[5.4] Installation - Admin password must be at least 12 characters long
Pull Request for Issue #46111, #42289.
Summary of Changes
Admin password must be at least 12 characters long and Password must not have spaces at the beginning or end
Testing Instructions
Install Joomla 5.3.x. At Login Data: set a short <12 char and/or use spaces as 'Set the username for your Super User account. *'
Actual result BEFORE applying this Pull Request
The installation process goes on until it gets stuck in the 'Installation progress' phase. There is no possibility to cancel, stop or do something other than go back in the browser.
Expected result AFTER applying this Pull Request
You cannot proceed until you set a minimum password of 12 chars and Password must not have spaces at the beginning or end
Link to documentations
Please select:
- [ ] Documentation link for docs.joomla.org:
- [ ] No documentation changes for docs.joomla.org needed
- [ ] Pull Request link for manual.joomla.org:
- [ ] No documentation changes for manual.joomla.org needed
@alikon Please do not use hard-coded strings. This should be a variable so that appropriate translations can be made in all languages.
@tecpromotion no more hard-coded strings
I have tested this item :white_check_mark: successfully on 65a2286ae6b33c972d3ff6345f7de0d218bec6aa
Does it make sense to check for invalid characters here as well, or do we need a new PR for that? I just entered four letters and the rest as spaces. The bar turns green and at the very end, an error message appears saying that the password must not contain any spaces, and nothing works anymore.
Screenshot in German but you see the problem.
the only chars that are being checked on installation should be spaces, check added
It works in principle, but the string JFIELD_PASSWORD_SPACES_IN_PASSWORD is not entirely correct, as spaces within the password are not accepted either. However, it only refers to the beginning and end.
then the text of JFIELD_PASSWORD_SPACES_IN_PASSWORD="Password must not have spaces at the beginning or end." is wrong
as it is only used here https://github.com/joomla/joomla-cms/blob/1b14ada694a179a144ad53f8992ab8739a97e7c9/libraries/src/Form/Rule/PasswordRule.php#L95-L115
it should be JFIELD_PASSWORD_SPACES_IN_PASSWORD="Password must not have spaces."
This pull request has been automatically rebased to 5.4-dev.
Is the change only for the characters? Because it's not the only issue here... the logics of validation IMO should change into the screen where you actually input the password...
@richard67 prebuild packages for this PR aren't available.
Seems they were too old and so deleted. I have just triggered a new build, they should be available again in some 30 minutes.
@Milo-W Prebuild packages are now available for this PR.
Tested with JBT and en-GB
- Before the PR
- There is a note 'Enter at least 12 characters.' and an orange hint 'Password doesn't meet the site's requirements.' But if I use a shorter password, I can continue. Installation fails later with clear red error message "Password is too short." – But of course, it would be better to fail directly on the password input page.
- With one space in the middle the installation is working.
- With only 12 spaces as password the installation fails later with clear red error message 'Password must not have spaces at the beginning or end.' – But again, it would be better to fail directly on the password input page.
- Graft PRs full package and deleted configuration.php
- Tested password shorter than 12 chars have red error 'Enter at least 12 characters.'
- ⚠️ But with typing each character the error message pops-up new as nervous fidgeting. Is it possible to check more user-friendly on 'Setup Database Connection' click? See
- ❌ Test fails as even with a space in the middle, which was working before, there is the error message 'Password must not have spaces at the beginning or end.'
- Tested password shorter than 12 chars have red error 'Enter at least 12 characters.'
but with typing each character the error message pops-up new as nervous fidgeting. Is it possible to check more user-friendly
used on blur now
Test fails as even with a space in the middle, which was working before, there is the error message 'Password must not have spaces at the beginning or end.'
see previous comment "We don't allow white space inside passwords" https://github.com/joomla/joomla-cms/pull/46173#issuecomment-3338404880
I have tested this item :white_check_mark: successfully on f3d0cc9e158098d90ab58de630fdcc2625a5e1ec
@alikon Thank you very much for further improving this PR. We discussed this PR in yesterday's maintainer meeting. Since white spaces within passwords currently work (we have tested creating a user, login and changing the password), we would not change this functionality in a minor release. Could you please adjust the PR so that it only checks for spaces in the beginning and end of a password?
Spaces within passwords are expected behaviour; there are password managers that generate such passwords, and this should continue to work.
now Password must not have spaces at the beginning or end should be fixed
Thank you very much @alikon for your adjustments. Re-Tested with JBT, Firefox and en-GB:
- Graft PRs full package and deleted configuration.php
- ✅ Nervous fidgeting is fixed
- ✅ It is possible to have spaces in the middle of the password
- ✅ Spaces in the beginning or end of the password are detected and correct red error 'Password must not have spaces at the beginning or end.'
- ✅ For passwords, shorter than 12 chars, red error 'Enter at least 12 characters.' is shown, and continue to setup database connection is not possible
- ❌ Click 'Setup Database Connection' is not working, it needs one more click or click in the page to continue
- And JavaScript error:
The invalid form control with name=‘jform[db_user]’ is not focusable.
- ❌ There is a discrepancy between the red 'Password must not have spaces at the beginning or end.' and the green message 'Password accepted'. See the following screenshot. Can we also use JavaScript to check for spaces at the beginning and end and display a corresponding error message? Or simple change to 'Password length accepted.'?
Why don't you use the existing validator, like we normally do in Joomla, instead of copying the logic?
not sure to understand
https://github.com/joomla/joomla-cms/blob/5.4-dev/build/media_source/system/js/fields/passwordstrength.es6.js
still don't understand, that script doesn't even take care of space on first and last psw char how it should be, and more, it is just an indicator: you can still set psw length less than 12 char and it goes on step3
Then better to fix that script instead of having duplicated functionality.
ah ok, now it's a little clearer to me :smiley:
Just wondering, did a tool make the CS changes or is it your preference?
both VScode + preference
added some system test
why all these unrelated style changes? that makes it harder to review... Also can we be sure that the space is always forbidden at the beginning and the end? Especially if the password strength meter is not used for joomla passwords.
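The rule set this thread settles on (at least 12 characters, no spaces at the beginning or end, spaces inside allowed, checked on blur, error text and indicator in agreement), sketched as an added example; it is not code from this pull request or from Joomla. The function names, the two `EXAMPLE_` keys and the `translate`/`render` callbacks are assumptions made for illustration.

```javascript
// Added example: helper names are hypothetical, not Joomla's installer code.
const MIN_LENGTH = 12; // minimum stated in this PR

// Language keys rather than hard-coded strings. The first key is quoted in
// the thread; the other two are placeholders invented for this example.
const KEYS = {
  edgeSpace: 'JFIELD_PASSWORD_SPACES_IN_PASSWORD',
  tooShort: 'EXAMPLE_PASSWORD_TOO_SHORT',
  accepted: 'EXAMPLE_PASSWORD_ACCEPTED',
};

// One verdict for the whole field: the error text and the indicator both
// read `status`, so they cannot contradict each other.
function validateAdminPassword(value) {
  const errors = [];
  // Only the first and last character are tested; inner spaces pass.
  if (/^\s|\s$/.test(value)) errors.push(KEYS.edgeSpace);
  // Assumption: length is counted in code points, not UTF-16 units.
  if (Array.from(value).length < MIN_LENGTH) errors.push(KEYS.tooShort);
  const valid = errors.length === 0;
  return { valid, errors, status: valid ? KEYS.accepted : errors[0] };
}

// Validate when the field loses focus instead of on every keystroke.
// `translate` maps a language key to display text and `render` updates the
// UI; both are supplied by the caller (assumed interfaces).
function attachOnBlur(input, translate, render) {
  input.addEventListener('blur', () => {
    const verdict = validateAdminPassword(input.value);
    // A non-empty custom validity message blocks native form submission.
    input.setCustomValidity(verdict.valid ? '' : translate(verdict.status));
    render(verdict);
  });
}
```

The server-side rule still has to enforce the same conditions, since this check runs only in the browser.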