
Add password strength requirements during registration and password reset #287

Open
evadecker opened this issue Dec 17, 2024 · 4 comments · May be fixed by #308
Labels
backend Schema, query, and mutation changes frontend CSS, HTML, and JS changes
Milestone

Comments

@evadecker
Member

We should implement password requirements to reduce the risk of phishing and account loss.

https://labs.convex.dev/auth/config/passwords#customize-sign-up-form-validation

@evadecker evadecker added frontend CSS, HTML, and JS changes backend Schema, query, and mutation changes labels Dec 17, 2024
@evadecker evadecker added this to the Namesake v1.0 milestone Dec 17, 2024
@belhajManel
Contributor

For email validation, haveibeenpwned, suggested by the docs, offers a limited free plan.

I found mailchecker, which doesn't do the same job as haveibeenpwned but rather validates that the email is not a temporary/spam mail, which can be a start (still checking the package).

What do you think?

@evadecker
Member Author

@belhajManel I love the idea of implementing some email validation using mailchecker or haveibeenpwned but let's save that for another PR.

For this PR, it would be great to implement https://zxcvbn-ts.github.io/zxcvbn/ for password-checking.

We'd want to:

  1. Create a new PasswordStrength component to display the strength of a password from 0-4 (a segmented bar with a label and color, something like this)

[image: PasswordStrength mock-up]

  2. Display the new component beneath the password input for registration

  3. Initialize the zxcvbn-ts library and hook up the password strength to the component

  4. Display warnings and suggestions returned from the library in a banner to help the user pick a stronger password (example API response)

[screenshot: example zxcvbn-ts API response, 2024-12-20]

  5. Prevent registration if the password is too insecure (maybe scores below 3?)
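The steps above describe one pipeline: take a zxcvbn-ts result, map its 0-4 score to a meter label and color, surface the warning and suggestions, and gate registration on a minimum score. Below is an added example of that policy layer, not code from the Namesake project or from zxcvbn-ts. It assumes only the `score` and `feedback` fields that a zxcvbn-ts result carries (typed here as `ZxcvbnLike`), the threshold of 3 floated in the issue, and label/color names chosen for illustration; the sample result at the bottom is constructed, not real library output.

```typescript
// Added example (not Namesake's or zxcvbn-ts's code): the policy layer between
// a zxcvbn-ts result and the PasswordStrength meter / registration gate.

// Subset of the zxcvbn-ts result shape that the UI needs (assumption: only
// these two fields are consumed; the real result has many more).
export type ZxcvbnLike = {
  score: 0 | 1 | 2 | 3 | 4;
  feedback?: { warning?: string | null; suggestions?: string[] };
};

// Threshold from the issue: scores below 3 block registration.
export const MIN_ACCEPTABLE_SCORE = 3;

// Label and color per score (names are assumptions for the meter UI).
const LABELS = ["Very weak", "Weak", "Fair", "Strong", "Very strong"] as const;
const COLORS = ["red", "orange", "yellow", "green", "green"] as const;

export type StrengthView = {
  score: number;
  label: string;
  color: string;
  filledSegments: number; // out of 4 bar segments
  canRegister: boolean;
  messages: string[]; // warning first, then suggestions, deduplicated
};

// Turn a password plus its zxcvbn-ts result into everything the component and
// the submit button need. An empty password (or no result yet) yields an empty
// meter and blocks submission without consulting the library.
export function evaluatePassword(password: string, result: ZxcvbnLike | null): StrengthView {
  if (password.length === 0 || result === null) {
    return { score: 0, label: "", color: "gray", filledSegments: 0, canRegister: false, messages: [] };
  }
  const score = result.score;
  const messages: string[] = [];
  const warning = result.feedback?.warning;
  if (warning) messages.push(warning);
  for (const suggestion of result.feedback?.suggestions ?? []) {
    if (!messages.includes(suggestion)) messages.push(suggestion);
  }
  return {
    score,
    label: LABELS[score],
    color: COLORS[score],
    filledSegments: score,
    canRegister: score >= MIN_ACCEPTABLE_SCORE,
    messages,
  };
}

// Plain-text rendering of the segmented bar (useful for tests and SSR).
export function renderMeter(view: StrengthView): string {
  const segments = Array.from({ length: 4 }, (_, i) => (i < view.filledSegments ? "█" : "░")).join("");
  return view.label ? `${segments} ${view.label}` : segments;
}

// Server-side gate: the meter is a UX aid, so the same threshold must be
// enforced where the registration/reset request is actually handled.
export function assertStrongEnough(view: StrengthView): void {
  if (!view.canRegister) {
    throw new Error(`Password too weak (score ${view.score}, need ${MIN_ACCEPTABLE_SCORE})`);
  }
}

// Constructed sample mimicking a zxcvbn-ts result for a weak password.
export const SAMPLE_WEAK: ZxcvbnLike = {
  score: 1,
  feedback: {
    warning: "This is a very common password.",
    suggestions: ["Add another word or two. Uncommon words are better."],
  },
};
```

The split into `evaluatePassword` (pure, testable) and the rendering/throwing helpers keeps the threshold in one place, so the client meter and the server check cannot drift apart; a client-only check can be skipped by anyone posting the form directly.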

@evadecker evadecker changed the title Add password requirements and other signup validation logic Add password strength requirements during registration Dec 20, 2024
@evadecker
Member Author

Created one for ya: #301

@belhajManel
Contributor

You're amazing 🙌

@evadecker evadecker changed the title Add password strength requirements during registration Add password strength requirements during registration and password reset Dec 21, 2024