0
Fork 0
mirror of https://github.com/logto-io/logto.git synced 2024-12-16 20:26:19 -05:00

chore: password policy release prep (#4488)

This commit is contained in:
Gao Sun 2023-09-14 10:32:46 +08:00 committed by GitHub
parent 4ed649dc20
commit e8b0b1d020
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 103 additions and 0 deletions

View file

@ -0,0 +1,47 @@
---
"@logto/schemas": minor
"@logto/console": minor
"@logto/core": minor
"@logto/phrases": minor
"@logto/phrases-ui": minor
"@logto/core-kit": minor
"@logto/ui": minor
---
feature: password policy
### Summary
This feature enables custom password policy for users. Now it is possible to guard with the following rules when a user is creating a new password:
- Minimum length (default: `8`)
- Minimum character types (default: `1`)
- If the password has been pwned (default: `true`)
- If the password is exactly the same as or made up of the restricted phrases:
- Repetitive or sequential characters (default: `true`)
- User information (default: `true`)
- Custom words (default: `[]`)
If you are an existing Logto Cloud user or upgrading from a previous version, to ensure a smooth experience, we'll keep the original policy as much as possible:
> The original password policy requires a minimum length of 8 and at least 2 character types (letters, numbers, and symbols).
Note in the new policy implementation, it is not possible to combine lower and upper case letters into one character type. So the original password policy will be translated into the following:
- Minimum length: `8`
- Minimum character types: `2`
- Pwned: `false`
- Repetitive or sequential characters: `false`
- User information: `false`
- Custom words: `[]`
If you want to change the policy, you can do it:
- Logto Console -> Sign-in experience -> Password policy.
- Update `passwordPolicy` property in the sign-in experience via Management API.
### Side effects
- All new users will be affected by the new policy immediately.
- Existing users will not be affected by the new policy until they change their password.
- We removed password restrictions when adding or updating a user via Management API.

View file

@ -148,6 +148,7 @@ jobs:
working-directory: ./fresh working-directory: ./fresh
run: pnpm cli db alt deploy next run: pnpm cli db alt deploy next
env: env:
ALTERATION_TEST: true
DB_URL: postgres://postgres:postgres@localhost:5432/alteration DB_URL: postgres://postgres:postgres@localhost:5432/alteration
- name: Compare databases - name: Compare databases
@ -168,6 +169,7 @@ jobs:
working-directory: ./fresh working-directory: ./fresh
run: pnpm cli db alt r v$(echo ${{ steps.version.outputs.current }} | cut -d@ -f3) run: pnpm cli db alt r v$(echo ${{ steps.version.outputs.current }} | cut -d@ -f3)
env: env:
ALTERATION_TEST: true
DB_URL: postgres://postgres:postgres@localhost:5432/fresh DB_URL: postgres://postgres:postgres@localhost:5432/fresh
- name: Compare manifests - name: Compare manifests

View file

@ -0,0 +1,54 @@
import { yes } from '@silverhand/essentials';
import { sql } from 'slonik';
import type { AlterationScript } from '../lib/types/alteration.js';
// In the alteration testing environment, we do not want to run this alteration
// script since it alters the existing data which does not match the new policy.
const isAlterationTesting = yes(process.env.ALTERATION_TEST);
/**
* Note: The legacy password policy does not separate upper and lower cases into
* different character types. It is not possible to migrate this behavior.
*/
const legacyPasswordPolicy = {
length: { min: 8 },
characterTypes: { min: 2 },
rejects: {
pwned: false,
repetitionAndSequence: false,
userInfo: false,
words: [],
},
};
const alteration: AlterationScript = {
up: async (pool) => {
if (isAlterationTesting) {
console.warn(
'Skipping alteration script next-1694509714-keep-existing-password-policy in alteration testing environment.'
);
return;
}
await pool.query(sql`
update sign_in_experiences
set password_policy = ${sql.jsonb(legacyPasswordPolicy)};
`);
},
down: async (pool) => {
if (isAlterationTesting) {
console.warn(
'Skipping alteration script next-1694509714-keep-existing-password-policy in alteration testing environment.'
);
return;
}
await pool.query(sql`
update sign_in_experiences
set password_policy = '{}'::jsonb;
`);
},
};
export default alteration;