# HG changeset patch
# User Matthew Wild <mwild1@gmail.com>
# Date 1640181805 0
# Node ID caf7e88dc9e576fdba530b1ab52963fdd581b97c
# Parent  56eba4bca28f17402279f331b1147f2344c34e14
mod_password_policy: Add check that password doesn't contain username

diff -r 56eba4bca28f -r caf7e88dc9e5 mod_password_policy/mod_password_policy.lua
--- a/mod_password_policy/mod_password_policy.lua	Wed Dec 22 14:01:53 2021 +0000
+++ b/mod_password_policy/mod_password_policy.lua	Wed Dec 22 14:03:25 2021 +0000
@@ -13,13 +13,23 @@
 
 options = options or {};
 options.length = options.length or 8;
+if options.exclude_username == nil then
+	options.exclude_username = true;
+end
 
 local st = require "util.stanza";
 
-function check_password(password)
+function check_password(password, additional_info)
 	if #password < options.length then
 		return nil, ("Password is too short (minimum %d characters)"):format(options.length), "length";
 	end
+
+	if additional_info then
+		local username = additional_info.username;
+		if username and password:lower():find(username:lower(), 1, true) then
+			return nil, "Password must not include your username", "username";
+		end
+	end
 	return true;
 end
 
@@ -46,9 +56,13 @@
 
 		table.insert(passwords, query:get_child_text("password"));
 
+		local additional_info = {
+			username = origin.username;
+		};
+
 		for _,password in ipairs(passwords) do
 			if password then
-				local pw_ok, pw_err, pw_failed_policy = check_password(password);
+				local pw_ok, pw_err, pw_failed_policy = check_password(password, additional_info);
 				if not pw_ok then
 					module:log("debug", "Password failed check against '%s' policy", pw_failed_policy);
 					origin.send(st.error_reply(stanza, "cancel", "not-acceptable", pw_err));