Skip to content

THREESCALE-8916: Make strong passwords mandatory #3

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
jlledom wants to merge 31 commits into
base: THREESCALE-12174-remove-pass-migration
Choose a base branch
from
Draft

THREESCALE-8916: Make strong passwords mandatory #3

jlledom wants to merge 31 commits into from

Conversation

@jlledom
Copy link
Owner

@jlledom jlledom commented Jan 9, 2026

What this PR does / why we need it:

Currently, a provider can enforce strong password for the developer portal, and weak passwords are accepted by default. About admin portal, there's no option to enable strong passwords, weak passwords are always accepted.

I think both situations make no sense. I don't think it's acceptable to allow users decide whether they enforce strong passwords or not, as long as strong passwords are possible, that should be the default. And same thing about admin portal.

In this PR, I remove any option to accept weak passwords in both admin or developer portals. Existing passwords will continue to work, but new passwords will be enforced to be strong. Also, I increased the minimal number of characters to 16.

This affects multiple screens, but also API endpoints, this is the complete list:

  • All scenarios with a password
    • Admin portal
      • UI
        • User invitation signup form
        • Personal details
        • Edit user
        • Forgot password
      • API
        • POST /master/api/providers.xml
        • POST /admin/api/users.xml
        • PUT /admin/api/users/{id}.xml
    • Developer portal
      • UI
        • New buyer signup form
        • Existing buyer user invitation signup form
        • Personal details
        • Edit user
        • Forgot password
      • API
        • POST /admin/api/signup.xml
        • POST /admin/api/accounts/{id}/users.xml
        • PUT /admin/api/accounts/{id}/users/{id}.xml

Besides, while doing this, I found a few UI errors that I told Claude to fix. This are the affected screens:

  • Admin portal
    • User invitation signup form
      • JS validation:
        • Before: min 6 characters
        • Now: Same restrictions as in backend
      • Error messages formatting
        • "\n" was literally printed instead of a new line.
    • Personal Details
      • Password input in clear text
    • Edit user
      • Password inputs visible for users without password (e.g. OAuth)
    • Create new buyer
      • Password input in clear text
    • Forgot password
      • Pass JS Validation: Sames as above

Another thing I noticed is strong passwords, even when enabled, were not being enforced for users not created by a human. For instance, the default admin user created when a buyer is created was always accepting weak passwords no matter the setting. I also fixed this.

Which issue(s) this PR fixes

https://issues.redhat.com/browse/THREESCALE-8916

Verification steps

You can go through any (ideally all) screens above an try to set a weak password. Also tests should pass.

@jlledom jlledom self-assigned this Jan 9, 2026
@jlledom jlledom force-pushed the THREESCALE-8916-admin-strong-paswords branch from 8c93fc8 to da18ea7 Compare January 9, 2026 14:04
@jlledom jlledom changed the title Threescale 8916 admin strong paswords Threescale 8916: Make strong passwords mandatory Jan 9, 2026
@jlledom jlledom changed the title Threescale 8916: Make strong passwords mandatory THREESCALE-8916: Make strong passwords mandatory Jan 9, 2026
@jlledom jlledom mentioned this pull request Jan 9, 2026
Open
@jlledom jlledom force-pushed the THREESCALE-8916-admin-strong-paswords branch 2 times, most recently from 33fe198 to 25f4a95 Compare January 13, 2026 09:43
@jlledom jlledom force-pushed the THREESCALE-12174-remove-pass-migration branch from 0581d50 to 084bfd5 Compare February 2, 2026 10:14
mayorova and others added 2 commits February 2, 2026 12:33
@mayorova
Merge pull request 3scale#4211 from 3scale/remove-unused-npm-deps
8cdd422 
THREESCALE-12239: Remove unused npm packages
@josemigallas
Merge pull request 3scale#4203 from 3scale/THREESCALE-12200_clean_up_…
ea47df1 
…helpers_0

🧹 Clean up helpers part 0
@jlledom jlledom force-pushed the THREESCALE-12174-remove-pass-migration branch from 525653e to b6fde4e Compare February 2, 2026 12:48
@jlledom
Merge pull request 3scale#4194 from jlledom/THREESCALE-12174-remove-p…
6950238 
…ass-migration

THREESCALE-12174: Remove old password migration
@jlledom jlledom force-pushed the THREESCALE-8916-admin-strong-paswords branch 3 times, most recently from 101f7d4 to 7c97a77 Compare February 5, 2026 17:09
@jlledom
Remove strong passwords setting
732d05c
@jlledom
Add strong passwords setting to settings.yml
f1ddee2
@jlledom
Make strong passwords mandatory
0eb58cc
@jlledom
Fix UI problems in admin portal:
3eb95d5 
- Validate strong passwords in React forms
- Some forms treat the password field as clear text.
- Make password fields required only when they are actually required.
- `Current password` field visible and required only when it should.
- Password can be set for all users, no matter how did they signup.
- SSO Users: don't see the toast to change password.
  It can be changed from the same form
  This fixes https://issues.redhat.com/browse/THREESCALE-11548
- When enforce SSO is enabled, passwords can still be set or changed.
@jlledom jlledom force-pushed the THREESCALE-8916-admin-strong-paswords branch 2 times, most recently from f864657 to 891e8cb Compare February 6, 2026 12:39
jlledom and others added 4 commits February 6, 2026 13:51
@jlledom @claude
New signup_type: `:sample_data
c87be43 
This is to exclude John Doe from strong passwords validation

Co-Authored-By: Claude <noreply@anthropic.com>
@jlledom
Partners, allow password field to be empty
fbd2a20
@jlledom
Make provider user update accept password from API
ff3f13b
@jlledom @claude
Fix tests
35acc2b 
Co-Authored-By: Claude <noreply@anthropic.com>
@jlledom jlledom force-pushed the THREESCALE-8916-admin-strong-paswords branch from 891e8cb to 35acc2b Compare February 6, 2026 13:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@jlledom jlledom

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@jlledom @josemigallas @mayorova