Skip to content

feat: enforce configurable minimum password length when strict#452

Closed
VaibhavAcharya wants to merge 1 commit into
vaibhavacharya/identity-security-opt-infrom
vaibhavacharya/ex-1871-identity-no-password-complexity-requirements-gotrue-brk-chng
Closed

feat: enforce configurable minimum password length when strict#452
VaibhavAcharya wants to merge 1 commit into
vaibhavacharya/identity-security-opt-infrom
vaibhavacharya/ex-1871-identity-no-password-complexity-requirements-gotrue-brk-chng

Conversation

@VaibhavAcharya

Copy link
Copy Markdown
Contributor

- Summary

Part of splitting the Identity security hardening work into reviewable pieces. Stacked on the opt-in flag wiring (#451); depends on its Security.Strict flag.

GoTrue enforces no minimum password length, so an instance accepts trivially short passwords. This adds a minimum-length check gated on Security.Strict: with the flag off, behavior is unchanged. The minimum is Security.MinPasswordLength, defaulting to 8 when strict is on and the value is unset. Length is counted in runes, not bytes, so a handful of multi-byte glyphs can't satisfy a policy meant to enforce real length, and the existing 72-byte bcrypt cap still takes precedence.

- Test plan

  • go build ./... and go vet ./... pass.
  • go test -run 'TestValidatePassword|TestSecurityConfigurationDefaults' ./api/... ./conf/... passes.
  • Signup and instance suite tests need MySQL (hack/mysqld.sh); run go test ./api/... against it.

- Description for the changelog

Enforce a configurable minimum password length on Identity instances that opt in to strict security.

Link EX-1871

@VaibhavAcharya VaibhavAcharya requested a review from a team as a code owner June 1, 2026 09:35
@coderabbitai

coderabbitai Bot commented Jun 1, 2026

Copy link
Copy Markdown

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 579d6182-c2b2-406f-bb6a-e0cfd70ad300

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch vaibhavacharya/ex-1871-identity-no-password-complexity-requirements-gotrue-brk-chng

Comment @coderabbitai help to get the list of available commands and usage tips.

@VaibhavAcharya VaibhavAcharya force-pushed the vaibhavacharya/ex-1871-identity-no-password-complexity-requirements-gotrue-brk-chng branch from 18330fe to 8fcf71e Compare June 1, 2026 10:03
@VaibhavAcharya VaibhavAcharya force-pushed the vaibhavacharya/identity-security-opt-in branch from c20c091 to d16a894 Compare June 1, 2026 10:14
@VaibhavAcharya VaibhavAcharya force-pushed the vaibhavacharya/ex-1871-identity-no-password-complexity-requirements-gotrue-brk-chng branch from 8fcf71e to aea5274 Compare June 1, 2026 10:14
@VaibhavAcharya VaibhavAcharya deleted the vaibhavacharya/ex-1871-identity-no-password-complexity-requirements-gotrue-brk-chng branch June 2, 2026 08:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant