[8.x] Adds password rule

[nunomaduro]

This pull request adds a new custom rule object to the framework that allows to replace existing password rules like so:

    public function store(Request $request)
    {
        $request->validate([
            'name' => 'required|string|max:255',
            'email' => 'required|string|email|max:255|unique:users',
        //  'password' => 'required|string|confirmed|min:8',
            'password' => ['required', 'confirmed', Password::min(8)],
        ]);

In addition, this new custom rule object contains built-in methods that you may use to ensure strong passwords:

        $request->validate([

            // Makes the password require at least one uppercase and one lowercase letter.
            'password' =>  ['required', 'confirmed', Password::min(8)->mixedCase()],

             // Makes the password require at least one letter.
            'password' =>  ['required', 'confirmed', Password::min(8)->letters()],

            // Makes the password require at least one number.
            'password' =>  ['required', 'confirmed', Password::min(8)->numbers()],

            // Makes the password require at least one symbol.
            'password' =>  ['required', 'confirmed', Password::min(8)->symbols()],

            // Ensures the password has not been compromised in data leaks.
            'password' =>  ['required', 'confirmed', Password::min(8)->uncompromised()],
        ]);

Of course, you can always use them all combined like so:

    public function store(Request $request)
    {
        $request->validate([
            'name' => 'required|string|max:255',
            'email' => 'required|string|email|max:255|unique:users',
            'password' => ['required', 'confirmed', Password::min(8)
                    ->mixedCase()
                    ->letters()
                    ->numbers()
                    ->symbols()
                    ->uncompromised(),
            ],
        ]);

Here is an example of the output:

[gocanto]

It would also be convenient if we could do something like:

$food->ensureNotCompromisedUsing(function () => {})

then, we could use custom verifiers for it.

[nunomaduro]

@gocanto You can already provide your own implementation here:

framework/src/Illuminate/Validation/ValidationServiceProvider.php

Line 65 in a1fc2aa

$this->app->singleton('validation.not_compromised', function ($app) {

.

[chris-ware]

Some interesting reading that may want to be considered as possible additions to the mechanics presented here: https://pages.nist.gov/800-63-3/sp800-63b.html#sec5

These suggestions are being utilised in the following package: https://github.com/langleyfoxall/laravel-nist-password-rules, which doesn't fully have Laravel 8 support, but some elements of this PR render elements of the package obsolete.

[taylorotwell]

@nunomaduro what about localization of these error messages? Should we be wrapping them in __()? Should keys be used that exist in the validation language file?

[JosephSilber]

Besides ensureNotCompromised, what's password-specific about this?

Wouldn't it make more sense to just have a general way of chaining rules like that?

[lk77]

Hello,

i think you could add a rule to ensure that any character is not repeated more than X times,
in a lot of banking apps you can only have the same letter/number twice

[taylorotwell]

Removed required and confirmed requirements...

Adjusted API slightly:

Password::min(8)->letters()->numbers()->uncompromised();

[JosephSilber]

BTW, this thread wouldn't feel complete without the obligatory XKCD comic:

[nunomaduro]

1. @taylorotwell Wondering if we should add "required" and "confirmed" methods so people can add password rule like so? Personally, I prefer not mixing string rules with object rules.

        $request->validate([
            'name' => 'required|string|max:255',
            'email' => 'required|string|email|max:255|unique:users',
        //  'password' => ['required', 'confirmed', Password::min(8)->mixedCase()->uncompromised()],
            'password' =>  Password::min(8)->required()->confirmed()->mixedCase()->uncompromised(),

---

2. Also, any thoughts on the fact that we already have a "password" string rule? May this be somehow confusing? https://github.com/laravel/docs/blob/8.x/validation.md#password. Alternatively, we could equally use the "static factory pattern" here an have the same object creating two different rules:

        $request->validate([
            // Creates a normal password rule:
            'password' =>  Password::min(8)->required()->confirmed()->mixedCase()->uncompromised(),

            // Creates an authenticated guard password rule:
            'password' =>  Password::guard('api'),

[claudiodekker]

Looks good to me apart from a few minor things 👍

[lloricode]

Hi @nunomaduro @taylorotwell

since the uncompromised uses external API,
is the a way to mock this when in unit testing?

[maciek-szn]

I would really like to know how to localize/create custom error messages for this. There is no info in the docs and I can't find any hint in the code.

[mateusjunges]

@diverpl You can use the resources/lang/<your-locale>.json file to translate the messages.

For example, if your locale is pt-br, than create a new resources/lang/pt-br.json file in your project, and add these content to that file:

{
    "The :attribute must contain at least one letter.": "O campo :attribute deve conter pelo menos uma letra",
    "The :attribute must contain at least one number.": "O campo :attribute deve conter pelo menos um número.",
    "The :attribute must contain at least one symbol.": "O campo :attribute deve conter pelo menos um símbolo.",
    "The :attribute must contain at least one uppercase and one lowercase letter.": "O campo :attribute deve conter pelo menos uma letra maiúscula e uma minúscula.",
    "The given :attribute has appeared in a data leak. Please choose a different :attribute.": "O :attribute informado apareceu em um vazamento de dados. Por favor escolha uma :attribute diferente."
}

Note: I added the pt-br translations. You can do it with any locale you want to use.

