Allow configuration of additional password validations #3732
Conversation
There was a problem hiding this comment.
Hope you don't mind @rrelmy but I noticed a couple of little things...
But it's a really nice implementation though! Can definitely see it coming in useful 😄
| | | ||
| */ | ||
|
|
||
| 'password_validation' => [], |
There was a problem hiding this comment.
I wonder if it might be worth adding in the default password validation rules here so the user knows what they are extending upon?
There was a problem hiding this comment.
I didn't want to do that because removing them could be catastrophically.
But I am open to suggestions :-)
Also the confirmed is not always needed
And adding something like min:6 what would make sense IMHO but could be a breaking change
There was a problem hiding this comment.
I didn't want to do that because removing them could be catastrophically.
What do you mean, as in, stuff would fail?
There was a problem hiding this comment.
I did not test if but removing confirmed could lead to user input errors and unknown passwords.
Removing required could lead to empty password being accepted I suppose
There was a problem hiding this comment.
Hmm, that's a good shout. I guess that's probably something for the Core Team to decide on...
| @@ -75,7 +75,7 @@ protected function rules() | |||
| return [ | |||
| 'token' => 'required', | |||
| 'email' => 'required|email', | |||
| 'password' => 'required|confirmed|min:8', | |||
| 'password' => array_merge(['required', 'confirmed'], config('statamic.users.password_validation', [])), | |||
There was a problem hiding this comment.
If you go down the route of adding the default password rules in the config, it means you'll no longer need the array_merge here anymore (or in the other places you're doing it).
You'll probably also want to fallback to the default rules, in case the user doesn't add the option to their config file.
'password' => config('statamic.users.password_validation', ['required', 'confirmed']),There was a problem hiding this comment.
Same as in the first comment, as confirmed is not be needed everywhere (see MakeUser command) I see little benefit in it.
IMHO it is safer and cleaner to have the hardcoded rules and adding additional rules.
I would rather drop support for PHP < 7.4 and be able to use 😂
['required', 'confirmed', ...config('statamic.users.password_validation')]There was a problem hiding this comment.
Yeah, I see where you're coming from... maybe it can just stay how it is 😎
There was a problem hiding this comment.
Laravel recently introduced default password rules.
https://laravel.com/docs/8.x/validation#defining-default-password-rules
I think it might be a good idea to leverage that.
Since it's only on Laravel 8, I think that's fine, and we can just fall back to the existing required|confirmed|min:8 if using <8.
|
I have to look into how such an implementation would look like. |
|
Here's an example where we check if Laravel is 7+. |
|
@jasonvarga With a fallback you mean something like: public static function getPasswordRules() {
if (version_compare(app()->version(), 8, '<') ) {
// fallback to the minimum on laravel < 8
return 'min:8';
}
return Password::defaults();
}
// ...
'password' => ['required', Something::getPasswordRules()],pseudocode, not test And on Laravel 8+ one can use the existing rules |
|
That's right. If you are using an older Laravel version, you are stuck with whatever password rules we have been using up until now. |
An update version of statamic#3732 utilising the suggestions from @jasonvarga Props to @rrelmy for much of the code / work on this one. - Opens up support for utilising Laravel's Password::defaults() function - Checks for the minimum framework version (8.43.0) - Behaviour is exactly the same for users on older versions - Behaviour is exactly the same for users who do not utilise this feature
|
Closing because of #3823 |
This is a basic implementation of custom validation rules for user passwords discussed in statamic/ideas#422
We need this to satisfy a government customer requiring more strict password rules
I replaced all occurrences of
required|confirmedon password validations, please check if all three are ok.It allows to add any validation to the optional config parameter
I did my best writing a description matching the pattern, feel free to give feedback on naming.
Edit: I additionally added the password validation to the MakeUser command, before the password was not validated at all. An empty password could be entered (did not work to login!)