Open yann-yinn opened 3 years ago
@yann-yinn After this commit https://github.com/yann-yinn/adonis-starter/commit/efb697e086a7c46ceb4ef23f4029abb7e0b683dc I think it isn't useful anymore. What do you think?
@Yoann-TYT Hello 👋 This commit is a refactoring commit, so I'm not sure how this is related?
@yann-yinn That's true :D https://github.com/yann-yinn/adonis-starter/blob/5ef15a51b76ac3af5371b1439a5b6c4932b54534/app/Validators/UserValidators.ts#L13 Password rules are now very restrictive, so it isn't possible anymore to have an email as password ;)
Oh yes. Actually you can still copy paste your email and just add what is required by rules, like so.
example@example.comA1!
But maybe it's good enough for now
Indeed, the password can contain the email :) I didn't think about that
Yep, and even with these rules, `P@ssword123` is considered strong, so the rules are pretty annoying for users without preventing some very bad passwords, but that's okay for now. I'm thinking about how to improve this for the next iteration, if people actually use this project.
edit: for the record I got interesting answers about this topic here: https://twitter.com/yann_yinn/status/1444259738523406337
Yep, this is always the same problem :-/ A security awareness problem. Maybe an ad to use BitWarden or LastPass? :D (It's a joke!)
Today it is possible to create an account where id and password are the same value. This should not be possible.
See CreateUserValidator and AdminCreateUserValidator for form validation.
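
The two gaps raised in this thread (a password that only contains the email, and `P@ssword123` passing composition rules) can be checked directly. This is an added example, not code from the issue or from the project's validators; `checkPassword`, `PasswordIssue` and the tiny `COMMON_BASE_WORDS` list are hypothetical names with constructed sample values.

```typescript
// Added example: plain TypeScript, independent of the project's validator classes.
// COMMON_BASE_WORDS is a small constructed sample, not a real breached-password list.
const COMMON_BASE_WORDS: string[] = ["password", "qwerty", "letmein", "welcome", "admin"];

// Undo common character substitutions so "P@ssw0rd" is compared as "password".
const LEET: Record<string, string> = {
  "@": "a", "4": "a", "0": "o", "1": "l", "3": "e", "$": "s", "5": "s", "!": "i",
};

function normalize(value: string): string {
  return value
    .toLowerCase()
    .split("")
    .map((ch) => LEET[ch] ?? ch)
    .join("");
}

type PasswordIssue = "contains-email" | "contains-email-local-part" | "common-password";

// Returns the reasons a password should be rejected; an empty array means no issue found.
function checkPassword(email: string, password: string): PasswordIssue[] {
  const issues: PasswordIssue[] = [];
  const pw = password.toLowerCase();
  const mail = email.trim().toLowerCase();
  const localPart = mail.split("@")[0] ?? "";

  // Substring match, not equality: "example@example.comA1!" must fail too.
  if (mail.length > 0 && pw.indexOf(mail) !== -1) {
    issues.push("contains-email");
  } else if (localPart.length >= 4 && pw.indexOf(localPart) !== -1) {
    // Short local parts (under 4 chars) are skipped to avoid accidental matches.
    issues.push("contains-email-local-part");
  }

  // Deliberately conservative: any password built around a common word is
  // flagged, whatever digits or symbols are wrapped around it.
  const flattened = normalize(password);
  if (COMMON_BASE_WORDS.some((word) => flattened.indexOf(word) !== -1)) {
    issues.push("common-password");
  }
  return issues;
}
```

In a real form validator the word list would come from a maintained common-password source, and the same check would have to run in both the user-facing and the admin creation paths.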