
zxcvbn-api's Introduction

Web API built with Node and Express. It wraps Dropbox's zxcvbn library just in case you need to verify a password's strength on both the client and server with a guarantee of the same result from both.

Environmental config

Node.js must be installed.

Optionally, Docker and/or cURL

Initial app config

npm install

Testing

npm test

Starting app

For normal people

npm start

npm run start:dev for automatic node restart when code changes.

For studs

npm run docker:start

Available APIs

POST is required for security reasons. Think of the call as a request to create a strength estimation. The API assumes it is called over SSL.

POST /zxcvbn

Request body

{
    "password": "horsebatterystaple"
}

Returns

zxcvbn result described here

POST /zxcvbn/score

Request body

{
    "password": "horsebatterystaple"
}

Returns

{
    "score": [0-4]
}

Testing

curl -H "Content-Type: application/json" -X POST -d '{"password":"asdfghgfd"}' http://localhost:3000/zxcvbn/score

Stopping app

Ctrl-c if started with npm start or npm run start:dev

npm run docker:stop if started with npm run docker:start

Additional resources

Docker image

Why a strength estimator?

Looking for a PHP client?

zxcvbn-api's People

Contributors

longrunningprocess


zxcvbn-api's Issues

Enhancements

If the intent is to really turn this into a backing service, should probably add the following.

  • Add CORS support (cross origin)
  • Size limit for body parser (5kb should be way more than enough), will prevent some flooding/injection attacks
  • Add error handler to return JSON, good for all API interfaces to return errors in the common format used by the API itself. Errors should return an object, with a single error property, with at least a code (corresponding to the HTTP status code) and a message, containing error text, and optionally other error properties.
{ // single object response, with single property of "error"
  error: {
    code: 400 //invalid input, or 5xx for other errors
    ,message: error.message // original or custom error message
    ,...error // other properties from error, message is part of inheritance and doesn't serialize
  }
}

Possible value-adds:

  • Wrap zxcvbn request processing into a pool limited to PROCESSOR_COUNT instances, so that you can avert some flooding scenarios.
  • Add xdomain proxy.html so that xdomain can be used with old IE in order to use the service.
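
The body size limit and JSON error format suggested in the issue above, as an added example that is not code from the zxcvbn-api project or from the issue's author. It uses only Node built-ins rather than Express so it runs stand-alone; `ApiError`, `collectBody`, `parsePasswordRequest`, `toErrorEnvelope`, `handleScore` and the injected `estimate` scorer are hypothetical names, and the generic message for unexpected errors is an assumption added here.

```javascript
// Added example: Node built-ins only (no Express). All names are hypothetical.
const MAX_BODY_BYTES = 5 * 1024; // the 5kb limit suggested in the issue

class ApiError extends Error {
  constructor(code, message, extra = {}) {
    super(message);
    Object.assign(this, extra, { code }); // code = HTTP status to return
  }
}

// Reject as soon as the byte count passes the limit, so an oversized body is never fully buffered.
function collectBody(chunks, limit = MAX_BODY_BYTES) {
  const parts = [];
  let total = 0;
  for (const chunk of chunks) {
    const buf = Buffer.from(chunk);
    total += buf.length; // bytes, not characters
    if (total > limit) throw new ApiError(413, 'request body too large', { limit });
    parts.push(buf);
  }
  return Buffer.concat(parts).toString('utf8');
}

function parsePasswordRequest(raw) {
  let body;
  try { body = JSON.parse(raw); } catch (e) { throw new ApiError(400, 'body is not valid JSON'); }
  if (body === null || typeof body !== 'object' || typeof body.password !== 'string') {
    throw new ApiError(400, 'body must be {"password": "<string>"}');
  }
  return body.password;
}

// Envelope from the issue: one "error" property with code, message and other enumerable properties.
// Assumption added here: unexpected errors get a generic message so internals are not echoed back.
function toErrorEnvelope(err) {
  if (!(err instanceof ApiError)) return { error: { code: 500, message: 'internal error' } };
  return { error: { ...err, code: err.code, message: err.message } };
}

// estimate is injected: a stand-in for the zxcvbn call that returns a 0-4 score.
function handleScore(chunks, estimate) {
  try {
    const password = parsePasswordRequest(collectBody(chunks));
    return { status: 200, body: { score: estimate(password) } };
  } catch (err) {
    const envelope = toErrorEnvelope(err);
    return { status: envelope.error.code, body: envelope };
  }
}
```

With Express itself, the built-in JSON body parser takes a `limit` option (`express.json({ limit: '5kb' })`) that does the same job as `collectBody`.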
