Summary
The signup and reset_password forms lack client-side password validation (minlength/maxlength attributes). Users only learn about password requirements after server-side rejection, which clears the form.
Additionally, there's no support for regex-based validation for password complexity or username format restrictions.
Current Behavior
view/signup.html and view/reset_password.html password fields have no minlength/maxlength attributes- Password requirements are only enforced server-side via
ValidationMinPasswordLength / ValidationMaxPasswordLength (configurable at runtime)
- No regex pattern validation exists for password complexity
- Username validation only enforces length (min/max), with no character or format restrictions
- Admins cannot enforce username policies (e.g., alphanumeric only, no special characters, email format)
Proposed Changes
1. Dynamic minlength/maxlength on password fields
Since min/max password length is runtime-configurable via admin settings, the values need to be injected into templates:
<input type="password" minlength="{{.MinPasswordLength}}" maxlength="{{.MaxPasswordLength}}" />Affected templates:
view/signup.htmlview/reset_password.html
Each handler rendering these templates needs to pass MinPasswordLength and MaxPasswordLength from config.Get().
2. Regex password validation
Add a configurable password regex pattern (e.g., validation_password_pattern) as a runtime setting:
- Server-side: validate password against the regex in
ValidateUserCreateRequest
- Client-side: pass pattern to the template as an HTML
pattern attribute with a description
- Default: empty (no pattern enforced beyond length), so existing behavior is unchanged
Example setting:
validation_password_pattern: ^(?=.*[A-Z])(?=.*[0-9])(?=.*[!@#$%^&*]).+$
validation_password_pattern_hint: Must contain at least one uppercase letter, one number, and one special character
3. Regex username validation
Add a configurable username regex pattern (e.g., validation_username_pattern) as a runtime setting:
- Server-side: validate username against the regex in
ValidateUserCreateRequest and ValidateUserUpdateRequest
- Client-side: pass pattern to the template as an HTML
pattern attribute with a description
- Default: empty (no pattern enforced beyond length), so existing behavior is unchanged
Example setting:
validation_username_pattern: ^[a-zA-Z0-9._-]+$
validation_username_pattern_hint: Only letters, numbers, dots, hyphens, and underscores are allowed
This allows admins to enforce policies like:
- Alphanumeric only:
^[a-zA-Z0-9]+$
- No special characters except dash/underscore:
^[a-zA-Z0-9._-]+$
- Must start with a letter:
^[a-zA-Z][a-zA-Z0-9._-]*$
Related: #223 (whitespace trimming — fixed separately)
Context
Discovered during #153 — onboarding was fixed with hardcoded values (safe since it runs before settings are configured), but signup/reset forms need the dynamic approach.
🤖 Generated with Claude Code
Summary
The signup and reset_password forms lack client-side password validation (
minlength/maxlengthattributes). Users only learn about password requirements after server-side rejection, which clears the form.Additionally, there's no support for regex-based validation for password complexity or username format restrictions.
Current Behavior
view/signup.htmlandview/reset_password.htmlpassword fields have nominlength/maxlengthattributesValidationMinPasswordLength/ValidationMaxPasswordLength(configurable at runtime)Proposed Changes
1. Dynamic minlength/maxlength on password fields
Since min/max password length is runtime-configurable via admin settings, the values need to be injected into templates:
Affected templates:
view/signup.htmlview/reset_password.htmlEach handler rendering these templates needs to pass
MinPasswordLengthandMaxPasswordLengthfromconfig.Get().2. Regex password validation
Add a configurable password regex pattern (e.g.,
validation_password_pattern) as a runtime setting:ValidateUserCreateRequestpatternattribute with a descriptionExample setting:
3. Regex username validation
Add a configurable username regex pattern (e.g.,
validation_username_pattern) as a runtime setting:ValidateUserCreateRequestandValidateUserUpdateRequestpatternattribute with a descriptionExample setting:
This allows admins to enforce policies like:
^[a-zA-Z0-9]+$^[a-zA-Z0-9._-]+$^[a-zA-Z][a-zA-Z0-9._-]*$Related: #223 (whitespace trimming — fixed separately)
Context
Discovered during #153 — onboarding was fixed with hardcoded values (safe since it runs before settings are configured), but signup/reset forms need the dynamic approach.
🤖 Generated with Claude Code