
[Validator] Document PasswordStrength constraint #18124


Merged
merged 1 commit into from
Mar 31, 2023

Conversation

Spomky
Contributor

@Spomky Spomky commented Mar 25, 2023

These modifications are proposed as per symfony/symfony#49789 => symfony/symfony#49856

@Spomky Spomky requested a review from xabbuh as a code owner March 25, 2023 22:01
@Spomky Spomky changed the base branch from 6.2 to 6.3 March 25, 2023 22:01
@OskarStark OskarStark added the Waiting Code Merge Docs for features pending to be merged label Mar 26, 2023
@carsonbot carsonbot added this to the next milestone Mar 26, 2023
@OskarStark OskarStark changed the title [Validator] Pages for the PasswordStrength constraint [Validator] Document PasswordStrength constraint Mar 26, 2023

@MrYamous MrYamous left a comment


I think minScore option could be listed too in Available Options section

fabpot added a commit to symfony/symfony that referenced this pull request Mar 26, 2023
This PR was squashed before being merged into the 6.3 branch.

Discussion
----------

[Validator] New `PasswordStrength` constraint

| Q             | A
| ------------- | ---
| Branch?       | 6.3
| Bug fix?      | no
| New feature?  | yes
| Deprecations? | no
| Tickets       | none
| License       | MIT
| Doc PR        | symfony/symfony-docs#18124

This PR adds a new constraint `PasswordStrength`. This constraint is able to determine if the password strength (or any other string) fulfils the threshold.
It leverages [`bjeavons/zxcvbn-php`](https://github.com/bjeavons/zxcvbn-php), which is required when this constraint is used.

Example:

```php
<?php

declare(strict_types=1);

namespace App\Form;

use Symfony\Component\Form\AbstractType;
use Symfony\Component\Form\Extension\Core\Type\PasswordType;
use Symfony\Component\Form\Extension\Core\Type\RepeatedType;
use Symfony\Component\Form\FormBuilderInterface;
use Symfony\Component\OptionsResolver\OptionsResolver;
use Symfony\Component\Validator\Constraints\NotBlank;
use Symfony\Component\Validator\Constraints\PasswordStrength;

final class ChangePasswordFormType extends AbstractType
{
    public function buildForm(FormBuilderInterface $builder, array $options): void
    {
        $restrictedData = $options['restrictedData'] ?? [];

        $builder
            ->add('plainPassword', RepeatedType::class, [
                'type' => PasswordType::class,
                'options' => [
                    'attr' => [
                        'autocomplete' => 'new-password',
                    ],
                ],
                'first_options' => [
                    'constraints' => [
                        new NotBlank(),
                        new PasswordStrength(['restrictedData' => $restrictedData])
                    ],
                    'label' => 'New password',
                ],
                'second_options' => [
                    'label' => 'Repeat the new password',
                ],
                'mapped' => false,
            ])
        ;
    }

    public function configureOptions(OptionsResolver $resolver): void
    {
        $resolver->setDefaults([
            'restrictedData' => [],
        ])
            ->setAllowedTypes('restrictedData', 'string[]')
        ;
    }
}
```

Then from e.g. a controller

```php
$form = $this->createForm(ChangePasswordFormType::class, null, [
    'restrictedData' => [
        $user->getUsername(),
        $user->getEmail(),
        $user->getGivenName(),
        $user->getFamilyName(),
        'ApplicationName', // Arbitrary data
    ],
]);
```

It can be added as a property attribute:

```php
<?php

declare(strict_types=1);

namespace App\Form;

use Symfony\Component\Validator\Constraints\NotBlank;
use Symfony\Component\Validator\Constraints\PasswordStrength;

final class ChangePasswordFormData
{
    #[NotBlank]
    #[PasswordStrength]
    public string $password = '';
}
```

Options:
* `lowStrengthMessage`: the message in case of a weak password (default: `The password strength is too low. Please use a stronger password.`)
* `minScore`: 0 means a weak password, 4 means a very good password (default: `2`)
* `restrictedData`: a list of restricted data e.g. user information such as ID, username, email, given name, last name or application information (default: `[]`)
* `restrictedDataMessage`: the message in case of restricted data in the password (default: `The password contains at least one restricted data: {{ wordList }}.`)

Commits
-------

1d93f5c [Validator] New `PasswordStrength` constraint
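As an added example (not code from this PR or from Symfony's own documentation), the constraint can also be applied outside a form with the standalone Validator component. It assumes `symfony/validator` 6.3 or later is installed via Composer, uses only the `minScore` option from the list above together with the constraint's default message, and the candidate passwords are constructed sample values.

```php
<?php
// Added example: validate a plain string against PasswordStrength with the
// standalone Validator, without a Form. Assumes symfony/validator >= 6.3
// installed through Composer (the autoloader path below is an assumption).
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\Validator\Constraints\NotBlank;
use Symfony\Component\Validator\Constraints\PasswordStrength;
use Symfony\Component\Validator\Validation;

/**
 * Returns the violation messages for $password, or an empty array when it
 * satisfies the policy. $minScore follows the constraint's 0 (weak) .. 4
 * (very good) scale; the constraint's own default is 2.
 *
 * @return string[]
 */
function passwordPolicyViolations(string $password, int $minScore = 2): array
{
    $validator = Validation::createValidator();

    // NotBlank first: an empty string should be reported as empty, not merely
    // as "too weak", so the user gets the more precise message.
    $violations = $validator->validate($password, [
        new NotBlank(),
        new PasswordStrength(['minScore' => $minScore]),
    ]);

    $messages = [];
    foreach ($violations as $violation) {
        $messages[] = (string) $violation->getMessage();
    }

    return $messages;
}

// Constructed sample candidates. Which of them pass depends on the estimator
// shipped with the installed Symfony version, so the script reports the
// outcome instead of hard-coding expectations.
foreach (['', 'password', 'Tr0ub4dor&3', 'correct horse battery staple 2023!'] as $candidate) {
    $errors = passwordPolicyViolations($candidate, 3);
    printf("%-40s %s\n", "'" . $candidate . "'", $errors ? implode('; ', $errors) : 'OK');
}
```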
@OskarStark OskarStark added Waiting Code Merge Docs for features pending to be merged and removed Waiting Code Merge Docs for features pending to be merged labels Mar 27, 2023
@OskarStark

Reverted by @chalasr in symfony/symfony#49831

@Spomky Spomky marked this pull request as draft March 27, 2023 17:36
@Spomky Spomky force-pushed the fetures/password-strength branch 2 times, most recently from 0e27613 to f703400 Compare March 30, 2023 13:36
@Spomky Spomky force-pushed the fetures/password-strength branch from f703400 to ec51dd2 Compare March 30, 2023 13:38
@Spomky Spomky marked this pull request as ready for review March 30, 2023 13:38
@carsonbot carsonbot modified the milestones: next, 6.3 Mar 30, 2023
fabpot added a commit to symfony/symfony that referenced this pull request Mar 31, 2023
… builtin solution (Spomky)

This PR was merged into the 6.3 branch.

Discussion
----------

[Validator] Remove `bjeavons/zxcvbn-php` in favor of a builtin solution

| Q             | A
| ------------- | ---
| Branch?       | 6.3
| Bug fix?      | yes
| New feature?  | yes
| Deprecations? | no
| Tickets       | Fix #49831
| License       | MIT
| Doc PR        | symfony/symfony-docs#18124 will be updated

As per the discussion in #49831, this PR aims at removing `bjeavons/zxcvbn-php` in favor of a builtin solution.
The password strength estimator is a PHP implementation of [deanilvincent/check-password-strength](https://github.com/deanilvincent/check-password-strength/blob/master/index.js), but can be changed at will.

Commits
-------

6b2bf22 Remove bjeavons/zxcvbn-php in favor of a builtin solution
@OskarStark OskarStark removed the Waiting Code Merge Docs for features pending to be merged label Mar 31, 2023
@OskarStark

Thank you Florent.

@OskarStark OskarStark merged commit 8497373 into symfony:6.3 Mar 31, 2023
@Spomky Spomky deleted the fetures/password-strength branch March 31, 2023 20:03
javiereguiluz added a commit that referenced this pull request Mar 4, 2025
…eference (stof)

This PR was merged into the 6.4 branch.

Discussion
----------

Remove non-existent password_strength setting from the reference

This was added in #18124 when documenting the new constraint, but the implementation does not have a configuration setting for that in the FrameworkBundle configuration.

I spotted this when I saw it in the reference without the usual info about the type of values and wanted to fix it.

Commits
-------

a87223b Remove non-existent password_strength setting from the reference