fix(auth): drop special-char password rule + honest set/reset errors (HUGO-147)#17
Merged
Merged
Conversation
…(HUGO-147) Why: a strong alphanumeric-only password (e.g. zMN8iBS9Lkzib5J) was rejected because the policy required a special character, and every set/reset failure — including a password-policy violation — surfaced the misleading "Something went wrong. The link may have expired." This left users unable to tell why they couldn't proceed or how to fix it. Decision (2026-06-18): length is the primary strength criterion; min 8 chars is the only enforced rule. Character classes are encouraged, not required. Users must see requirements live and always get an honest reason for a failure. - API: password policy is length-only (password.service.ts); PASSWORD_POLICY hint reworded; unit tests updated incl. regression on alphanumeric password. - API: expose a small allowlist of non-sensitive error codes in production (password-policy / token codes) so the UI can map them; everything else stays generic. Login + reset-request remain fully generic (no enumeration leak). - Auth: live PasswordRequirements checklist on set/reset; client-side policy mirror (password-policy.ts); failure() maps codes to specific localized messages (tooShort / linkInvalid / generic) instead of the link-expired catch-all. en/es translations added. - Docs: brief Password Rules updated + new Password UX & Error Transparency. Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why
HUGO-147: a strong alphanumeric-only password (
zMN8iBS9Lkzib5J) was rejected because the policy required a special character, whileQwerta123!passed. On top of that, every set/reset failure — including a password-policy violation — showed the misleading "Something went wrong. The link may have expired." Users couldn't tell why they were blocked or how to fix it.Decision (2026-06-18)
Changes
API
password.service.ts— policy is length-only; alphanumeric passwords accepted.PASSWORD_POLICY_VIOLATIONhint reworded.error-response.ts— small allowlist of non-sensitive error codes exposed in production (PASSWORD_POLICY_VIOLATION,MISSING_PASSWORD, token codes) so the UI can map them; everything else stays fully generic. Login (AUTHENTICATION_FAILED) and the reset-request flow remain generic → no email-enumeration leak.password.service.test.ts— updated, incl. regression thatzMN8iBS9Lkzib5Jpasses.Auth
PasswordRequirements.tsx(new) +password-policy.ts(new) — live requirements checklist mirroring the API policy.SetPasswordForm.tsx—failure()maps the API error code to a specific localized message (tooShort/linkInvalid/ generic) instead of the link-expired catch-all; client-side policy check before submit.api.ts—ApiFailure.code+extractCode().en.ts/es.ts— new keys; misleading message reworded.Docs
brief.md— Password Rules updated + new "Password UX & Error Transparency" section.Verification
@unlikeotherai/qr-art2FA dep, unrelated to this change).Resolves HUGO-147.
🤖 Generated with Claude Code