Added password policy support under the Edit User section (#1510)

Nayana-R-Gowda · NAYANAR0502 · crivetimihai · web-flow · commit e5f8f513382b · 2025-11-27T15:35:51.000Z
* Added password policy support under the Edit User section Signed-off-by: NAYANAR <nayana.r5@ibm.com> * fix: sync password policy validation with backend config settings - Update validate_password_strength to use configurable settings from config.py (password_min_length, password_require_*, etc.) instead of hardcoding requirements - Expand special character set to match EmailAuthService (!@#$%^&*(),.?":{}|<>) instead of limited set (@#$%&*) - Add missing digit/number requirement check - Fix admin_update_user to strip password consistently (was validating stripped password but passing unstripped to service) - Update JavaScript validation to inject settings from backend, conditionally show only enabled requirements in UI - Add numbers requirement to UI when enabled Closes #1510 Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: NAYANAR <nayana.r5@ibm.com> Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Co-authored-by: NAYANAR <nayana.r5@ibm.com> Co-authored-by: Mihai Criveti <crivetimihai@gmail.com>
diff --git a/mcpgateway/admin.py b/mcpgateway/admin.py
@@ -525,6 +525,43 @@ def serialize_datetime(obj):
     return obj
 
 
+def validate_password_strength(password: str) -> tuple[bool, str]:
+    """Validate password meets strength requirements.
+
+    Uses configurable settings from config.py for password policy.
+
+    Args:
+        password: Password to validate
+
+    Returns:
+        tuple: (is_valid, error_message)
+    """
+    min_length = getattr(settings, "password_min_length", 8)
+    require_uppercase = getattr(settings, "password_require_uppercase", False)
+    require_lowercase = getattr(settings, "password_require_lowercase", False)
+    require_numbers = getattr(settings, "password_require_numbers", False)
+    require_special = getattr(settings, "password_require_special", False)
+
+    if len(password) < min_length:
+        return False, f"Password must be at least {min_length} characters long"
+
+    if require_uppercase and not any(c.isupper() for c in password):
+        return False, "Password must contain at least one uppercase letter (A-Z)"
+
+    if require_lowercase and not any(c.islower() for c in password):
+        return False, "Password must contain at least one lowercase letter (a-z)"
+
+    if require_numbers and not any(c.isdigit() for c in password):
+        return False, "Password must contain at least one number (0-9)"
+
+    # Match the special character set used in EmailAuthService
+    special_chars = '!@#$%^&*(),.?":{}|<>'
+    if require_special and not any(c in special_chars for c in password):
+        return False, f"Password must contain at least one special character ({special_chars})"
+
+    return True, ""
+
+
 admin_router = APIRouter(prefix="/admin", tags=["Admin UI"])
 
 ####################
@@ -4734,17 +4771,24 @@ async def admin_create_user(
 
         form = await request.form()
 
+        # Validate password strength
+        password = str(form.get("password", ""))
+        if password:
+            is_valid, error_msg = validate_password_strength(password)
+            if not is_valid:
+                return HTMLResponse(content=f'<div class="text-red-500">Password validation failed: {error_msg}</div>', status_code=400)
+
         # First-Party
 
         auth_service = EmailAuthService(db)
 
         # Create new user
         new_user = await auth_service.create_user(
-            email=str(form.get("email", "")), password=str(form.get("password", "")), full_name=str(form.get("full_name", "")), is_admin=form.get("is_admin") == "on", auth_provider="local"
+            email=str(form.get("email", "")), password=password, full_name=str(form.get("full_name", "")), is_admin=form.get("is_admin") == "on", auth_provider="local"
         )
 
         # If the user was created with the default password, force password change
-        if str(form.get("password", "")) == settings.default_user_password.get_secret_value():  # nosec B105
+        if password == settings.default_user_password.get_secret_value():  # nosec B105
             new_user.password_change_required = True
             db.commit()
 
