswordStrength) {

src/user/create.js

@@ -8,6 +8,8 @@ var plugins = require('../plugins');
 var groups = require('../groups');
 var meta = require('../meta');
 
+var zxcvbn = require('zxcvbn');
+
 module.exports = function (User) {
 	User.create = function (data, callback) {
 		data.username = data.username.trim();
@@ -179,18 +181,24 @@ module.exports = function (User) {
 	};
 
 	User.isPasswordValid = function (password, callback) {
+		// Sanity checks: Checks if defined and is string
 		if (!password || !utils.isPasswordValid(password)) {
 			return callback(new Error('[[error:invalid-password]]'));
 		}
 
 		if (password.length < meta.config.minimumPasswordLength) {
-			return callback(new Error('[[user:change_password_error_length]]'));
+			return callback(new Error('[[reset_password:password_too_short]]'));
 		}
 
-		if (password.length > 4096) {
+		if (password.length > 512) {
 			return callback(new Error('[[error:password-too-long]]'));
 		}
 
+		var strength = zxcvbn(password);
+		if (strength.score < meta.config.minimumPasswordStrength) {
+			return callback(new Error('[[user:weak_password]]'));
+		}
+
 		callback();
 	};
 

test/user.js

@@ -71,7 +71,7 @@ describe('User', function () {
 
 		it('should error with invalid password', function (done) {
 			User.create({ username: 'test', password: '1' }, function (err) {
-				assert.equal(err.message, '[[user:change_password_error_length]]');
+				assert.equal(err.message, '[[reset_password:password_too_short]]');
 				done();
 			});
 		});