Hartmut/CapaKraken
1
0
Fork 0
Code Issues 10 Pull Requests 1 Actions Packages Projects Releases Wiki Activity

security: reject common/weak passwords on every set-password path (#31) #60

Open
Hartmut wants to merge 2 commits from security/password-policy-blacklist into main
pull from: security/password-policy-blacklist
merge into: Hartmut:main
Conversation 0 Commits 2 Files Changed 8
+359

2 Commits

Author SHA1 Message Date
Hartmut cfce1f2a15 test(shared): narrow PasswordCheckResult before reading reason
CI / Architecture Guardrails (pull_request) Successful in 6m11s
Details
CI / Assistant Split Regression (pull_request) Successful in 7m19s
Details
CI / Lint (pull_request) Successful in 7m59s
Details
CI / Typecheck (pull_request) Successful in 9m28s
Details
CI / Build (pull_request) Successful in 6m53s
Details
CI / E2E Tests (pull_request) Successful in 6m7s
Details
CI / Fresh-Linux Docker Deploy (pull_request) Successful in 6m52s
Details
CI / Release Images (pull_request) Has been skipped
Details
CI / Unit Tests (pull_request) Successful in 8m30s
Details 
CI typecheck failed because the discriminated union returned by
checkPasswordPolicy only exposes `reason` on the `{ ok: false }` branch.
Guard each `.reason` assertion with `if (!result.ok)` so the test file
typechecks under exactOptionalPropertyTypes.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
 2026-04-18 14:53:30 +02:00
Hartmut e01074926e security: reject common/weak passwords on every set-password path (#31)
CI / Architecture Guardrails (pull_request) Successful in 6m31s
Details
CI / Typecheck (pull_request) Failing after 6m9s
Details
CI / Build (pull_request) Has been skipped
Details
CI / E2E Tests (pull_request) Has been skipped
Details
CI / Fresh-Linux Docker Deploy (pull_request) Has been skipped
Details
CI / Assistant Split Regression (pull_request) Successful in 7m23s
Details
CI / Lint (pull_request) Successful in 6m54s
Details
CI / Unit Tests (pull_request) Successful in 9m28s
Details
CI / Release Images (pull_request) Has been skipped
Details 
Adds a synchronous policy check that blocks (1) the curated >=12-char
common-password list (rockyou top, predictable seasonal, admin defaults),
(2) trivial patterns (single-char repeat, short-pattern repeat, keyboard
or numeric sequences), and (3) passwords containing the user's email
local-part or any name component. Wired into all five password-mutation
sites: first-admin setup, admin createUser/setUserPassword, invite
acceptance, and password-reset.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
 2026-04-18 14:09:38 +02:00