Configurable password policy #863

michaelbromley · 2021-05-05T08:39:10Z

Is your feature request related to a problem? Please describe.
When using native auth, there is no server-side check on the password. So extremely weak passwords like "1" would be accepted when registering a customer account. While the storefront application can enforce some stronger policy, we should also be able to enforce it at the server level too.

Describe the solution you'd like
A new config option:

authOptions: {
  passwordPolicy: (password: string) => boolean | string;
}

This allows a custom function to be defined which can enforce min length and any other character-related requirements desired. Returning true allows the registration to proceed. Returning false or a string will prevent the operation and return an ErrorResult with any message returned by the function (or a generic one).

The text was updated successfully, but these errors were encountered:

Closes #863. The default policy is intentionally permissive to reduce the risk of backward-compatibility breaks.

michaelbromley added @vendure/core type: security 🔐 post v1.0 labels May 5, 2021

michaelbromley mentioned this issue May 5, 2021

Security Points to consider #134

Closed

michaelbromley added a commit that referenced this issue Feb 16, 2022

feat(core): Add PasswordValidationStrategy to enable password policies

dc4bc2d

Closes #863. The default policy is intentionally permissive to reduce the risk of backward-compatibility breaks.

michaelbromley closed this as completed Feb 16, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Configurable password policy #863

Configurable password policy #863

michaelbromley commented May 5, 2021

Configurable password policy #863

Configurable password policy #863

Comments

michaelbromley commented May 5, 2021