Improve error messages when password doesn't meet policy requirements. #12788
Replies: 26 comments 5 replies
-
One idea around this would be to add an element to the
-
This was actually my concern over at #8526 (comment) 🙈
We might need to change the exception thrown here: directus/api/src/services/users.ts Lines 92 to 99 in 9696212 so that we can translate the message on the app 🤔
Interesting idea!
-
@azrikahar Adding a new "PasswordPolicyValidationException" would make the most sense to me. As for the translated message, I agree we can't just show "Password should match Adding a custom message would be nice, but would still require you to explain the regex you entered again. Technically speaking, we have all the information we need in the regex itself:
I'm wondering if we could pull a regex101.com, and basically come up with a human readable description of the given regex 🤔
-
🧐 regex101.com does have a public API that could even be used to create a regex and then point the user to a URL that would include the This is where I thought a custom error message might come in handy... if you're the admin setting the password policy, you're going to want to communicate it to your users somehow, unless you're a BOFH in which case
-
Yeah I wouldn't want to actually point to regex101, I meant that it would be nice if we could do a similar trick where we auto-generate a human readable explanation 🙂
-
@rijkvanzanten Yea that's what I had in mind as well. Might be the "MVP" approach in this case.
That's super interesting! But it is uncharted territory for me 😄 Maybe we can somehow do something with the AST we get after using regexp-tree? I've also stumbled upon this site: https://regexper.com/. The railroad diagram approach somewhat makes things clearer from a technical perspective, but I also understand that this is nowhere near understandable for non-technical end users.
-
I keep questioning myself why do websites require to have special characters, uppercase, lowercase, numbers for passwords. About the regex, maybe we could use named groups somehow: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions/Groups_and_Ranges#using_named_groups
-
Might be interesting as well: https://github.com/VerbalExpressions/JSVerbalExpressions
-
All good stuff! I'd like to add the recommendation from @TonyLovesDevOps — let's add a
The input should be full width, and below the other two fields.
-
While a message like this is way better than
-
Why doesn't this direction solve for that? The placeholder value is only because it's not dynamic... but the admin would change it to a specific that matches the Policy/RegEx. So if they make some crazy policy, they can say:
To me, this adds the most freedom and avoids us building/integrating/maintaining a complex regex decoder.
-
True, should have read @TonyLovesDevOps proposal more carefully 🙈👍
-
One thing to keep in mind with the custom error message is i18n... 😬
-
True, but that will be a bigger task with the "string" approach... as we don't support it for the "Public Note" either.
-
You could also just break down the components of password complexity into configurable options in the UI. Realistically that should serve 90% of users, and you have fixed parameters to return a message by. E.g.:
That would also allow for a nicer error interface à la:
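An added example (not Directus code, and not from any participant in this thread) of the two ideas above: the policy is built from configurable options checked rule by rule, and every unmet rule is reported under an i18n key inside a dedicated exception type like the PasswordPolicyValidationException suggested earlier, so the app can render a translated list instead of "Value doesn't have the correct format". The type names, field names and message keys are assumptions.

```typescript
// Added example (not Directus code): a policy built from configurable options,
// checked rule by rule so every unmet requirement carries a translatable i18n key.
type PasswordPolicy = {
  minLength?: number;
  requireUppercase?: boolean;
  requireLowercase?: boolean;
  requireDigit?: boolean;
  requireSpecial?: boolean;
  regex?: RegExp;         // optional admin-supplied pattern (assumed field)
  regexMessage?: string;  // admin's own explanation of that pattern (assumed field)
};

type PolicyFailure = { code: string; params?: Record<string, number>; message?: string };

// Assumed error type in the spirit of the PasswordPolicyValidationException
// suggested above; the API would map it to a 400 whose body carries `failures`.
class PasswordPolicyValidationError extends Error {
  constructor(public readonly failures: PolicyFailure[]) {
    super("Provided password doesn't match password policy");
    this.name = 'PasswordPolicyValidationError';
  }
}

// Returns every unmet rule (empty array = password accepted).
function checkPasswordPolicy(password: string, policy: PasswordPolicy): PolicyFailure[] {
  const failures: PolicyFailure[] = [];
  if (policy.minLength !== undefined && password.length < policy.minLength) {
    failures.push({ code: 'password_policy.min_length', params: { min: policy.minLength } });
  }
  if (policy.requireUppercase && !/[A-Z]/.test(password)) failures.push({ code: 'password_policy.uppercase' });
  if (policy.requireLowercase && !/[a-z]/.test(password)) failures.push({ code: 'password_policy.lowercase' });
  if (policy.requireDigit && !/[0-9]/.test(password)) failures.push({ code: 'password_policy.digit' });
  if (policy.requireSpecial && !/[^A-Za-z0-9]/.test(password)) failures.push({ code: 'password_policy.special' });
  // Free-form regex stays available for exotic policies (no `g` flag: a global RegExp keeps lastIndex between .test() calls).
  if (policy.regex && !policy.regex.test(password)) {
    failures.push({ code: 'password_policy.custom', message: policy.regexMessage });
  }
  return failures;
}

function assertPasswordPolicy(password: string, policy: PasswordPolicy): void {
  const failures = checkPasswordPolicy(password, policy);
  if (failures.length > 0) throw new PasswordPolicyValidationError(failures);
}

// Constructed sample policy; not a real Directus setting.
const samplePolicy: PasswordPolicy = {
  minLength: 12, requireUppercase: true, requireLowercase: true, requireDigit: true, requireSpecial: true,
};
```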
-
@aidenfoxx @rijkvanzanten @paescuj do any of you have code brewing for this, or an idea of when you might spend time on it? Alternatively, I could take a stab at the
-
@TonyLovesDevOps Not from my side... Would love to see a PR from your side 😃❤️🔥
-
Likewise, I don't have anything in works at the moment 👍🏻
-
Nothing from me. Go for it! 👍 😄
-
Cool, I opened a PR for this. I'd value reviews/input on the PR, especially if someone knows of a boilerplate unit test I can copy as a starting point for this - I didn't see any existing tests that set up an Here's what it looks like with a custom message when accepting an invite / changing a password:
-
So #8946 appears to be in PR purgatory. Is there anything I can do to help get it merged? I'd happily support a better alternative implementation but we'll soon need to consider the regrettable decision to fork so that our users have a better experience when accepting an email invite, as almost no one meets our policy requirements on the first try.
-
Heya! Thank you for taking the time to submit this request! It has been over 90 days, and this discussion has not received at least 15 votes from the community. This means that we don't feel like there's enough community interest to warrant further R&D into this topic at this time. 🧊 This request will now be closed to keep our discussions tidy. Please reach out if you have any questions! For more information, see our Feature Request Process.
-
For everybody stuck with the ambiguous error message (e.g. on Directus Cloud without options to fix it) I posted a CSS-only hack here
-
This all is an absolutely valid complaint (just as the wrong payload message on double password creation -> discussion), and should be fixed since it seems reasonably simple to do so! I too stumbled quite fast across this problem in our evaluation of Directus. And for sure, if you want to market this as a headless CMS, those kinds of things have got to be in order, since not everybody wants to program an API interface just to be able to add users....
-
Preflight Checklist
Describe the Bug
Right now, when a user offers a password that doesn't meet the password complexity requirements, the error messages returned to the user could be more helpful.
For example, when accepting an invite, the user sees an "Unexpected Error":
And when resetting a password, they receive the much better but still not super clear "Value doesn't have the correct format":
To Reproduce
Scenario 1: Accept invite
Auth Password Policy other than None on the /admin/settings/project page;
Scenario 2: Reset password
Auth Password Policy other than None on the /admin/settings/project page;
Expected: User receives an error message stating that their password does not meet the password policy.
Actual: User receives "Unexpected Error" in scenario 1, and "Value doesn't have the correct format" in scenario 2.
In both cases, the directus logs contain messages showing "Provided password doesn't match password policy" -- can we return that to the user in both cases instead of the cryptic messages?
What version of Directus are you using?
v9.0.0-rc.96
What version of Node.js are you using?
v16.10.0 (from directus/directus:9.0.0-rc.96 docker image)
What database are you using?
MariaDB 10.3.23
What browser are you using?
Chrome 94.0.4606.71
What operating system are you using?
macOS
How are you deploying Directus?
Docker