THREESCALE-8916: Make strong passwords mandatory by jlledom · Pull Request #3 · jlledom/porta

jlledom · 2026-01-09T14:00:53Z

What this PR does / why we need it:

Currently, a provider can enforce strong password for the developer portal, and weak passwords are accepted by default. About admin portal, there's no option to enable strong passwords, weak passwords are always accepted.

I think both situations make no sense. I don't think it's acceptable to allow users decide whether they enforce strong passwords or not, as long as strong passwords are possible, that should be the default. And same thing about admin portal.

In this PR, I remove any option to accept weak passwords in both admin or developer portals. Existing passwords will continue to work, but new passwords will be enforced to be strong. Also, I increased the minimal number of characters to 16.

This affects multiple screens, but also API endpoints, this is the complete list:

All scenarios with a password
- Admin portal
  - UI
    - User invitation signup form
    - Personal details
    - Edit user
    - Forgot password
  - API
    - POST /master/api/providers.xml
    - POST /admin/api/users.xml
    - PUT /admin/api/users/{id}.xml
- Developer portal
  - UI
    - New buyer signup form
    - Existing buyer user invitation signup form
    - Personal details
    - Edit user
    - Forgot password
  - API
    - POST /admin/api/signup.xml
    - POST /admin/api/accounts/{id}/users.xml
    - PUT /admin/api/accounts/{id}/users/{id}.xml

Besides, while doing this, I found a few UI errors that I told Claude to fix. This are the affected screens:

Admin portal
- User invitation signup form
  - JS validation:
    - Before: min 6 characters
    - Now: Same restrictions as in backend
  - Error messages formatting
    - "\n" was literally printed instead of a new line.
- Personal Details
  - Password input in clear text
- Edit user
  - Password inputs visible for users without password (e.g. OAuth)
- Create new buyer
  - Password input in clear text
- Forgot password
  - Pass JS Validation: Sames as above

Another thing I noticed is strong passwords, even when enabled, were not being enforced for users not created by a human. For instance, the default admin user created when a buyer is created was always accepting weak passwords no matter the setting. I also fixed this.

Which issue(s) this PR fixes

https://issues.redhat.com/browse/THREESCALE-8916

Verification steps

You can go through any (ideally all) screens above an try to set a weak password. Also tests should pass.

…le/porta into THREESCALE-12200_clean_up_helpers_0

THREESCALE-12239: Remove unused npm packages

…helpers_0 🧹 Clean up helpers part 0

…ass-migration THREESCALE-12174: Remove old password migration

This is to ensure that the error is visible on the UI form

⚰️ Remove dead code related to plans widgets

…dation THREESCALE-11219: Fix ActiveDoc issues with server URLs with variables

Co-Authored-By: Claude <noreply@anthropic.com>

- But skip validation

Let tests fail to get the complete list of outdated tests

* For unmigrated users to recover a password

Except on the User drop for liquid templates

This reverts commit 746bec2.

jlledom self-assigned this Jan 9, 2026

jlledom force-pushed the THREESCALE-8916-admin-strong-paswords branch from 8c93fc8 to da18ea7 Compare January 9, 2026 14:04

jlledom changed the title ~~Threescale 8916 admin strong paswords~~ Threescale 8916: Make strong passwords mandatory Jan 9, 2026

jlledom changed the title ~~Threescale 8916: Make strong passwords mandatory~~ THREESCALE-8916: Make strong passwords mandatory Jan 9, 2026

jlledom mentioned this pull request Jan 9, 2026

THREESCALE-8916: Make strong passwords mandatory 3scale/porta#4195

Open

jlledom force-pushed the THREESCALE-8916-admin-strong-paswords branch 2 times, most recently from 33fe198 to 25f4a95 Compare January 13, 2026 09:43

