feat: Phase 4 - password validation, force password reset flow, account lockout, QR code for MFA

2026-05-07 17:53:16 +00:00
parent b5b975e7e5
commit cc1214a963
13 changed files with 889 additions and 68 deletions
--- a/crates/pm-web/src/routes/users.rs
+++ b/crates/pm-web/src/routes/users.rs
@ -16,6 +16,7 @@ use axum::{
    Router,
 };
 use pm_auth::{hash_password, rbac::AuthUser, session::force_logout, verify_password};
+use pm_auth::validate_password_strength;
 use pm_core::{
    audit::{log_event, AuditAction},
    models::{AdminResetPasswordRequest, ChangePasswordRequest, CreateUserRequest, UpdateUserRequest, User},
@ -77,6 +78,14 @@ async fn create_user(
        ));
    }

+    // Validate password strength
+    if let Err(msg) = validate_password_strength(&req.password) {
+        return Err((
+            StatusCode::BAD_REQUEST,
+            Json(json!({ "error": { "code": "weak_password", "message": msg } })),
+        ));
+    }
+
    let hash = hash_password(&req.password).map_err(|e| {
        (
            StatusCode::INTERNAL_SERVER_ERROR,
@ -371,6 +380,14 @@ async fn change_own_password(
        ));
    }

+    // Validate new password strength
+    if let Err(msg) = validate_password_strength(&req.new_password) {
+        return Err((
+            StatusCode::BAD_REQUEST,
+            Json(json!({ "error": { "code": "weak_password", "message": msg } })),
+        ));
+    }
+
    let new_hash = hash_password(&req.new_password).map_err(|e| {
        (
            StatusCode::INTERNAL_SERVER_ERROR,
@ -445,6 +462,14 @@ async fn admin_reset_password(
        ));
    }

+    // Validate new password strength
+    if let Err(msg) = validate_password_strength(&req.new_password) {
+        return Err((
+            StatusCode::BAD_REQUEST,
+            Json(json!({ "error": { "code": "weak_password", "message": msg } })),
+        ));
+    }
+
    let new_hash = hash_password(&req.new_password).map_err(|e| {
        (
            StatusCode::INTERNAL_SERVER_ERROR,