Setting password validator pattern

I’m using the Parse Dashboard 1.2.0 and the Ruby API for a Rails app.

I’ve set the PARSE_SERVER_PASSWORD_POLICY_VALIDATOR_PATTERN env variable on the config page to “/^(?=.*?[A-Z])(?=.*?[a-z])(?=.*?[0-9])(?=.*?[#?!@$ %^&*-]).{8,}$/”. My impression is that this will force validation of passwords, ensuring a length of 8, one each of lower- and uppercase, digits, and “special” characters.

At the Rails model validation level, I’ve tried using:

  # Anchor with \A and \z rather than ^ and $: in Ruby, ^ and $ match at line
  # boundaries, and Rails refuses them in a format validator unless
  # multiline: true is passed.
  validates :password, format: { with: /\A(?=.*?[A-Z])(?=.*?[a-z])(?=.*?[0-9])(?=.*?[#?!@$ %^&*-]).{8,}\z/, message: "Invalid password." }

I am, however, able to turn off JavaScript while setting a password, enter a password like “junkpass” with no apparent warnings, and later be able to log in with it.

Am I missing a step? How do I ensure that ill-formed passwords do not pass validation, and notify the user of this fact?
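As an added example (not code from the original thread, from Parse Server, or from Rails), the following plain-Ruby module applies the same requirements on the server side, where a user who has disabled browser JavaScript cannot skip it. The `PasswordPolicy` name and its methods are hypothetical; the sample passwords are constructed. It also shows why the anchors matter: the `^`/`$` form from the question is satisfied by one strong line inside a multi-line value, while the `\A`/`\z` form is not.

```ruby
# Added example (not from the original thread, Parse Server or Rails).
# Hypothetical PasswordPolicy module: server-side enforcement of the
# question's password rules (8+ characters, an uppercase letter, a lowercase
# letter, a digit and a "special" character).
module PasswordPolicy
  # Same requirements as the question's regex, anchored with \A and \z so the
  # whole value must comply. In Ruby, ^ and $ match at line boundaries, which
  # is why Rails refuses them in a format validator unless multiline: true is
  # given explicitly.
  PATTERN = /\A(?=.*?[A-Z])(?=.*?[a-z])(?=.*?[0-9])(?=.*?[#?!@$ %^&*-]).{8,}\z/

  # The line-anchored form from the question, kept only for comparison.
  LINE_ANCHORED = /^(?=.*?[A-Z])(?=.*?[a-z])(?=.*?[0-9])(?=.*?[#?!@$ %^&*-]).{8,}$/

  SPECIALS = "#?!@$ %^&*-"

  # Returns an array of human-readable problems; an empty array means the
  # password passes. Listing each unmet requirement gives the user a clear
  # message without revealing anything about how passwords are stored.
  def self.problems(password)
    password = password.to_s
    problems = []
    problems << "must be at least 8 characters long" if password.length < 8
    problems << "must contain an uppercase letter" unless password.match?(/[A-Z]/)
    problems << "must contain a lowercase letter" unless password.match?(/[a-z]/)
    problems << "must contain a digit" unless password.match?(/[0-9]/)
    problems << "must contain one of #{SPECIALS}" unless password.match?(/[#?!@$ %^&*-]/)
    problems << "must not contain line breaks" if password.match?(/[\r\n]/)
    problems
  end

  def self.valid?(password)
    problems(password).empty?
  end

  # True when the anchored pattern accepts the value; equivalent to valid?
  # for single-line input, shown separately to compare the two anchor styles.
  def self.matches_pattern?(password)
    PATTERN.match?(password.to_s)
  end

  def self.matches_line_anchored?(password)
    LINE_ANCHORED.match?(password.to_s)
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: the weak password from the question, a
  # compliant one, and a multi-line value whose second line alone is strong.
  ["junkpass", "Secure#Pass1", "junkpass\nAb1!aaaa"].each do |pw|
    puts "#{pw.inspect}: problems=#{PasswordPolicy.problems(pw).inspect} " \
         "anchored=#{PasswordPolicy.matches_pattern?(pw)} " \
         "line_anchored=#{PasswordPolicy.matches_line_anchored?(pw)}"
  end
end
```

In a Rails model this would be wired in with a custom validation method (for example `validate :password_meets_policy`, a hypothetical name) that adds each entry of `PasswordPolicy.problems(password)` to `errors[:password]`, so the message reaches the user from the server response rather than from client-side script.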

Could you please try with “^(?=.*?[A-Z])(?=.*?[a-z])(?=.*?[0-9])(?=.*?[#?!@$ %^&*-]).{8,}$”? Also, maybe first try with a simpler regex (e.g. "^.{8,}").

Hi, thanks for the feedback! I tried both patterns and I was able to create a User with the password “foo” with each. I think, regardless of what the regex is, if a pattern doesn’t meet it, it should be rejected. But to confirm, adding the regex as a value for the PARSE_SERVER_PASSWORD_POLICY_VALIDATOR_PATTERN should be sufficient, under normal circumstances, to enforce such password requirements, yes? If so, I think we may have set up our installation in a very non-standard way, one that is breaking those expectations.

Yes. It should be sufficient, but I am afraid the env var is not working as expected. Would you mind trying it out by passing the option directly to the Parse Server initialization?