Avoid simple passwords (e.g. email as password) #1439
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…oncial variants on registration
pscheit
commented
Mar 15, 2024
| @@ -99,7 +99,7 @@ public function reset(Request $request, UserPasswordHasherInterface $passwordHas | |||
| } | |||
|
|
|||
| // The token is valid; allow the user to change their password. | |||
| $form = $this->createForm(ResetPasswordFormType::class, null, ['user' => $user]); | |||
| $form = $this->createForm(ResetPasswordFormType::class, $user); | |||
There was a problem hiding this comment.
I was a bit torn here, to keep the option. But in the end the ResetPasswordForm only has two non-mapped properties and so this allowed to reuse the Validator as is and not just add another case
| @@ -55,6 +56,7 @@ public function configureOptions(OptionsResolver $resolver): void | |||
| { | |||
| $resolver->setDefaults([ | |||
| 'data_class' => User::class, | |||
| 'constraints' => [new NotProhibitedPassword()], | |||
There was a problem hiding this comment.
alternative would be to add this as an attribute to the UserClass, but I liked that it's now on the same file where we add the Password constraint (cause can't add it to the Password Compound class)
Comment on lines
+65
to
+68
| #[TestWith(['max.example'])] | ||
| #[TestWith(['[email protected]'])] | ||
| #[TestWith(['[email protected]'])] | ||
| public function testRegisterWithTooSimplePasswords(string $password): void |
There was a problem hiding this comment.
I died writing a unit test for the validator. So just blew up the cases in the functional test
pscheit
commented
Mar 15, 2024
|
Thanks |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
PR changes that you can't use your email address or your username as a password anymore.
We are aware that it's hard in general to get people to use really good passwords, but at least this crosses out the really dumb mistakes.