increase password requirements

2026-04-07 16:02:45 +00:00 · 2024-12-12 17:25:32 -08:00
4 changed files with 37 additions and 2 deletions
--- a/backend/danswer/auth/users.py
+++ b/backend/danswer/auth/users.py
@@ -280,6 +280,35 @@ class UserManager(UUIDIDMixin, BaseUserManager[User, uuid.UUID]):

            return user

+    async def validate_password(self, password: str, _: schemas.UC | models.UP) -> None:
+        # Validate password according to basic security guidelines
+        if len(password) < 12:
+            raise exceptions.InvalidPasswordException(
+                reason="Password must be at least 12 characters long."
+            )
+        if len(password) > 64:
+            raise exceptions.InvalidPasswordException(
+                reason="Password must not exceed 64 characters."
+            )
+        if not any(char.isupper() for char in password):
+            raise exceptions.InvalidPasswordException(
+                reason="Password must contain at least one uppercase letter."
+            )
+        if not any(char.islower() for char in password):
+            raise exceptions.InvalidPasswordException(
+                reason="Password must contain at least one lowercase letter."
+            )
+        if not any(char.isdigit() for char in password):
+            raise exceptions.InvalidPasswordException(
+                reason="Password must contain at least one number."
+            )
+        if not any(char in "!@#$%^&*()_+-=[]{}|;:,.<>?" for char in password):
+            raise exceptions.InvalidPasswordException(
+                reason="Password must contain at least one special character (!@#$%^&*()_+-=[]{}|;:,.<>?)."
+            )
+
+        return
+
    async def oauth_callback(
        self,
        oauth_name: str,
--- a/backend/danswer/server/manage/get_state.py
+++ b/backend/danswer/server/manage/get_state.py
@@ -17,6 +17,7 @@ def healthcheck() -> StatusResponse:

@router.get("/auth/type")
 def get_auth_type() -> AuthTypeResponse:
+    print("AUTH_TYPE", AUTH_TYPE)
    return AuthTypeResponse(
        auth_type=AUTH_TYPE, requires_verification=user_needs_to_be_verified()
    )
--- a/web/src/app/auth/login/EmailPasswordForm.tsx
+++ b/web/src/app/auth/login/EmailPasswordForm.tsx
@@ -9,6 +9,7 @@ import * as Yup from "yup";
 import { requestEmailVerification } from "../lib";
 import { useState } from "react";
 import { Spinner } from "@/components/Spinner";
+import { set } from "lodash";

 export function EmailPasswordForm({
  isSignup = false,
@@ -47,10 +48,13 @@ export function EmailPasswordForm({
            );

            if (!response.ok) {
+              setIsWorking(false);
              const errorDetail = (await response.json()).detail;
-
              let errorMsg = "Unknown error";
-              if (errorDetail === "REGISTER_USER_ALREADY_EXISTS") {
+              console.log("errorDetail", errorDetail);
+              if (typeof errorDetail === "object") {
+                errorMsg = errorDetail.reason;
+              } else if (errorDetail === "REGISTER_USER_ALREADY_EXISTS") {
                errorMsg =
                  "An account already exists with the specified email.";
              }
--- a/web/src/app/auth/signup/page.tsx
+++ b/web/src/app/auth/signup/page.tsx
@@ -49,6 +49,7 @@ const Page = async (props: {
    }
    return redirect("/auth/waiting-on-verification");
  }
+  console.log("authTypeMetadata", authTypeMetadata);
  const cloud = authTypeMetadata?.authType === "cloud";

  // only enable this page if basic login is enabled