From 363ba03a55787af9cc26db8276268b09c0253f24 Mon Sep 17 00:00:00 2001
From: Milton Reder
Date: Mon, 20 May 2024 14:30:48 -0400
Subject: [PATCH 1/2] Make password fully random

---
 auth.php | 60 +++++++++++++++++++++++++++++++-------------------------
 1 file changed, 33 insertions(+), 27 deletions(-)

diff --git a/auth.php b/auth.php
index f2511c3..1dbc17d 100755
--- a/auth.php
+++ b/auth.php
@@ -19,6 +19,7 @@
  *
  * @package auth_jwt
  * @author Trey Hayden
+ * Milt Reder
  * @license http://www.gnu.org/copyleft/gpl.html GNU Public License
  */
 
@@ -71,6 +72,36 @@ public function loginpage_hook() {
         $this->attempt_jwt_login();
     }
 
+    private function generateRandomPassword($length = 12) {
+        $characters = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_=+';
+        $charactersLength = strlen($characters);
+        $randomPassword = '';
+        for ($i = 0; $i < $length; $i++) {
+            $randomPassword .= $characters[random_int(0, $charactersLength - 1)];
+        }
+
+        // Ensure the password meets Moodle's requirements
+        // At least one lowercase letter
+        if (!preg_match('/[a-z]/', $randomPassword)) {
+            $randomPassword .= 'a';
+        }
+        // At least one uppercase letter
+        if (!preg_match('/[A-Z]/', $randomPassword)) {
+            $randomPassword .= 'A';
+        }
+        // At least one digit
+        if (!preg_match('/\d/', $randomPassword)) {
+            $randomPassword .= '1';
+        }
+        // At least one special character
+        if (!preg_match('/[\W_]/', $randomPassword)) {
+            $randomPassword .= '!';
+        }
+
+        // Shuffle the password to ensure randomness
+        return str_shuffle($randomPassword);
+    }
+
     private function attempt_jwt_login() {
         global $CFG, $DB;
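Review bot: `str_shuffle()` on the last line of generateRandomPassword is not a cryptographically secure shuffle (PHP documents it as unsuitable for security purposes), so the "Shuffle the password to ensure randomness" comment is misleading: the shuffle adds no entropy, and whenever one of the four fixed fallback characters (`'a'`, `'A'`, `'1'`, `'!'`) has been appended, its final position is chosen by the weak generator while the overall distribution is no longer uniform. Drawing the whole string from random_int() and redrawing until every required character class is present keeps each character uniform and removes both the padding and the shuffle; at 12 characters the expected number of redraws is small. The method also lacks a docblock and parameter/return types, and its camelCase name breaks with the file's snake_case methods (loginpage_hook, attempt_jwt_login, has_env_bool). The fixed default of 12 is independent of the site's password policy; if the site's minpasswordlength setting can exceed it, the caller should pass the larger value or validate the result with check_password_policy().
```php
    /**
     * Build a password of $length characters drawn uniformly with random_int(),
     * redrawn until it contains a lowercase letter, an uppercase letter, a digit
     * and a special character.
     *
     * @param int $length number of characters; values below 4 are raised to 4
     * @return string
     */
    private function generateRandomPassword(int $length = 12): string {
        $characters = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_=+';
        $charactersLength = strlen($characters);
        // Four classes are required, so fewer than four characters could never terminate the loop.
        $length = max(4, $length);
        do {
            $randomPassword = '';
            for ($i = 0; $i < $length; $i++) {
                $randomPassword .= $characters[random_int(0, $charactersLength - 1)];
            }
        } while (!preg_match('/[a-z]/', $randomPassword)
            || !preg_match('/[A-Z]/', $randomPassword)
            || !preg_match('/\d/', $randomPassword)
            || !preg_match('/[\W_]/', $randomPassword));
        return $randomPassword;
    }
```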
@@ -155,34 +186,9 @@ private function attempt_jwt_login() {
         if ($this->has_env_bool("MOODLE_JWT_ASSIGN_RANDOM_PASSWORD")) {
             /**
-             * The "salt" here will simply be a character block to satisfy password reqs.
-             *
-             * There are several fairly random properties to choose from, but we will leave
-             * the specification to the configuration folks. If not specified, then we will
-             * use JWT-standard properties in their place.
+             * Assign a random password that meets Moodle's requirements
              */
-            $requirementSalt = "aA_12345678";
-
-            $envPropertyFirst = getenv("MOODLE_JWT_ASSIGN_RANDOM_PASSWORD_PROPERTY_FIRST");
-            $envPropertySecond = getenv("MOODLE_JWT_ASSIGN_RANDOM_PASSWORD_PROPERTY_SECOND");
-
-            $firstChunk = $payload->sub;
-            $secondChunk = $payload->iss;
-
-            if ($envPropertyFirst != false) {
-                if (property_exists($payload, $envPropertyFirst)) {
-                    $firstChunk = $payload->$envPropertyFirst;
-                }
-            }
-
-            if ($envPropertySecond != false) {
-                if (property_exists($payload, $envPropertySecond)) {
-                    $secondChunk = $payload->$envPropertySecond;
-                }
-            }
-
-
-            $password = time() . $firstChunk . $secondChunk . $requirementSalt;
+            $password = $this->generateRandomPassword();
         }
 
         $user = create_user_record($username, $password, "jwt");

From 24cbb131e0be4b2f7f6fce2485d6bc9cf2ba77f3 Mon Sep 17 00:00:00 2001
From: Milton Reder
Date: Mon, 20 May 2024 14:38:42 -0400
Subject: [PATCH 2/2] added doc on random pass

---
 README.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/README.md b/README.md
index baa760d..83d0bc9 100644
--- a/README.md
+++ b/README.md
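Review bot: The two environment variables the removed block read, `MOODLE_JWT_ASSIGN_RANDOM_PASSWORD_PROPERTY_FIRST` and `MOODLE_JWT_ASSIGN_RANDOM_PASSWORD_PROPERTY_SECOND`, are now silently ignored, so an installation that still sets them gets no hint that its configuration is dead; a `debugging()` notice when either is set, or a README line saying they were removed, would avoid that (the README change in the second patch only documents `MOODLE_JWT_ASSIGN_RANDOM_PASSWORD`). The replacement comment keeps `/** … */` docblock syntax on a statement inside the method body, where a plain `// Assign a random password that satisfies Moodle's password policy.` is the usual form for an inline comment. attempt_jwt_login starts and ends outside this hunk, so where `$password` is initialised when the flag is unset is not visible here.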
@@ -17,6 +17,7 @@ Aside from importing the release zip through the Moodle admin page, your Moodle
 - `MOODLE_JWT_ISSUER`: The authority issuing the expected JWTs.
 - `MOODLE_JWT_CHECK_CLIENT`: Whether to check the JWT's client.
 - `MOODLE_JWT_CLIENT`: The client ID for your SSO realm.
+- `MOODLE_JWT_ASSIGN_RANDOM_PASSWORD`: If `true` will generate a random local password for the user, required by Moodle 4.3 and up.
 
 The plugin can also handle username assignment, but this is usually for special situation where you'd like a specific property to be used. Additionally, special characters can be removed through a regular expression.