
[bug]: Password complexity errors not displayed

Open bljohnsondev opened this issue 1 month ago • 2 comments

Is there an existing issue for this?

  • [x] I have searched the existing issues

Current behavior

When I try and either set my initial password or when I try and change my password to certain passwords I get a toast popup at the bottom that has a title of auth.common.password.toast.error.title and a message of auth.common.password.toast.error.message. The actual message isn't shown on the screen.

After doing some digging it looks like there is a password complexity check in the API file: apps/api/plane/authentication/views/common.py

I'm guessing this affects both the ChangePasswordEndpoint and SetUserPasswordEndpoint. The check is:

results = zxcvbn(new_password)
if results["score"] < 3:
    ...

This returns either an INVALID_NEW_PASSWORD or INVALID_PASSWORD but no user-friendly error message is being shown to the user.

Steps to reproduce

  1. Go to User Settings -> Security
  2. Change password
  3. Type in a password with a password complexity lower than 3

Or

  1. On initial user setup choose a low-complexity password for password and confirm password

A password that you can use to replicate this is: Say!hello1

It seems like it's complex enough to pass the frontend password weakness check but not complex enough to pass the backend zxcvbn check.

Environment

Production

Browser

Google Chrome

Variant

Self-hosted

Version

1.1.0

bljohnsondev avatar Nov 07 '25 19:11 bljohnsondev
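
Added example, not part of the original issue and not Plane's own code: one way a backend could turn the zxcvbn result from the check quoted above into an error body the UI can display instead of raw translation keys. The `score < 3` threshold and the `INVALID_NEW_PASSWORD` code come from the issue; the function name, the response field names and the sample result dicts are assumptions constructed for illustration.

```python
from typing import Optional

MIN_SCORE = 3  # from the issue: passwords with score < 3 are rejected
FALLBACK_MESSAGE = "Password is too weak. Use a longer, less predictable password."

def password_policy_error(result: dict, error_code: str,
                          min_score: int = MIN_SCORE) -> Optional[dict]:
    """Return None if the password is accepted, else a client-safe error body.

    `result` is a zxcvbn-style dict. Field names in the returned body
    (error_code, error_message, ...) are hypothetical, not Plane's API.
    """
    score = int(result.get("score", 0))
    if score >= min_score:
        return None
    feedback = result.get("feedback") or {}
    warning = str(feedback.get("warning") or "").strip()
    suggestions = [str(s).strip() for s in (feedback.get("suggestions") or [])
                   if str(s).strip()]
    # Copy only allow-listed fields. The full zxcvbn result also carries the
    # plaintext password and its match sequence, which must never be returned
    # to the client or written to logs.
    return {
        "error_code": error_code,
        "error_message": warning or FALLBACK_MESSAGE,
        "suggestions": suggestions,
        "score": score,
        "min_score": min_score,
    }

# Constructed sample results (not real zxcvbn output for any real password).
WEAK_WITH_WARNING = {
    "password": "constructed-sample-1", "score": 2, "sequence": [],
    "feedback": {"warning": "This is similar to a commonly used password.",
                 "suggestions": ["Add another word or two."]},
}
WEAK_NO_WARNING = {
    "password": "constructed-sample-2", "score": 1, "sequence": [],
    "feedback": {"warning": "", "suggestions": []},
}
STRONG = {"password": "constructed-sample-3", "score": 4, "sequence": [],
          "feedback": {"warning": "", "suggestions": []}}

if __name__ == "__main__":
    for sample in (WEAK_WITH_WARNING, WEAK_NO_WARNING, STRONG):
        print(password_policy_error(sample, "INVALID_NEW_PASSWORD"))
```

Running the same scorer and threshold in the frontend strength meter would also remove the mismatch the issue describes, where a password passes the client check and fails the server one.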

@pushya22 @vihar Hi, I'm interested in this issue. May I take it on?

shuaixr avatar Nov 11 '25 04:11 shuaixr

I have noticed this as well. The password I had used was "Password@123". The frontend shows the strength is great, but the backend fails.

Hadley99 avatar Nov 18 '25 05:11 Hadley99