core: Add optional password entropy checks

Cargo.toml

@@ -58,6 +58,7 @@ thiserror = "1.0.24"
 time = "0.3.7"
 trycmd = "0.15"
 url = "2.2.2"
+zxcvbn = "3.1.0"
 
 [package]
 name = "magic-wormhole"
@@ -100,6 +101,7 @@ thiserror = { workspace = true }
 futures = { workspace = true }
 url = { workspace = true, features = ["serde"] }
 percent-encoding = { workspace = true }
+zxcvbn = { workspace = true, optional = true }
 
 # Transit dependencies
 
@@ -143,6 +145,8 @@ eyre = { workspace = true }
 
 [features]
 
+# Check the entropy of custom codes. Will fail for any weak passwords.
+entropy = ["zxcvbn"]
 transfer = ["transit", "dep:tar", "dep:rmp-serde"]
 transit = [
     "dep:noise-rust-crypto",

cli/Cargo.toml

@@ -28,7 +28,7 @@ async-std = { workspace = true, features = ["attributes", "unstable"] }
 rand = { workspace = true }
 
 # CLI specific dependencies
-magic-wormhole = { path = "..", version = "0.7", features = ["all"] }
+magic-wormhole = { path = "..", version = "0.7", features = ["all", "entropy"] }
 clap = { workspace = true, features = ["cargo", "derive", "help"] }
 clap_complete = { workspace = true }
 env_logger = { workspace = true }
@@ -39,7 +39,9 @@ color-eyre = { workspace = true }
 number_prefix = { workspace = true }
 ctrlc = { workspace = true }
 qr2term = { workspace = true }
-arboard = { workspace = true, features = ["wayland-data-control"] } # Wayland by default, fallback to X11.
+arboard = { workspace = true, features = [
+    "wayland-data-control",
+] } # Wayland by default, fallback to X11.
 
 [dev-dependencies]
 trycmd = { workspace = true }

cli/src/main.rs

@@ -603,13 +603,26 @@ async fn parse_and_connect(
     }
 
     // TODO: Apply this change to all usages after an API break
-    // Check if an interactive terminal is connected
-    let code: Option<magic_wormhole::Code> = if std::io::stdin().is_terminal() {
-        // We accept a little breakage in non-interactive use, because this is a security issue
-        code.map(|c| c.parse()).transpose()?
-    } else {
-        // We run as a script. Only output an error
-        code.map(|c| c.into())
+    // https://github.com/magic-wormhole/magic-wormhole.rs/issues/193
+    // We accept a little breakage in non-interactive use, because this is a security issue
+    // Split the nameplate parsing from the code parsing to ensure we allow non-integer nameplates
+    // until the next breaking release
+    let res: Option<Result<magic_wormhole::Code, _>> = code.as_ref().map(|c| c.parse());
+    let code: Option<magic_wormhole::Code> = {
+        match res {
+            Some(Ok(code)) => Some(code),
+            // Check if an interactive terminal is connected
+            Some(Err(err)) if std::io::stdin().is_terminal() => {
+                // Only fail for the case where the password is < 4 characters.
+                // Anything else will just print an error for now.
+                return Err(err.into());
+            },
+            Some(Err(_)) => {
+                // The library crate already emits an error log for this.
+                code.map(|c| c.into())
+            },
+            None => None,
+        }
     };
 
     /* We need to track that information for when we generate a QR code */