
New Password Policy

Administrator requested to merge david-sandy-password-policy into main

Created by: david-sandy

This implements a new "password policy" under experimental features and is made available to the front-end via the JSContext (window.context.experimentalFeatures.passwordPolicy).

If the feature is disabled it follows the current method of password validation (only 12 characters).

  "experimentalFeatures": {
    "passwordPolicy": {
      "enabled": true,
      "minimumLength": 12,
      "numberOfSpecialCharacters": 1,
      "requireAtLeastOneNumber": true,
      "requireUpperandLowerCase": true
    }
  },

This is tied into the users.go/Checkpassword. This will only force users to follow the new password policy from either signup or account settings > update password. Thus this is a non-breaking change. It is self-contained in its own library (security > security.go).

Test plan

Testing changes locally:

Validate password matches password policy entries and that if disabled/enabled, proper flow is followed.

App preview:
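
The check described above, as an added example that is not the code from this merge request: a Go validator that applies the `passwordPolicy` keys and falls back to the 12-character rule when the feature is disabled. The `PasswordPolicy` type and `Violations` function are hypothetical names; counting length in characters rather than bytes, and treating Unicode punctuation and symbols as "special", are assumptions.

```go
package main

import (
	"fmt"
	"unicode"
	"unicode/utf8"
)

// PasswordPolicy mirrors the experimentalFeatures.passwordPolicy keys (hypothetical type).
type PasswordPolicy struct {
	Enabled, RequireAtLeastOneNumber, RequireUpperandLowerCase bool
	MinimumLength, NumberOfSpecialCharacters                   int
}

// Violations lists every policy key the password fails; empty means accepted.
func Violations(p PasswordPolicy, pw string) []string {
	if !p.Enabled { // feature off: only the existing 12-character rule applies
		p = PasswordPolicy{MinimumLength: 12}
	}
	var digits, upper, lower, special int
	for _, r := range pw {
		switch {
		case unicode.IsDigit(r):
			digits++
		case unicode.IsUpper(r):
			upper++
		case unicode.IsLower(r):
			lower++
		case unicode.IsPunct(r) || unicode.IsSymbol(r): // assumption: what counts as "special"
			special++
		}
	}
	v := []string{}
	fail := func(bad bool, rule string) {
		if bad {
			v = append(v, rule)
		}
	}
	fail(utf8.RuneCountInString(pw) < p.MinimumLength, "minimumLength") // assumption: runes, not bytes
	fail(special < p.NumberOfSpecialCharacters, "numberOfSpecialCharacters")
	fail(p.RequireAtLeastOneNumber && digits == 0, "requireAtLeastOneNumber")
	fail(p.RequireUpperandLowerCase && (upper == 0 || lower == 0), "requireUpperandLowerCase")
	return v
}

func main() {
	p := PasswordPolicy{Enabled: true, MinimumLength: 12, NumberOfSpecialCharacters: 1, RequireAtLeastOneNumber: true, RequireUpperandLowerCase: true}
	fmt.Println(Violations(p, "correcthorsebattery")) // constructed sample password
}
```

Returning the failed keys rather than a single boolean lets the signup and update-password forms tell the user which requirement was missed.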
