feat: integrate zxcvbn-ts for password strength evaluation
#308
Conversation
…in and reset password forms
|
github-actions
bot
added
dependencies
| <Banner variant="info"> | ||
| <p> | ||
| <span> |
There was a problem hiding this comment.
I made this tiny change because it will cause a hydration error
There was a problem hiding this comment.
Yay! This rocks. 🔥🔥🔥
First: Can we tighten up the margin here between the input and strength meter?
Second: seeing this in action, the messages appearing and disappearing while typing is distracting. I wonder if we can update the PasswordStrength component to:
- Display a
circle-helpicon to the right of the label when suggestions or a warning exists - Open a
Popoverwith the existing banners Popovershould display on the right when there's available space, otherwise on the bottom
Third: Can we update the PasswordStrength component to prevent the label from re-animating if the strength does not change?
CleanShot.2024-12-22.at.10.56.39.mp4
Let me know if you have any thoughts/questions/recommended improvements for the design or implementation!
| zxcvbnOptions.setOptions(options); | ||
| }); | ||
|
|
||
| export function usePasswordStrength(password: string) { |
There was a problem hiding this comment.
Love the creation of a hook for this!
| const loadOptions = async () => { | ||
| const zxcvbnCommonPackage = await import( | ||
| /* webpackChunkName: "zxcvbnCommonPackage" */ "@zxcvbn-ts/language-common" | ||
| ); | ||
| const zxcvbnEnPackage = await import( | ||
| /* webpackChunkName: "zxcvbnEnPackage" */ "@zxcvbn-ts/language-en" | ||
| ); | ||
| return { | ||
| dictionary: { | ||
| ...zxcvbnCommonPackage.dictionary, | ||
| ...zxcvbnEnPackage.dictionary, | ||
| }, | ||
| translations: zxcvbnEnPackage.translations, | ||
| }; | ||
| }; |
There was a problem hiding this comment.
Thanks for adding lazy-loading!
| <Button | ||
| type="submit" | ||
| variant="primary" | ||
| isDisabled={isSubmitting || (passwordState && passwordState?.score < 3)} |
There was a problem hiding this comment.
Instead of disabling the button entirely, which can cause accessibility issues, can we instead update our form submission handler to set the error when the score is < 3?
It might also be nice to pull the submission handler out into a handleSubmit function for readability.
| isDisabled={ | ||
| isSubmitting || (passwordState && passwordState.score < 3) | ||
| } |
There was a problem hiding this comment.
Let's display an error instead of disabling the button (see other comment)
| @@ -137,7 +140,20 @@ const SignIn = () => { | |||
| value={password} | |||
| onChange={setPassword} | |||
| /> | |||
| <Button type="submit" isDisabled={isSubmitting} variant="primary"> | |||
| {password && passwordState && ( | |||
There was a problem hiding this comment.
One more idea:
- Can we change the api of
PasswordStrengthto just accept one prop forpassword, instead ofvalueandwarningandsuggestions? And then handle all logic for display inside of the component? That way we don't have to check?? undefinedor nest it within a conditional statement wherever it's used, and we can invoke the hook from within the component itself. - Can we display the strength meter even when the password is empty, but hide the label? To prevent reflowing the page when a user begins typing.
There was a problem hiding this comment.
Definitely!
For the 2nd point when the password is empty do we provide the help icon or is it hidden with the label? It can have initial suggestions for the pwd structure but idk if that really helps?
There was a problem hiding this comment.
Does the library return suggestions if the password is empty?
There was a problem hiding this comment.
Yep it does return 2 suggestions
There was a problem hiding this comment.
Yeah, let's try leaving it in even without a label.
|
The |
What changed?
Resolves #287
Add password strength evaluation during registration and password reset.
2024-12-22-11-17-40.mp4
Why?
Limit account phishing by requiring a minimum password score when creating an account or reseting a password.
How was this change made?
zxcvbn-tsfor password strength estimationusePasswordStrengthhook to use in different componentsHow was this tested?
👀