This issue was moved to a discussion.
Improve error messages when password doesn't meet policy requirements. #8661
Comments
One idea around this would be to add an element to the |
This was actually my concern over at #8526 (comment) 🙈
We might need to change the exception thrown here: directus/api/src/services/users.ts Lines 92 to 99 in 9696212
so that we can translate the message on the app 🤔
Interesting idea! |
@azrikahar Adding a new "PasswordPolicyValidationException" would make the most sense to me. As for the translated message, I agree we can't just show "Password should match Adding a custom message would be nice, but would still require you to explain the regex you entered again. Technically speaking, we have all the information we need in the regex itself:
I'm wondering if we could pull a regex101.com, and basically come up with a human readable description of the given regex 🤔 |
🧐 regex101.com does have a public API that could even be used to create a regex and then point the user to a URL that would include the This is where I thought a custom error message might come in handy... if you're the admin setting the password policy, you're going to want to communicate it to your users somehow, unless you're a BOFH in which case |
Yeah I wouldn't want to actually point to regex101, I meant that it would be nice if we could do a similar trick where we auto-generate a human readable explanation 🙂 |
@rijkvanzanten Yea that's what I had in mind as well. Might be the "MVP" approach in this case.
That's super interesting! But it is uncharted territory for me 😄 Maybe we can somehow do something with the AST we get after using regexp-tree? I've also stumbled upon this site: https://regexper.com/. The railroad diagram approach somewhat makes things clearer from a technical perspective, but I also understand that this is nowhere near understandable for non-technical end users. |
I keep questioning myself why websites require passwords to have special characters, uppercase, lowercase, and numbers. About the regex, maybe we could use named groups somehow: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions/Groups_and_Ranges#using_named_groups |
Might be interesting as well: https://github.com/VerbalExpressions/JSVerbalExpressions |
All good stuff! I'd like to add the recommendation from @TonyLovesDevOps — let's add a
The input should be full width, and below the other two fields. |
While a message like this is way better than |
Why doesn't this direction solve for that? The placeholder value is only because it's not dynamic... but the admin would change it to a specific that matches the Policy/RegEx. So if they make some crazy policy, they can say:
To me, this adds the most freedom and avoids us building/integrating/maintaining a complex regex decoder. |
True, should have read @TonyLovesDevOps proposal more carefully 🙈👍 |
One thing to keep in mind with the custom error message is i18n... 😬 |
True, but that will be a bigger task with the "string" approach... as we don't support it for the "Public Note" either. |
You could also just break down the components of password complexity into configurable options in the UI. Realistically that should serve 90% of users, and you have fixed parameters to return a message by. E.g:
That would also allow for a nicer error interface à la: |
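A sketch of the configurable-components approach, as an added example (not Directus code): each policy component that fails yields a fixed message key the app can translate, and a dedicated error type replaces the generic one. `PasswordPolicy`, `checkPassword` and `PasswordPolicyError` are hypothetical names.

```typescript
// Added example (not Directus code): a password policy as configurable components
// instead of one opaque regex; each unmet component maps to a fixed, translatable key.
interface PasswordPolicy {
  minLength?: number;
  requireLowercase?: boolean;
  requireUppercase?: boolean;
  requireNumber?: boolean;
  requireSpecial?: boolean;
}
// Fixed message keys with English fallbacks; an i18n layer can key on `key` alone.
const MESSAGES = {
  min_length: (n: number) => `Must be at least ${n} characters long`,
  lowercase: () => 'Must contain a lowercase letter',
  uppercase: () => 'Must contain an uppercase letter',
  number: () => 'Must contain a number',
  special: () => 'Must contain a special character',
};
type MessageKey = keyof typeof MESSAGES;
type PolicyFailure = { key: MessageKey; message: string };
// Returns every unmet requirement (not just the first) so the UI can list them all.
function checkPassword(password: string, policy: PasswordPolicy): PolicyFailure[] {
  const failures: PolicyFailure[] = [];
  if (policy.minLength !== undefined && password.length < policy.minLength) {
    failures.push({ key: 'min_length', message: MESSAGES.min_length(policy.minLength) });
  }
  const rules: Array<[boolean | undefined, RegExp, Exclude<MessageKey, 'min_length'>]> = [
    [policy.requireLowercase, /[a-z]/, 'lowercase'],
    [policy.requireUppercase, /[A-Z]/, 'uppercase'],
    [policy.requireNumber, /[0-9]/, 'number'],
    [policy.requireSpecial, /[^A-Za-z0-9]/, 'special'],
  ];
  for (const [enabled, pattern, key] of rules) {
    if (enabled && !pattern.test(password)) failures.push({ key, message: MESSAGES[key]() });
  }
  return failures;
}
// Dedicated error the API could throw instead of a generic "Unexpected Error"; it
// carries the structured failures so the client can render or translate them.
class PasswordPolicyError extends Error {
  constructor(public readonly failures: PolicyFailure[]) {
    super(failures.map((f) => f.message).join('; '));
    this.name = 'PasswordPolicyError';
  }
}
function assertPasswordPolicy(password: string, policy: PasswordPolicy): void {
  const failures = checkPassword(password, policy);
  if (failures.length > 0) throw new PasswordPolicyError(failures);
}
```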
@aidenfoxx @rijkvanzanten @paescuj do any of you have code brewing for this, or an idea of when you might spend time on it? Alternatively, I could take a stab at the |
@TonyLovesDevOps Not from my side... Would love to see a PR from your side 😃❤️🔥 |
Likewise, I don't have anything in works at the moment 👍🏻 |
Nothing from me. Go for it! 👍 😄 |
Cool, I opened a PR for this. I'd value reviews/input on the PR, especially if someone knows of a boilerplate unit test I can copy as a starting point for this - I didn't see any existing tests that set up an Here's what it looks like with a custom message when accepting an invite / changing a password: |
So #8946 appears to be in PR purgatory. Is there anything I can do to help get it merged? I'd happily support a better alternative implementation but we'll soon need to consider the regrettable decision to fork so that our users have a better experience when accepting an email invite, as almost no one meets our policy requirements on the first try. |
Preflight Checklist
Describe the Bug
Right now, when a user offers a password that doesn't meet the password complexity requirements, the error messages returned to the user could be more helpful.
For example, when accepting an invite, the user sees an "Unexpected Error":
And when resetting a password, they receive the much better but still not super clear "Value doesn't have the correct format":
To Reproduce
Scenario 1: Accept invite
Auth Password Policy other than None on the /admin/settings/project page;
Scenario 2: Reset password
Auth Password Policy other than None on the /admin/settings/project page;
Expected: User receives an error message stating that their password does not meet the password policy.
Actual: User receives "Unexpected Error" in scenario 1, and "Value doesn't have the correct format" in scenario 2.
In both cases, the directus logs contain messages showing "Provided password doesn't match password policy" -- can we return that to the user in both cases instead of the cryptic messages?
What version of Directus are you using?
v9.0.0-rc.96
What version of Node.js are you using?
v16.10.0 (from directus/directus:9.0.0-rc.96 docker image)
What database are you using?
MariaDB 10.3.23
What browser are you using?
Chrome 94.0.4606.71
What operating system are you using?
macOS
How are you deploying Directus?
Docker