feat: password validation hints and regex pattern support (#159) #205

Open
eugenioenko wants to merge 1 commit into fix/validate-duration-settings from feat/password-validation-pattern

@eugenioenko
Owner

Summary

  • New settings `validation_password_pattern` (Go regexp) and `validation_password_hint` (human-readable tooltip text), exposed in the admin UI Settings page
  • On signup / onboard / password reset forms, the password `<input>` now gets HTML5 `minlength`, `maxlength`, `pattern`, and `title` attributes — browser shows a native tooltip on invalid submit, no JS
  • Server-side validation enforces the same rules as defense in depth (`pkg/user/model.go`, `pkg/passwordreset/handler.go`)
  • Admin settings save rejects an invalid regex with 400 so a typo can't lock users out

Base branch

Depends on #204 (duration validator refactor) — stacked on `fix/validate-duration-settings`. Rebase to `main` after that lands.

Fixes #159

Test plan

  • `go build ./...` clean
  • `go test ./pkg/{user,appsettings,passwordreset,onboarding,signup}/...` passes
  • `tsc --noEmit` clean on admin-ui
  • Manual: set pattern `^(?=.[A-Z])(?=.\d).+$` + hint, sign up with a weak password → browser tooltip appears
  • Manual: submit an invalid regex via settings → 400 with clear error
  • Manual: with no pattern set, signup behaves as today

🤖 Generated with Claude Code

Adds two new settings — validation_password_pattern and
validation_password_hint — configurable via the admin UI. The pattern is
a Go regexp that new passwords must match (signup, self-service onboard,
password reset); the hint is a human-readable message shown to the user.

On the form, the pattern and hint are applied as HTML5 minlength,
maxlength, pattern, and title attributes on the password input, so the
browser shows a native validation tooltip before submit — no JS needed.
Server-side validation enforces the same rules as a defense in depth.

The regex is compiled once on settings save and the change is rejected
with 400 if it doesn't parse, so admins can't break the form with a
typo.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
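
The save-time compile and server-side enforcement described in this pull request, sketched as an added example that is not code from the PR or the project: `PasswordPolicy`, `NewPasswordPolicy` and `Validate` are hypothetical names, and the sample patterns and passwords are constructed. It anchors the pattern explicitly because the HTML5 `pattern` attribute must match the whole value while Go's `MatchString` accepts a substring match, and it shows that Go's regexp syntax (RE2) rejects lookaheads at compile time.

```go
package main

import (
	"fmt"
	"regexp"
	"unicode/utf8"
)

// PasswordPolicy (hypothetical) mirrors the settings named in the PR.
type PasswordPolicy struct {
	MinLen, MaxLen int
	Hint           string
	re             *regexp.Regexp // nil when no pattern is configured
}

// NewPasswordPolicy runs at settings save; an error maps to HTTP 400.
func NewPasswordPolicy(pattern, hint string, minLen, maxLen int) (*PasswordPolicy, error) {
	p := &PasswordPolicy{MinLen: minLen, MaxLen: maxLen, Hint: hint}
	if pattern == "" {
		return p, nil
	}
	// Raw first (the wrapper must not mask unbalanced groups), then anchored.
	for _, src := range []string{pattern, "^(?:" + pattern + ")$"} {
		re, err := regexp.Compile(src)
		if err != nil {
			return nil, fmt.Errorf("validation_password_pattern: %w", err)
		}
		p.re = re
	}
	return p, nil
}

// Validate is the server-side check, independent of browser attributes.
func (p *PasswordPolicy) Validate(pw string) error {
	n := utf8.RuneCountInString(pw) // count runes, not bytes
	if n < p.MinLen || n > p.MaxLen {
		return fmt.Errorf("password must be %d-%d characters", p.MinLen, p.MaxLen)
	}
	if p.re != nil && !p.re.MatchString(pw) {
		return fmt.Errorf("password does not match policy: %s", p.Hint)
	}
	return nil
}

func main() { // constructed sample patterns and passwords
	p, _ := NewPasswordPolicy(`[A-Za-z0-9]{8,}`, "letters and digits only", 8, 64)
	fmt.Println(p.Validate("abc12345"), p.Validate("abc12345<script>"))
	_, err := NewPasswordPolicy(`(?=.*\d).+`, "", 8, 64) // lookahead: compile error
	fmt.Println(err)
}
```

Without the `^(?:…)$` wrapper, `abc12345<script>` would pass the server check even though the browser's `pattern` attribute rejects it.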