@@ -4847,7 +4891,7 @@ async def admin_get_user_edit(
                     <label class="block text-sm font-medium text-gray-700 dark:text-gray-300">New Password (leave empty to keep current)</label>
                     <input type="password" name="password" id="password-field"
                            class="mt-1 px-1.5 block w-full px-3 py-2 border border-gray-300 dark:border-gray-600 rounded-md shadow-sm focus:outline-none focus:ring-indigo-500 focus:border-indigo-500 dark:bg-gray-700 text-gray-900 dark:text-white"
-                           oninput="validatePasswordMatch()">
+                           oninput="validatePasswordRequirements(); validatePasswordMatch();">
                 </div>
                 <div>
                     <label class="block text-sm font-medium text-gray-700 dark:text-gray-300">Confirm New Password</label>
@@ -4856,6 +4900,109 @@ async def admin_get_user_edit(
                            oninput="validatePasswordMatch()">
                     <div id="password-match-message" class="mt-1 text-sm text-red-600 hidden">Passwords do not match</div>
                 </div>
+                <!-- Password Requirements -->
+                <div class="bg-blue-50 dark:bg-blue-900 border border-blue-200 dark:border-blue-700 rounded-md p-4">
+                    <div class="flex items-start">
+                        <svg class="h-5 w-5 text-blue-600 dark:text-blue-400 flex-shrink-0 mt-0.5" viewBox="0 0 20 20" fill="currentColor">
+                            <path fill-rule="evenodd" d="M18 10a8 8 0 11-16 0 8 8 0 0116 0zm-7-4a1 1 0 11-2 0 1 1 0 012 0zM9 9a1 1 0 000 2v3a1 1 0 001 1h1a1 1 0 100-2v-3a1 1 0 00-1-1H9z" clip-rule="evenodd"/>
+                        </svg>
+                        <div class="ml-3 flex-1">
+                            <h3 class="text-sm font-semibold text-blue-900 dark:text-blue-200">Password Requirements</h3>
+                            <div class="mt-2 text-sm text-blue-800 dark:text-blue-300 space-y-1">
+                                <div class="flex items-center" id="req-length">
+                                    <span class="inline-flex items-center justify-center w-4 h-4 bg-gray-400 text-white rounded-full text-xs mr-2">✗</span>
+                                    <span>At least {settings.password_min_length} characters long</span>
+                                </div>
+                                {'<div class="flex items-center" id="req-uppercase"><span class="inline-flex items-center justify-center w-4 h-4 bg-gray-400 text-white rounded-full text-xs mr-2">✗</span><span>Contains uppercase letters (A-Z)</span></div>' if settings.password_require_uppercase else ''}
+                                {'<div class="flex items-center" id="req-lowercase"><span class="inline-flex items-center justify-center w-4 h-4 bg-gray-400 text-white rounded-full text-xs mr-2">✗</span><span>Contains lowercase letters (a-z)</span></div>' if settings.password_require_lowercase else ''}
+                                {'<div class="flex items-center" id="req-numbers"><span class="inline-flex items-center justify-center w-4 h-4 bg-gray-400 text-white rounded-full text-xs mr-2">✗</span><span>Contains numbers (0-9)</span></div>' if settings.password_require_numbers else ''}
+                                {'<div class="flex items-center" id="req-special"><span class="inline-flex items-center justify-center w-4 h-4 bg-gray-400 text-white rounded-full text-xs mr-2">✗</span><span>Contains special characters (!@#$%^&amp;*(),.?&quot;:{{}}|&lt;&gt;)</span></div>' if settings.password_require_special else ''}
+                            </div>
+                        </div>
+                    </div>
+                </div>
+
+                <script>
+                // Password policy settings injected from backend
+                const passwordPolicy = {{
+                    minLength: {settings.password_min_length},
+                    requireUppercase: {'true' if settings.password_require_uppercase else 'false'},
+                    requireLowercase: {'true' if settings.password_require_lowercase else 'false'},
+                    requireNumbers: {'true' if settings.password_require_numbers else 'false'},
+                    requireSpecial: {'true' if settings.password_require_special else 'false'}
+                }};
+
+                function updateRequirementIcon(elementId, isValid) {{
+                    const req = document.getElementById(elementId);
+                    if (req) {{
+                        const icon = req.querySelector('span');
+                        if (isValid) {{
+                            icon.className = 'inline-flex items-center justify-center w-4 h-4 bg-green-500 text-white rounded-full text-xs mr-2';
+                            icon.textContent = '✓';
+                        }} else {{
+                            icon.className = 'inline-flex items-center justify-center w-4 h-4 bg-gray-400 text-white rounded-full text-xs mr-2';
+                            icon.textContent = '✗';