[stefnats]

@lloricode

Hi @nunomaduro @taylorotwell

since the uncompromised uses external API,
is the a way to mock this when in unit testing?

Take a look at the file ValidationNotPwnedVerifierTest.php - it should show you how to mock it for tests.

[lloricode]

@lloricode

Hi @nunomaduro @taylorotwell
since the uncompromised uses external API,
is the a way to mock this when in unit testing?

Take a look at the file ValidationNotPwnedVerifierTest.php - it should show you how to mock it for tests.

thanks will check now

[JosephSilber]

Oh, and this thread wouldn't feel complete without this either:

passwords.mp4

[bebetoalves]

I would really like to know how to localize/create custom error messages for this. There is no info in the docs and I can't find any hint in the code.

Waiting for this too :)

[ghost]

Hello, excuse my ignorance, but how do I customize the validation messages, that is, I want to pass them to Spanish, I know how to do it normally, but with this function I have not been able to do it, eye I do not want to touch the Password.php file. Thanks.

[ordago]

@alex-gil-1981 you have to add the translation strings in the json file as mateusjunges explained here:

@diverpl You can use the resources/lang/<your-locale>.json file to translate the messages.

For example, if your locale is pt-br, than create a new resources/lang/pt-br.json file in your project, and add these content to that file:

{
    "The :attribute must contain at least one letter.": "O campo :attribute deve conter pelo menos uma letra",
    "The :attribute must contain at least one number.": "O campo :attribute deve conter pelo menos um número.",
    "The :attribute must contain at least one symbol.": "O campo :attribute deve conter pelo menos um símbolo.",
    "The :attribute must contain at least one uppercase and one lowercase letter.": "O campo :attribute deve conter pelo menos uma letra maiúscula e uma minúscula.",
    "The given :attribute has appeared in a data leak. Please choose a different :attribute.": "O :attribute informado apareceu em um vazamento de dados. Por favor escolha uma :attribute diferente."
}

Note: I added the pt-br translations. You can do it with any locale you want to use.

[Jxckaroo]

Hey, awesome feature! 😄

One question though... what is the use case for the threshold? As surely if a password appears once, it is compromised and increasing the threshold would be promoting bad practice?

[retosteffen]

This is awesome!
My two cents:
I'm using" use Illuminate\Support\Facades\Password;" to send reset links over an api and the fact that both are called "Password" isn't ideal in my opinion.
I know I can " use.... as ..."

But awesome feature!

[ghost]

@ordago Excellent thank you very much!

[lorimay21]

@diverpl You can use the resources/lang/<your-locale>.json file to translate the messages.

For example, if your locale is pt-br, than create a new resources/lang/pt-br.json file in your project, and add these content to that file:

{
    "The :attribute must contain at least one letter.": "O campo :attribute deve conter pelo menos uma letra",
    "The :attribute must contain at least one number.": "O campo :attribute deve conter pelo menos um número.",
    "The :attribute must contain at least one symbol.": "O campo :attribute deve conter pelo menos um símbolo.",
    "The :attribute must contain at least one uppercase and one lowercase letter.": "O campo :attribute deve conter pelo menos uma letra maiúscula e uma minúscula.",
    "The given :attribute has appeared in a data leak. Please choose a different :attribute.": "O :attribute informado apareceu em um vazamento de dados. Por favor escolha uma :attribute diferente."
}

Note: I added the pt-br translations. You can do it with any locale you want to use.

@mateusjunges Thank you very much!!! This comment was very helpful~

[lorimay21]

I think it would be great to add an additional validation Password::max().
Some systems require passwords to be like 6-100 characters only.

But still, thanks a lot for this new feature!!

[andrey-helldar]

@lorimay21, just use the laravel-lang/publisher package.

[kicker10BOG]

Is there a way to just require any 3 of the 4?

[georgefromohio]

Is there a way to just require any 3 of the 4?

Sending another vote for this, with the following suggestion of a magic method

Password::withAny(); // OR
Password::applyAny();

e.g.

'password' =>  ['required', 'confirmed', Password::withAny()->min(8)->mixedCase()->letters()],
'password' =>  ['required', 'confirmed', Password::withAnyTwo()->min(8)->mixedCase()->letters()->numbers()],
'password' =>  ['required', 'confirmed', Password::withAnyThree()->min(8)->mixedCase()->letters()->symbols()],

[Nimash68]

Hi there,
Is there a way to get a response as a string? I mean for example when we use the Password::min(8), we get it like 'min:8'?

[ivqonsanada]

is there a way to change the uncompromised message?

        Password::defaults(function () {
            return Password::min(8)
                           ->uncompromised();
        });

        $rules = [
            'password' => ['required', Password::defaults()],
        ];

        $messages = [
            'password.uncompromised' => 'test 123',
        ];

        $request->validate($rules, $messages);

i tried that, but seems doesnt work

[begueradj]

Customizing the error messages of the built-in methods does not work the classic way.
The documentation does not cover this either.