Password Policy not checked with REST interface /user/register?_format=json

Created on 25 October 2018, over 5 years ago
Updated 7 April 2024, 3 months ago

Hi,
I configured the following policy:

character_types: Minimum password character types: 2
password_policy_character_constraint: Password must contain 1 special characters
password_policy_character_constraint: Password must contain 1 numeric characters
password_length: Password character length of at least 8
password_username: Password must not contain the user's username.

It works if I create the account through the registration web form.
However, I tested the REST API /user/register and found that the policy is not checked when the user is created via JSON.
--> I was able to create an account with a password that does not comply with the rules.

Here is an example of the request and response:

**** REQUEST ****
POST /user/register?_format=json HTTP/1.1
Host: localhost:8080
Content-Type: application/json
Cache-Control: no-cache
Postman-Token: 1ecde1a9-d5d6-ac09-4f3c-a22534e27874

{
	"name":{
		"value":"test"
	},
	"mail":{
		"value":"test@mail.com"
	},
	"pass":{
		"value":"test"
	}
}

**** RESPONSE ****

{"uid":[{"value":17}],"uuid":[{"value":"617edc4b-6680-40ef-ad9f-7240cba08705"}],"langcode":[{"value":"en"}],"name":[{"value":"test"}],"created":[{"value":"2018-10-25T11:28:31+00:00","format":"Y-m-d\\TH:i:sP"}],"changed":[{"value":"2018-10-25T11:28:31+00:00","format":"Y-m-d\\TH:i:sP"}],"default_langcode":[{"value":true}],"field_last_password_reset":[{"value":"2018-10-25T13:28:34"}],"field_password_expiration":[{"value":false}]}

🐛 Bug report

Status: Postponed: needs info
Version: 4.0
Component: Code
Created by: axel80 (🇮🇹 Italy)
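
Added example, not part of the original report and not the module's code: a standalone Python check that applies the five constraints listed in the report to the JSON body format of the /user/register request, so a regression test can state which rules a REST-submitted password breaks. The function names, the definition of the four character types, "special" meaning any non-alphanumeric character, and the case-insensitive username match are assumptions.

```python
import json

# Thresholds taken from the policy listed in the report.
MIN_CHARACTER_TYPES = 2
MIN_SPECIAL = 1
MIN_NUMERIC = 1
MIN_LENGTH = 8


def policy_violations(username, password):
    """Return (constraint_id, message) for every rule the password breaks."""
    lower = sum(c.islower() for c in password)
    upper = sum(c.isupper() for c in password)
    numeric = sum(c.isdigit() for c in password)
    # Assumption: "special" is any character that is not a letter or digit.
    special = sum(not c.isalnum() for c in password)
    # Assumption: the character types are lower, upper, numeric and special.
    types_used = sum(1 for n in (lower, upper, numeric, special) if n > 0)

    found = []
    if types_used < MIN_CHARACTER_TYPES:
        found.append(("character_types", "Minimum password character types: 2"))
    if special < MIN_SPECIAL:
        found.append(("password_policy_character_constraint",
                      "Password must contain 1 special characters"))
    if numeric < MIN_NUMERIC:
        found.append(("password_policy_character_constraint",
                      "Password must contain 1 numeric characters"))
    if len(password) < MIN_LENGTH:
        found.append(("password_length", "Password character length of at least 8"))
    # Assumption: the username comparison ignores case.
    if username and username.lower() in password.lower():
        found.append(("password_username",
                      "Password must not contain the user's username."))
    return found


def check_registration_body(raw_body):
    """Apply the policy to a /user/register JSON body ({"name":{"value":..},..})."""
    body = json.loads(raw_body)
    try:
        username, password = body["name"]["value"], body["pass"]["value"]
    except (KeyError, TypeError) as exc:
        raise ValueError("body lacks name.value or pass.value") from exc
    if not isinstance(username, str) or not isinstance(password, str):
        raise ValueError("name.value and pass.value must be strings")
    return policy_violations(username, password)


# The request body from the report, and a constructed compliant one.
REPORTED_BODY = '{"name":{"value":"test"},"mail":{"value":"test@mail.com"},"pass":{"value":"test"}}'
COMPLIANT_BODY = '{"name":{"value":"test"},"pass":{"value":"c0nstructed!Pw"}}'
```

A regression test for the endpoint can assert that any body for which `check_registration_body` returns a non-empty list is rejected rather than answered with a created user.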