+                        }}
+                    }}
+                }}
+
+                function validatePasswordRequirements() {{
+                    const password = document.getElementById('password-field')?.value || '';
+
+                    // Check length requirement (always required)
+                    const lengthCheck = password.length >= passwordPolicy.minLength;
+                    updateRequirementIcon('req-length', lengthCheck);
+
+                    // Check uppercase requirement (if enabled)
+                    const uppercaseCheck = !passwordPolicy.requireUppercase || /[A-Z]/.test(password);
+                    updateRequirementIcon('req-uppercase', /[A-Z]/.test(password));
+
+                    // Check lowercase requirement (if enabled)
+                    const lowercaseCheck = !passwordPolicy.requireLowercase || /[a-z]/.test(password);
+                    updateRequirementIcon('req-lowercase', /[a-z]/.test(password));
+
+                    // Check numbers requirement (if enabled)
+                    const numbersCheck = !passwordPolicy.requireNumbers || /[0-9]/.test(password);
+                    updateRequirementIcon('req-numbers', /[0-9]/.test(password));
+
+                    // Check special character requirement (if enabled) - matches backend set
+                    const specialCheck = !passwordPolicy.requireSpecial || /[!@#$%^&*(),.?":{{}}|<>]/.test(password);
+                    updateRequirementIcon('req-special', /[!@#$%^&*(),.?":{{}}|<>]/.test(password));
+
+                    // Enable/disable submit button based on active requirements
+                    const submitButton = document.querySelector('#user-edit-modal-content button[type="submit"]');
+                    const allRequirementsMet = lengthCheck && uppercaseCheck && lowercaseCheck && numbersCheck && specialCheck;
+                    const passwordEmpty = password.length === 0;
+
+                    if (submitButton) {{
+                        // Allow submission if password is empty (keep current) or if all requirements are met
+                        if (passwordEmpty || allRequirementsMet) {{
+                            submitButton.disabled = false;
+                            submitButton.className = 'px-4 py-2 text-sm font-medium text-white bg-blue-600 border border-transparent rounded-md hover:bg-blue-700 focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-blue-500';
+                        }} else {{
+                            submitButton.disabled = true;
+                            submitButton.className = 'px-4 py-2 text-sm font-medium text-white bg-gray-400 border border-transparent rounded-md cursor-not-allowed';
+                        }}
+                    }}
+                }}
+
+                function validatePasswordMatch() {{
+                    const password = document.getElementById('password-field')?.value || '';
+                    const confirmPassword = document.getElementById('confirm-password-field')?.value || '';
+                    const matchMessage = document.getElementById('password-match-message');
+
+                    if (password && confirmPassword && password !== confirmPassword) {{
+                        matchMessage?.classList.remove('hidden');
+                    }} else {{
+                        matchMessage?.classList.add('hidden');
+                    }}
+                }}
+
+                // Initialize validation on page load
+                document.addEventListener('DOMContentLoaded', function() {{
+                    validatePasswordRequirements();
+                }});
+                </script>
                 <div class="flex justify-end space-x-3">
                     <button type="button" onclick="hideUserEditModal()"
                             class="px-4 py-2 text-sm font-medium text-gray-700 dark:text-gray-300 bg-white dark:bg-gray-800 border border-gray-300 dark:border-gray-600 rounded-md hover:bg-gray-50 dark:hover:bg-gray-700">
@@ -4927,8 +5074,15 @@ async def admin_update_user(
         fn_val = form.get("full_name")
         pw_val = form.get("password")
         full_name = fn_val if isinstance(fn_val, str) else None
-        password = pw_val if isinstance(pw_val, str) else None
-        await auth_service.update_user(email=decoded_email, full_name=full_name, is_admin=is_admin, password=password if password else None)
+        password = pw_val.strip() if isinstance(pw_val, str) and pw_val.strip() else None
+
+        # Validate password if provided
+        if password:
+            is_valid, error_msg = validate_password_strength(password)
+            if not is_valid:
+                return HTMLResponse(content=f'<div class="text-red-500">Password validation failed: {error_msg}</div>', status_code=400)
+
+        await auth_service.update_user(email=decoded_email, full_name=full_name, is_admin=is_admin, password=password)
 
         # Return success message with auto-close and refresh
         success_html = """
