Add custom password validators to TUserManager

Hello,

I've seen that TUserManager is already prepared to manage a list of Password Validators. TUserManager has this in the "strict private" part

    FPasswordValidators: TList<IPasswordValidator>;

and in Create method there is

    FPasswordValidators.Add(TDefaultPasswordValidator.Create(PasswordOptions));

that adds the TDefaultPasswordValidator class. Plus, the ValidatePasswordInternal procedure loops over all the validators to check the password.

I would like to clone the TDefaultPasswordValidator class, modify some of it, and then add a second / third password validator to the default User Manager. Is it already possible? Is it something that you have in your general design, but at the moment it's not possible?

Thank you, ciao!

Paolo

Indeed, it was kind of prepared for flexibility, but not "published" yet (no place you can add your own validator).

Do you have a use case for that, what validations you want to add?

In general, we have to comply with this document.

In detail, for passwords (I paste here what, at the moment, we should do in a custom way):

  • Verify that passwords of at least 64 characters are permitted, and that passwords of more than 128 characters are denied. (C6)
  • Verify that password truncation is not performed. However, consecutive multiple spaces may be replaced by a single space. (C6)
  • Verify that passwords submitted during account registration, login, and password change are checked against a set of breached passwords either locally (such as the top 1,000 or 10,000 most common passwords which match the system's password policy) or using an external API. If using an API a zero knowledge proof or other mechanism should be used to ensure that the plain text password is not sent or used in verifying the breach status of the password. If the password is breached, the application must require the user to set a new non-breached password. (C6)
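The three ASVS checks quoted in the post above, written as a stand-alone Delphi validator class (an added example, not Sphinx code; the real IPasswordValidator method signature is not shown on the page, so the Validate signature and the breached list passed to the constructor are assumptions):

```pascal
uses
  System.SysUtils, System.Generics.Collections;

type
  // Added example (not Sphinx code): the three ASVS password checks quoted above.
  // The IPasswordValidator method signature is not on the page, so Validate's
  // shape here is an assumption; adapt it when wiring into TUserManager.
  TAsvsPasswordValidator = class
  strict private
    FBreached: TDictionary<string, Boolean>; // lower-cased local breached list
  public
    constructor Create(const BreachedPasswords: array of string);
    destructor Destroy; override;
    class function Normalize(const Password: string): string; static;
    function Validate(const Password: string; out Error: string): Boolean;
  end;

constructor TAsvsPasswordValidator.Create(const BreachedPasswords: array of string);
var P: string;
begin
  inherited Create;
  FBreached := TDictionary<string, Boolean>.Create;
  for P in BreachedPasswords do
    FBreached.AddOrSetValue(P.ToLower, True);
end;

destructor TAsvsPasswordValidator.Destroy;
begin
  FBreached.Free;
  inherited;
end;

// Collapses runs of spaces to a single space; never truncates (ASVS: no truncation).
class function TAsvsPasswordValidator.Normalize(const Password: string): string;
var I: Integer;
begin
  Result := '';
  for I := 1 to Length(Password) do
    if (Password[I] <> ' ') or (Result = '') or (Result[Length(Result)] <> ' ') then
      Result := Result + Password[I];
end;

function TAsvsPasswordValidator.Validate(const Password: string; out Error: string): Boolean;
var Norm: string;
begin
  Norm := Normalize(Password);
  Error := '';
  if Length(Norm) > 128 then           // 64+ characters allowed, more than 128 denied
    Error := 'Password must not exceed 128 characters'
  else if FBreached.ContainsKey(Norm.ToLower) then
    Error := 'Password appears in a breached-password list';
  Result := Error = '';
end;
```

The breached list here is a constructed local list (for example the top 10,000 most common passwords); the external-API variant with a zero-knowledge check is not shown.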

I believe a better way to accomplish this is to create an event in TPasswordOptions for a generic validation, so you can validate it from there.

If you think this is enough, maybe it's good to file a feature request.

Yes, I think it's enough.
I have seen in the source code the list of password validators, and I thought "this is the way to do it", but the event in TPasswordOptions is also fine.

From my point of view, the worst thing is that I've tried to hack the PasswordOptions class, to introduce the event now and use it (...waiting for the "official" feature), but for now I can't find a "light" hack that I can add, and I don't want to mess up the Sphinx components. I will find a way!

Thank you Wagner, as always !

Ciao

Paolo


Great. Please create the feature request so we can track!