
$wgPasswordPolicy should be able to alter the password form field
Open, Needs Triage · Public

Description

$wgPasswordPolicy should be able to alter the password field on the login form. Use cases:

  • add HTML validators, such as minimum length. We already do AJAX-based validation (except on mobile we don't, but that should probably be fixed - T211439), but this would be slightly faster, more native to the device and work without JS.
  • add complex validators with visual elements, such as a password strength meter (T32574) or password generator (T151011), which require a script to be loaded (and probably some CSS class on the target field).
  • add visual hints or help text about password requirements (e.g. a notice saying "at least 8 characters") (T211440)

Implementation-wise, $wgPasswordPolicy['forms']['check1'] could be an array that's merged into the form definition. Or maybe a callback.

See also T211525: $wgPasswordPolicy checks should be able to communicate details to client-side logic via the validatepassword API.
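
A sketch of the merge proposed above, covering both the array and the callback variant. It is an added example, not MediaWiki code or part of the original task: the `forms` map is the task's proposal, and `applyPolicyToPasswordField()`, the `HypotheticalStrengthMeter` check, the descriptor keys and the sample values are assumptions made for illustration.

```php
<?php
// Hypothetical sketch: neither the 'forms' key nor this function exists in MediaWiki.

/**
 * @param array $field  Descriptor of the password input (keys are illustrative)
 * @param array $policy Effective policy: check name => configured value (constructed)
 * @param array $forms  Proposed map: check name => array fragment or Closure
 * @return array Descriptor with the fragments of all active checks merged in
 */
function applyPolicyToPasswordField( array $field, array $policy, array $forms ): array {
	foreach ( $forms as $check => $fragment ) {
		// Ignore checks that are absent or switched off in the effective policy.
		if ( !isset( $policy[$check] ) || $policy[$check] === false ) {
			continue;
		}
		// Callback variant. Only closures count, so a static fragment such as
		// [ 'Foo', 'bar' ] is never mistaken for a [ class, method ] callable.
		if ( $fragment instanceof Closure ) {
			$fragment = $fragment( $policy[$check] );
		}
		if ( !is_array( $fragment ) ) {
			continue;
		}
		// CSS classes accumulate across checks; other keys are overwritten.
		if ( isset( $fragment['cssclass'], $field['cssclass'] ) ) {
			$fragment['cssclass'] = $field['cssclass'] . ' ' . $fragment['cssclass'];
		}
		$field = array_merge( $field, $fragment );
	}
	return $field;
}

// Constructed sample input.
$policy = [ 'MinimalPasswordLength' => 8 ];
$forms = [
	'MinimalPasswordLength' => static function ( int $min ): array {
		return [ 'minlength' => $min, 'help' => "at least $min characters" ];
	},
	// Static-array variant for a made-up check; not in $policy, so it is skipped.
	'HypotheticalStrengthMeter' => [ 'cssclass' => 'password-strength-meter' ],
];
$field = [ 'type' => 'password', 'cssclass' => 'loginPassword' ];

print_r( applyPolicyToPasswordField( $field, $policy, $forms ) );
```

The merged `minlength` is only a browser-side hint; the server-side policy check remains what accepts or rejects the password.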

Event Timeline

Tgr created this task. Dec 9 2018, 7:51 PM
Restricted Application added a subscriber: Aklapper. Dec 9 2018, 7:51 PM
Tgr updated the task description. Dec 9 2018, 10:33 PM

And password checking methods should probably be able to return extra data that's communicated to the client via the password validation API module, so something like a password strength meter can use server-side logic (important because password checking logic can involve huge wordlists which cannot be sent to the client).

Probably less confusing to have a separate task for that: T211525: $wgPasswordPolicy checks should be able to communicate details to client-side logic via the validatepassword API

Tgr updated the task description. Dec 9 2018, 10:48 PM