-
Notifications
You must be signed in to change notification settings - Fork 555
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support new minimum password length parameter #1472
Conversation
@@ -88,6 +88,7 @@ | |||
}, | |||
"dependencies": { | |||
"auth0-js": "^9.7.3", | |||
"auth0-password-policies": "auth0/auth0-password-policies#v1.0.1", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd trust more on password-sheriff than this repo. Sheriff already defines them here: https://github.com/auth0/password-sheriff/blob/4a17c9cba614ed8b75affc7c53ff0d4ba31a5b30/index.js. If this is not possible, then please copy that file and keep it here on this repo.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
our change password widget also uses this repo. This is fine
const result = initClient(Immutable.fromJS({}), client).toJS(); | ||
expect(result.client.connections.database[0].passwordPolicy).toMatchObject({ | ||
length: { | ||
minLength: 6 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please add the same tests for the remaining policies.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That would be just a test for an external resource, not sure that's needed.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How can I trust that your code will behave the same when the policy used is other than low
? Please add them.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
pushed
if (!policy) { | ||
return true; | ||
} | ||
return new PasswordPolicy(policy.toJS()).check(password); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Shouldn't this be safer, e.g. checking that if policy == undefined
then none
policy is still applied? https://github.com/auth0/password-sheriff/blob/master/index.js#L57 Now it will work since none
is just length > 0
but if that changes this code will need to be changed as well. Let's reference this to the none
policy instead.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
policy is only undefined when it's a login, which we don't validate passwords.
import util from 'util'; | ||
|
||
export default class PasswordStrength extends React.Component { | ||
render() { | ||
const { password, policy, messages } = this.props; | ||
const analysis = createPolicy(policy).missing(password); | ||
const analysis = new PasswordPolicy(policy.toJS()).missing(password); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think the same applies here
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this only runs on signup, so we're fine
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks!
No description provided.