Make password fully random

README.md

@@ -17,6 +17,7 @@ Aside from importing the release zip through the Moodle admin page, your Moodle
 - `MOODLE_JWT_ISSUER`: The authority issuing the expected JWTs.
 - `MOODLE_JWT_CHECK_CLIENT`: Whether to check the JWT's client.
 - `MOODLE_JWT_CLIENT`: The client ID for your SSO realm.
+- `MOODLE_JWT_ASSIGN_RANDOM_PASSWORD`: If `true` will generate a random local password for the user, required by Moodle 4.3 and up.
 
 The plugin can also handle username assignment, but this is usually for special situation where you'd like a specific property to be used.  Additionally, special characters can be removed through a regular expression.
 

auth.php

@@ -19,6 +19,7 @@
  *
  * @package auth_jwt
  * @author Trey Hayden <[email protected]>
+ *         Milt Reder <[email protected]>
  * @license http://www.gnu.org/copyleft/gpl.html GNU Public License
  */
 
@@ -71,6 +72,36 @@ public function loginpage_hook() {
         $this->attempt_jwt_login();
     }
 
+    private function generateRandomPassword($length = 12) {
+        $characters = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_=+';
+        $charactersLength = strlen($characters);
+        $randomPassword = '';
+        for ($i = 0; $i < $length; $i++) {
+            $randomPassword .= $characters[random_int(0, $charactersLength - 1)];
+        }
+
+        // Ensure the password meets Moodle's requirements
+        // At least one lowercase letter
+        if (!preg_match('/[a-z]/', $randomPassword)) {
+            $randomPassword .= 'a';
+        }
+        // At least one uppercase letter
+        if (!preg_match('/[A-Z]/', $randomPassword)) {
+            $randomPassword .= 'A';
+        }
+        // At least one digit
+        if (!preg_match('/\d/', $randomPassword)) {
+            $randomPassword .= '1';
+        }
+        // At least one special character
+        if (!preg_match('/[\W_]/', $randomPassword)) {
+            $randomPassword .= '!';
+        }
+
+        // Shuffle the password to ensure randomness
+        return str_shuffle($randomPassword);
+    }
+
     private function attempt_jwt_login() {
         global $CFG, $DB;
 
@@ -155,34 +186,9 @@ private function attempt_jwt_login() {
             if ($this->has_env_bool("MOODLE_JWT_ASSIGN_RANDOM_PASSWORD")) {
 
                 /**
-                 * The "salt" here will simply be a character block to satisfy password reqs.
-                 * 
-                 * There are several fairly random properties to choose from, but we will leave
-                 * the specification to the configuration folks.  If not specified, then we will
-                 * use JWT-standard properties in their place.
+                 * Assign a random password that meets Moodle's requirements
                  */
-                $requirementSalt = "aA_12345678";
-
-                $envPropertyFirst = getenv("MOODLE_JWT_ASSIGN_RANDOM_PASSWORD_PROPERTY_FIRST");
-                $envPropertySecond = getenv("MOODLE_JWT_ASSIGN_RANDOM_PASSWORD_PROPERTY_SECOND");
-
-                $firstChunk = $payload->sub;
-                $secondChunk = $payload->iss;
-
-                if ($envPropertyFirst != false) {
-                    if (property_exists($payload, $envPropertyFirst)) {
-                        $firstChunk = $payload->$envPropertyFirst;
-                    }
-                }
-
-                if ($envPropertySecond != false) {
-                    if (property_exists($payload, $envPropertySecond)) {
-                        $secondChunk = $payload->$envPropertySecond;
-                    }
-                }
-
-
-                $password = time() . $firstChunk . $secondChunk . $requirementSalt;
+                $password = $this->generateRandomPassword();
             }
 
             $user = create_user_record($username, $password, "jwt");