From a83d99915d8decbc4f7a129ee72fa747bba37455 Mon Sep 17 00:00:00 2001
From: kodumbeats
Date: Thu, 25 Nov 2021 15:07:54 -0500
Subject: [PATCH] Align password requirements with nist guidelines
---
 app/controllers/api/account.php | 14 +++++++-------
 app/controllers/api/users.php | 2 +-
 app/views/home/auth/signup.phtml | 2 +-
 src/Appwrite/Auth/Validator/Password.php | 10 ++++++----
 4 files changed, 15 insertions(+), 13 deletions(-)
diff --git a/app/controllers/api/account.php b/app/controllers/api/account.php
index c236509dd..d77704cfc 100644
--- a/app/controllers/api/account.php
+++ b/app/controllers/api/account.php
@@ -44,7 +44,7 @@ App::post('/v1/account')
 ->label('sdk.response.model', Response::MODEL_USER)
 ->label('abuse-limit', 10)
 ->param('email', '', new Email(), 'User email.')
- ->param('password', '', new Password(), 'User password. Must be between 6 to 32 chars.')
+ ->param('password', '', new Password(), 'User password. Must be at least 8 chars.')
 ->param('name', '', new Text(128), 'User name. Max length: 128 chars.', true)
 ->inject('request')
 ->inject('response')
@@ -160,7 +160,7 @@ App::post('/v1/account/sessions')
 ->label('abuse-limit', 10)
 ->label('abuse-key', 'url:{url},email:{param-email}')
 ->param('email', '', new Email(), 'User email.')
- ->param('password', '', new Password(), 'User password. Must be between 6 to 32 chars.')
+ ->param('password', '', new Password(), 'User password. Must be at least 8 chars.')
 ->inject('request')
 ->inject('response')
 ->inject('projectDB')
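Review bot: The `password` param of `POST /v1/account/sessions` in the second hunk is validated with `new Password()`, and the validator's minimum rises from 6 to 8 elsewhere in this patch, so an existing account whose password is 6 or 7 characters long is presumably rejected at parameter validation before its credential is ever compared and can no longer sign in. The `oldPassword` param of `PATCH /v1/account/password` and the `password` param of `PATCH /v1/account/email` (next hunks) use the same validator on the user's current password, which leaves such a user no self-service way to move to a compliant password. Consider checking the credential-proof inputs with a bounded but policy-free validator and enforcing the new minimum only where a password is being set, e.g. on the sessions route `->param('password', '', new Text(256), 'User password.')`, or shipping a migration path alongside the tighter rule. Each route chain continues outside its hunk, so the handler bodies were not reviewed.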
@@ -1356,8 +1356,8 @@ App::patch('/v1/account/password')
 ->label('sdk.response.code', Response::STATUS_CODE_OK)
 ->label('sdk.response.type', Response::CONTENT_TYPE_JSON)
 ->label('sdk.response.model', Response::MODEL_USER)
- ->param('password', '', new Password(), 'New user password. Must be between 6 to 32 chars.')
- ->param('oldPassword', '', new Password(), 'Old user password. Must be between 6 to 32 chars.', true)
+ ->param('password', '', new Password(), 'User password. Must be at least 8 chars.')
+ ->param('oldPassword', '', new Password(), 'Old user password. Must be at least 8 chars.', true)
 ->inject('response')
 ->inject('user')
 ->inject('projectDB')
@@ -1404,7 +1404,7 @@ App::patch('/v1/account/email')
 ->label('sdk.response.type', Response::CONTENT_TYPE_JSON)
 ->label('sdk.response.model', Response::MODEL_USER)
 ->param('email', '', new Email(), 'User email.')
- ->param('password', '', new Password(), 'User password. Must be between 6 to 32 chars.')
+ ->param('password', '', new Password(), 'User password. Must be at least 8 chars.')
 ->inject('response')
 ->inject('user')
 ->inject('projectDB')
@@ -1863,8 +1863,8 @@ App::put('/v1/account/recovery')
 ->label('abuse-key', 'url:{url},userId:{param-userId}')
 ->param('userId', '', new UID(), 'User account UID address.')
 ->param('secret', '', new Text(256), 'Valid reset token.')
- ->param('password', '', new Password(), 'New password. Must be between 6 to 32 chars.')
- ->param('passwordAgain', '', new Password(), 'New password again. Must be between 6 to 32 chars.')
+ ->param('password', '', new Password(), 'User password. Must be at least 8 chars.')
+ ->param('passwordAgain', '', new Password(), 'New password again. Must be at least 8 chars.')
 ->inject('response')
 ->inject('projectDB')
 ->inject('audits')
diff --git a/app/controllers/api/users.php b/app/controllers/api/users.php
index 8832e3061..caaae7f35 100644
--- a/app/controllers/api/users.php
+++ b/app/controllers/api/users.php
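Review bot: The replacement description for the `password` param on `PATCH /v1/account/password` (first hunk) and on `PUT /v1/account/recovery` (third hunk) drops the "New" qualifier that the removed lines carried, so the generated SDK docs now describe the password being set with the same words as a current password, while the neighbouring `oldPassword` and `passwordAgain` params keep their qualifiers. Keep the distinction when updating the length text: `->param('password', '', new Password(), 'New user password. Must be at least 8 chars.')` on the change-password route and `->param('password', '', new Password(), 'New password. Must be at least 8 chars.')` on the recovery route. The route chains continue outside these hunks.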
@@ -33,7 +33,7 @@ App::post('/v1/users')
 ->label('sdk.response.type', Response::CONTENT_TYPE_JSON)
 ->label('sdk.response.model', Response::MODEL_USER)
 ->param('email', '', new Email(), 'User email.')
- ->param('password', '', new Password(), 'User password. Must be between 6 to 32 chars.')
+ ->param('password', '', new Password(), 'User password. Must be at least 8 chars.')
 ->param('name', '', new Text(128), 'User name. Max length: 128 chars.', true)
 ->inject('response')
 ->inject('projectDB')
diff --git a/app/views/home/auth/signup.phtml b/app/views/home/auth/signup.phtml
index cf3059177..79ebb67d8 100644
--- a/app/views/home/auth/signup.phtml
+++ b/app/views/home/auth/signup.phtml
@@ -45,7 +45,7 @@ $root = ($this->getParam('root') !== 'disabled'); - +
diff --git a/src/Appwrite/Auth/Validator/Password.php b/src/Appwrite/Auth/Validator/Password.php
index d3dd810fa..d7168774b 100644
--- a/src/Appwrite/Auth/Validator/Password.php
+++ b/src/Appwrite/Auth/Validator/Password.php
@@ -20,21 +20,23 @@ class Password extends Validator
 */
 public function getDescription()
 {
- return 'Password must be between 6 and 32 chars and contain ...';
+ return 'Password must be at least 8 characters';
 }
 
 /**
 * Is valid.
 *
- * Validation username
- *
 * @param mixed $value
 *
 * @return bool
 */
 public function isValid($value)
 {
- if (\strlen($value) < 6 || \strlen($value) > 32) {
+ if (!\is_string($value)) {
+ return false;
+ }
+
+ if (\strlen($value) < 8) {
 return false;
 }
 
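Review bot: The rewritten length check at the end of the `isValid` hunk removes the previous upper bound entirely, so the validator now accepts a value of any length; NIST SP 800-63B asks verifiers to permit at least 64 characters, not unbounded input, and an unbounded string flows into whatever slow password hash the project uses (that code is not in this patch — if it is bcrypt, bytes beyond 72 are silently ignored, so confirm). A generous cap preserves the guideline while bounding the hashing work, e.g. `if (\strlen($value) < 8 || \strlen($value) > 256) {`, reusing the 256 limit this patch already applies to the recovery `secret` param. Separately, `\strlen` counts bytes while the new `getDescription()` string and the route descriptions say "characters", so a three-character multibyte password of three-byte code points passes the check; use `\mb_strlen($value)` or state the limit in bytes so the documented rule matches the enforced one. The `is_string` guard is a good addition; the remainder of `isValid` continues past the hunk and was not reviewed.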