[CLOSED] Deeper Control of Standard Anvil Login Functions

Yesterday I noticed that when a user uses the standard Anvil password reset email, they are able to set their password to any strength and complexity, including nothing at all. Of course, I realize that if I use a custom sign up flow I can enforce whatever rules I’d like for these kinds of things, but I’m trying to utilize the tools that Anvil gives me as much as I can.

That said, are there features on the road map to allow developers to set basic rules about password hygiene for their apps? For example, just a few basic settings in the Users Service to declare minimum password length and required character types (one uppercase, two numbers, one symbol, and so on).

Are there features on the road map to allow developers to set basic rules about password hygiene for their apps?

Yes there are! We’re about to roll out a password hygiene feature that ensures that passwords for the Users service have a minimum length and haven’t been included in a public breach (via the excellent “Have I Been Pwned?” service, which allows you to check the password against their database without revealing the password itself - it’s called k-anonymity, and it’s very clever :slight_smile: ).

3 Likes

I love the use of the Have I Been Pwned service! That’ll be an excellent addition to minimum length restrictions.

Is this available as a function call so it can be used with the Custom Sign-up flow?

The anvil.users.signup_with_email function performs the Have I Been Pwned check. Can you adapt your app to use that or do you need more control over precisely how the hashing and verification is done?

The Custom Sign-Up Flow uses a completely custom sign up function (_do_signup). We don’t currently have a function to only perform the Have I Been Pwned check.

You can implement it by directly making an HTTP request to the Have I Been Pwned API. You make a GET request to an API endpoint with the first 5 characters of the SHA-1 of the password:

GET https://api.pwnedpasswords.com/range/{first 5 hash chars}

The response will be a list of compromised password SHA-1s that begin with those 5 characters - although it only gives you the end of the SHA-1. If your password matches any of these, it has been compromised.

So it’s a three step process:

  • Calculate the SHA-1 of the password
  • Make the GET request
  • Check the SHA-1 against the list of responses

1 Like
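The three steps in the reply above, written out as an added Python example (not Anvil's own code and not part of the original thread). It splits the SHA-1 into the 5-character prefix that goes to the API and the 35-character suffix that stays on the server, parses the `SUFFIX:COUNT` lines the range endpoint returns, and combines the breach check with the minimum-length rule the thread discusses. The `fetch` parameter is injectable so the demo runs offline against a constructed response; the live fetcher, the `Add-Padding` request header, and the sample counts are assumptions for this example.

```python
import hashlib
import urllib.request

# Endpoint named in the thread: GET .../range/{first 5 chars of the SHA-1}
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase hex SHA-1 of the password into the 5-char prefix
    sent to the API and the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (CRLF separated) into suffix -> count."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.strip().upper()] = int(count.strip() or 0)
    return counts


def fetch_range_live(prefix: str) -> str:
    """Real network fetch of one hash range (assumed request shape; the
    Add-Padding header asks the service to pad the response so its size
    does not leak how many real suffixes the range holds)."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"User-Agent": "password-hygiene-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def password_breach_count(password: str, fetch=fetch_range_live) -> int:
    """Return how many times the password appears in the breach corpus
    (0 when its suffix is absent from the range, or present only as a
    zero-count padding entry)."""
    prefix, suffix = sha1_prefix_suffix(password)
    counts = parse_range_response(fetch(prefix))
    return counts.get(suffix, 0)


def check_password_policy(password: str, min_length: int = 8,
                          fetch=fetch_range_live) -> list[str]:
    """Minimum length plus breach check; returns a list of reasons the
    password is rejected (empty list means it passes)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    seen = password_breach_count(password, fetch)
    if seen > 0:
        problems.append(f"seen in {seen} breaches")
    return problems


# Constructed sample response shaped like the real API output. The SHA-1 of
# "password" really is 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so its prefix
# is 5BAA6 and its suffix 1E4C9B93F3F0682250B6CF8331B7EE68FD8; the counts and
# the two neighbouring suffixes are made up for this example.
FAKE_RESPONSES = {
    "5BAA6": (
        "1D2DA4053E34E76F6576ED1DA63134B5E2A:2\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:123456\r\n"
        "1F9E6A4DD1A4F0B3E09B9C9D8E0AA0F3C21:0\r\n"
    ),
}


def fetch_range_fake(prefix: str) -> str:
    """Offline stand-in for fetch_range_live using the constructed data."""
    return FAKE_RESPONSES.get(prefix, "")


if __name__ == "__main__":
    for candidate in ["pw", "password", "correct horse battery staple"]:
        print(repr(candidate), "->",
              check_password_policy(candidate, fetch=fetch_range_fake) or "ok")
```

In a custom sign-up flow the `_do_signup` function would call `check_password_policy(password)` with the live fetcher before creating the user; only the 5-character prefix is ever sent over the network, which is the k-anonymity property the reply refers to.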

I’m once again working on the users portion of my apps. I’ve had a chance to try out the “Have I Been Pwned” service for creating new users and I think it’s great! :slight_smile:

However, I was still able to reset a password to a single-character pwnd password using the anvil.users.send_password_reset_email() email though. The app that sends the email does have the “Require Secure Passwords” option selected. Is there something I’ve missed, or is “Have I Been Pwned” yet to be integrated with the password reset email?

1 Like

Oops - that’s a bug! Ticket raised; we’ll get that fixed :slight_smile:

1 Like

I’ve been thinking that rather than a bug, it may have been me (most of my bugs usually are :wink: ). I just realized that I didn’t republish the app before testing the feature, so the reset password link would be directing me to an older version of the app that did not have the feature enabled. Does this sound correct to you?

Aha, yes - that would do it! Not a bug after all :slight_smile:

Yup, that’s exactly what happened, so no worries for you guys. Everything’s working great now!