This repository has been archived by the owner on Jul 12, 2023. It is now read-only.

Complexity requirements UI #579

Merged 3 commits on Sep 18, 2020

@whaught (Contributor) commented Sep 18, 2020

Fixes #573

Proposed Changes

  • JavaScript-enforces complexity requirements for password change
    • Template provides complexity reqs from server config

Release Note

Added UI for password complexity requirements

@google-cla bot added the "cla: yes" label (Auto: added by CLA bot when all committers have signed a CLA.) Sep 18, 2020
</small>
</p>
{{end}}

Contributor

double checking - the password never gets sent to our server, so JS validation is the last stop?

Contributor Author

that's correct. It's not my favorite thing.

Member

I think the password would go to us if we did server-side user creation though, right @whaught? The SDK just isn't ready for Go yet?

Contributor

The existing FB admin sdk supports user creation and password setting

Contributor Author

No it's that the Go SDK doesn't support Multi-Factor-Auth and associated management.

I know we can create a user with a password, idk about changing it with an ooB code - I'll check

Contributor Author

The trouble is the oobCode that gets sent in the email - we have no way to verify that (outside of firebase) because we don't send the email.

If we had an SMTP server we could send the email ourselves with a token we track and verify server-side (then we could embed the validation logic server side too). We'd then need to handle oobCode storage and expiry ourselves too.
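
Added example (not part of this pull request or the project's code): the server-side alternative described in the comment above, with a tracked reset token that expires and is single-use, and the complexity check repeated on the server so it does not depend on the browser script. `Requirements`, `ResetStore`, `Issue` and `Redeem` are hypothetical names; the in-memory map and storing only a hash of the token are assumptions of this example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"regexp"
	"time"
)

// Requirements is a hypothetical stand-in for the server's complexity config.
type Requirements struct{ Length, Upper, Lower, Number int }
var upper, lower, digit = regexp.MustCompile(`\p{Lu}`), regexp.MustCompile(`\p{Ll}`), regexp.MustCompile(`\p{Nd}`)

// Check applies server-side the same minimums the browser script enforces.
func (r Requirements) Check(pw string) bool {
	n := func(re *regexp.Regexp) int { return len(re.FindAllString(pw, -1)) }
	return len([]rune(pw)) >= r.Length && n(upper) >= r.Upper && n(lower) >= r.Lower && n(digit) >= r.Number
}

// ResetStore maps SHA-256(token) to expiry (assumption: in memory, one goroutine).
type ResetStore map[[32]byte]time.Time

// Issue returns a random token for the emailed link; only its hash is stored.
func (s ResetStore) Issue(now time.Time, ttl time.Duration) string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	tok := fmt.Sprintf("%x", b)
	s[sha256.Sum256([]byte(tok))] = now.Add(ttl)
	return tok
}

// Redeem reports whether pw may be set: policy first, then a one-time token check.
func (s ResetStore) Redeem(tok, pw string, now time.Time, r Requirements) bool {
	if !r.Check(pw) {
		return false // token is kept so the user can retry
	}
	h := sha256.Sum256([]byte(tok))
	exp, ok := s[h]
	delete(s, h) // single use, even when expired
	return ok && !now.After(exp)
}

func main() {
	s, now := ResetStore{}, time.Now()
	fmt.Println(s.Redeem(s.Issue(now, time.Hour), "Sup3rSecret", now, Requirements{8, 1, 1, 1}))
}
```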

@google-oss-robot

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mikehelmick, whaught

Needs approval from an approver in each of these files:
  • OWNERS [mikehelmick,whaught]


@google-oss-robot merged commit a18dedf into google:main Sep 18, 2020
@whaught deleted the complexity-req branch September 18, 2020 17:50
@google locked and limited conversation to collaborators Oct 6, 2020