josemigallas and others added 9 commits January 23, 2026 14:12

🧹 clean up helpers part 0

65d9814

🚨 fixes linter errors

b3bc8ab

fixes escaped html string in billing status

23da9e5

remove unnecessary string cast

8c3d1de

Merge branch 'master' into THREESCALE-12200_clean_up_helpers_0

e440c44

Remove unused npm packages

17daea7

✅ fixes tests

308938e

Merge branch 'THREESCALE-12200_clean_up_helpers_0' of github.com:3sca…

53c969c

…le/porta into THREESCALE-12200_clean_up_helpers_0

restores redundant change

5ead1d6

jlledom force-pushed the THREESCALE-12174-remove-pass-migration branch from 0581d50 to 084bfd5 Compare February 2, 2026 10:14

mayorova and others added 3 commits February 2, 2026 12:33

Merge pull request 3scale#4211 from 3scale/remove-unused-npm-deps

8cdd422

THREESCALE-12239: Remove unused npm packages

Merge pull request 3scale#4203 from 3scale/THREESCALE-12200_clean_up_…

ea47df1

…helpers_0 🧹 Clean up helpers part 0

⚰️ remove a bunch of dead code

bacbab7

jlledom force-pushed the THREESCALE-12174-remove-pass-migration branch from 525653e to b6fde4e Compare February 2, 2026 12:48

jlledom and others added 9 commits February 2, 2026 14:40

Merge pull request 3scale#4194 from jlledom/THREESCALE-12174-remove-p…

6950238

…ass-migration THREESCALE-12174: Remove old password migration

Add ApiDoc base path validation error on 'body'

dce3a14

This is to ensure that the error is visible on the UI form

Swagger Spec accepts server URL with variables

3cfbce8

Fix some small style issues

c543ff3

Add a test for invalid URL

f68ddf0

Merge pull request 3scale#4208 from 3scale/remove_dead_code

5d36a33

⚰️ Remove dead code related to plans widgets

Merge pull request 3scale#4204 from 3scale/active-doc-server-url-vali…

20ea169

…dation THREESCALE-11219: Fix ActiveDoc issues with server URLs with variables

🚨 fixes naming convention

62c49c1

♻️ refactor fields definition helper into decorator

5b63bbd

jlledom and others added 27 commits March 4, 2026 14:25

Fix tests

25172a6

Co-Authored-By: Claude <noreply@anthropic.com>

Remove the max password size requirement.

3b4b3f3

Set min pass size to 15

c6d4718

Fix tests after updating password requirements

6c71cce

Move password error message to I18N

343b521

generate_lost_password_token: Run callbacks

3ddc0fd

- But skip validation

Remove role param from buyer user controller

83ae6f6

Use will_save_change_to_password_digest?

0295a69

Enable strong passwords in tests by default

2a07849

Let tests fail to get the complete list of outdated tests

First attempt to fix all tests...

b7f8945

Fix more tests...

d4b27b3

Third attempt to fix tests...

d218783

Fix failing cuke

808ac73

Don't enforce ASCII characters in passwords

56ede16

Normalize passwords before validating

3945957

Remove dead method

8d3cbf0

Fix tests

4885b46

Add comment

bad6f9f

Additional tests about Unicode normalization

c8f9e86

Fix flaky cuke

887ae28

Refactor validate_password?

53ae061

Add EOF

2ac5e1a

No need to skip validation

a4e1fb1

* For unmigrated users to recover a password

Raise FIXME on Rails 8.1

1dca334

Make min password size configurable

bfdf095

Rename using_password? to already_using_password?

b678465

Except on the User drop for liquid templates

Revert "Make min password size configurable"

bc746e2

This reverts commit 746bec2.

jlledom force-pushed the THREESCALE-8916-admin-strong-paswords branch from 1138886 to bc746e2 Compare March 4, 2026 13:29

jlledom added 2 commits March 4, 2026 17:58

Remove empty file after merging conflicts

32e9935

Remove outdated comment

8dceb4b

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

THREESCALE-8916: Make strong passwords mandatory#3

THREESCALE-8916: Make strong passwords mandatory#3
jlledom wants to merge 105 commits intoTHREESCALE-12174-remove-pass-migrationfrom
THREESCALE-8916-admin-strong-paswords

jlledom commented Jan 9, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

Conversation

jlledom commented Jan 9, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants