Now that we have a check client-side, nothing prevents us from a smart guy to
bypass it and force an invalid password.
This patch adds two new subroutines to Koha::AuthUtils to check the
validity of passwords and generate a password server-side. It is used
only once (self-registration) but could be useful later.
Moreover the 3 different cases of password rejection (too leak, too
short, contains leading or trailing whitespaces) were not tested
everywhere. Now they are!
This patch makes things consistent everywhere and clean up some code.
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
The move avoids a problem where many modules would gain
a dependency on C4::Auth just because C4::Members needs access
to hash_password().
This patch also adds a couple unit tests for the new password
hashing code.
To test:
[1] Verify that there are no regressions on the test plan for bug
9611.
[2] Verify that t/AuthUtils.t and t/db_dependent/Auth.t pass.
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
