
$wgPasswordPolicy should be able to alter the password form field
Open, Needs Triage, Public

Description

[[https://www.mediawiki.org/wiki/Manual:$wgPasswordPolicy|$wgPasswordPolicy]] should be able to alter the password field on the login form. Use cases:

  • add HTML validators, such as minimum length. We already do AJAX-based validation (except on mobile we don't, but that should probably be fixed - T211439), but this would be slightly faster, more native to the device and work without JS.
  • add complex validators with visual elements, such as a password strength meter (T32574) or password generator (T151011), which require a script to be loaded (and probably some CSS class on the target field).
  • add visual hints or help text about password requirements (e.g. a notice saying "at least 8 characters") (T211440)

Implementation-wise, $wgPasswordPolicy['forms']['check1'] could be an array that's merged into the form definition. Or maybe a callback.

See also T211525: $wgPasswordPolicy checks should be able to communicate details to client-side logic via the validatepassword API.
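
A sketch of the callback variant proposed in the description above, added here as an example; it is not MediaWiki code and not the task author's. The `forms` key, `applyPolicyToField()`, `renderPasswordField()` and the `password-help` class are hypothetical, and the policy value is constructed.

```php
<?php
// Added illustration, not MediaWiki code. The 'forms' key is the task's proposal
// and is hypothetical; the policy value is constructed.
$wgPasswordPolicy = [
	'policies' => [ 'default' => [ 'MinimalPasswordLength' => 8 ] ],
	'forms' => [
		// Callback variant: receives the policy value, returns a field fragment.
		'MinimalPasswordLength' => static function ( int $min ): array {
			return [
				'attributes' => [ 'minlength' => $min, 'required' => true ],
				'help' => "at least $min characters",
			];
		},
	],
];

// Merge each applicable check's fragment (array or callback) into the field definition.
function applyPolicyToField( array $field, array $config, string $group = 'default' ): array {
	foreach ( $config['policies'][$group] ?? [] as $check => $value ) {
		$fragment = $config['forms'][$check] ?? null;
		if ( $fragment instanceof Closure ) {
			$fragment = $fragment( $value );
		}
		if ( is_array( $fragment ) ) {
			$field = array_replace_recursive( $field, $fragment );
		}
	}
	return $field;
}

// Render the input; attribute names come from trusted config, values are escaped.
function renderPasswordField( array $field ): string {
	$html = '<input';
	foreach ( $field['attributes'] as $name => $value ) {
		if ( $value === false ) {
			continue;
		}
		$html .= ' ' . $name;
		if ( $value !== true ) {
			$html .= '="' . htmlspecialchars( (string)$value, ENT_QUOTES ) . '"';
		}
	}
	$help = htmlspecialchars( $field['help'] ?? '', ENT_QUOTES );
	return $html . '>' . ( $help !== '' ? "<p class=\"password-help\">$help</p>" : '' );
}

$base = [ 'attributes' => [ 'type' => 'password', 'name' => 'wpPassword' ] ];
echo renderPasswordField( applyPolicyToField( $base, $wgPasswordPolicy ) ), "\n";
```

The `minlength` attribute only gives early feedback in the browser; the server-side policy check still decides whether the password is accepted.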

Event Timeline

And password checking methods should probably be able to return extra data that's communicated to the client via the password validation API module, so something like a password strength meter can use server-side logic (important because password checking logic can involve huge wordlists which cannot be sent to the client).

Probably less confusing to have a separate task for that: T211525: $wgPasswordPolicy checks should be able to communicate details to client-side logic via the validatepassword API