merlinoa
commented
1 year ago I've had this request before, and the difficulty is that we would have to apply the same rules to the password reset page or the user would be able to change their password and the custom rules on registration would not apply. The password reset page is served from the API, not the shiny app. Some possible work arounds:
- move the password reset page to the shiny app and allow the user to customize it (but this would require the user to set their url for it to work; password reset would not work on localhost). This would also require a decent amount of customization by the polished user.
-
have some default password difficulty options added as editable options on each app on dashboard.polished.tech (e.g. length, complexity, special chars). We have to save the password difficulty settings in the db so that we could apply them to the password reset page.
I'm leaning towards option 2. Would that work in your case?
Another possible solution would be to avoid passwords altogether, and enable email link sign in, where, each time your sign in, all you enter is your email address (no passwords involved ever). Each time you enter your email to sign in, you get an email with a link that you click to sign in. I think I would rather set this up than either of the password difficulty work arounds. Would this pass your security audit?
muschellij2
@merlinoa Is it possible to enforce some password rules for password creation? We're doing a security audit and wanted to know if we can enforce a standard or see what the Polished standard is (e.g. length, complexity, special chars). @assanstreamline