Support new minimum password length parameter #1472
Conversation
| @@ -88,6 +88,7 @@ | |||
| }, | |||
| "dependencies": { | |||
| "auth0-js": "^9.7.3", | |||
| "auth0-password-policies": "auth0/auth0-password-policies#v1.0.1", | |||
There was a problem hiding this comment.
I'd trust more on password-sheriff than this repo. Sheriff already defines them here: https://github.com/auth0/password-sheriff/blob/4a17c9cba614ed8b75affc7c53ff0d4ba31a5b30/index.js. If this is not possible, then please copy that file and keep it here on this repo.
There was a problem hiding this comment.
our change password widget also uses this repo. This is fine
| const result = initClient(Immutable.fromJS({}), client).toJS(); | ||
| expect(result.client.connections.database[0].passwordPolicy).toMatchObject({ | ||
| length: { | ||
| minLength: 6 |
There was a problem hiding this comment.
Please add the same tests for the remaining policies.
There was a problem hiding this comment.
That would be just a test for an external resource, not sure that's needed.
There was a problem hiding this comment.
How can I trust that your code will behave the same when the policy used is other than low? Please add them.
| if (!policy) { | ||
| return true; | ||
| } | ||
| return new PasswordPolicy(policy.toJS()).check(password); |
There was a problem hiding this comment.
Shouldn't this be safer, e.g. checking that if policy == undefined then none policy is still applied? https://github.com/auth0/password-sheriff/blob/master/index.js#L57 Now it will work since none is just length > 0 but if that changes this code will need to be changed as well. Let's reference this to the none policy instead.
There was a problem hiding this comment.
policy is only undefined when it's a login, which we don't validate passwords.
| import util from 'util'; | ||
|
|
||
| export default class PasswordStrength extends React.Component { | ||
| render() { | ||
| const { password, policy, messages } = this.props; | ||
| const analysis = createPolicy(policy).missing(password); | ||
| const analysis = new PasswordPolicy(policy.toJS()).missing(password); |
There was a problem hiding this comment.
I think the same applies here
There was a problem hiding this comment.
this only runs on signup, so we're fine
No description provided.