fix: make sure password requirements are in sync with Auth0 (AAI-615) (#165)

marius-mather · web-flow · commit e2a3fa68a10b · 2026-01-16T09:58:52.000+11:00
* fix: update password special characters to match OWASP list

* test: update invalid special character in test

* refactor: use constants to make password length limits more explicit
diff --git a/schemas/biocommons.py b/schemas/biocommons.py
@@ -30,9 +30,17 @@
     from db import models
 
 # From Auth0 password settings
-ALLOWED_SPECIAL_CHARS = "!@#$%^&*"
+PASSWORD_MIN_LENGTH = 8
+# Auth0's max password length is 72, it "allows" more characters but silently ignores
+#   them beyond 72. We try to explicitly set a max of 72
+PASSWORD_MAX_LENGTH = 72
+# List of special characters from:
+# https://owasp.org/www-community/password-special-characters
+ALLOWED_SPECIAL_CHARS = r""" !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~"""
+# Define the regex for special characters explicitly (escaping some of them is tricky)
+SPECIAL_CHARS_PATTERN = r'[ !"#$%&\'()*+,\-./:;<=>?@[\\\]^_`{|}~]'
 VALID_PASSWORD_REGEX = re.compile(
-    f"^(?=.*?[A-Z])(?=.*?[a-z])(?=.*?[0-9])(?=.*?[{ALLOWED_SPECIAL_CHARS}]).{{8,}}$"
+    f"^(?=.*?[A-Z])(?=.*?[a-z])(?=.*?[0-9])(?=.*?{SPECIAL_CHARS_PATTERN}).{{8,}}$"
 )
 PASSWORD_FORMAT_MESSAGE = (
     "Password must contain at least one uppercase letter, one lowercase letter, one number, "
@@ -79,9 +87,11 @@ def _check(v: str) -> str:
     "max_length": "Username must be 128 characters or less.",
     "pattern": "Username must only contain lowercase letters, numbers, hyphens and underscores."
 })
-BiocommonsPassword = ValidatedString(min_length=8, max_length=72, pattern=VALID_PASSWORD_REGEX, messages={
-    "min_length": "Password must be at least 8 characters.",
-    "max_length": "Password must be 72 characters or less.",
+BiocommonsPassword = ValidatedString(min_length=PASSWORD_MIN_LENGTH,
+                                     max_length=PASSWORD_MAX_LENGTH,
+                                     pattern=VALID_PASSWORD_REGEX, messages={
+    "min_length": f"Password must be at least {PASSWORD_MIN_LENGTH} characters.",
+    "max_length": f"Password must be {PASSWORD_MAX_LENGTH} characters or less.",
     "pattern": PASSWORD_FORMAT_MESSAGE
 })
 BiocommonsFullName = ValidatedString(min_length=1, max_length=300,
diff --git a/tests/schemas/test_biocommons_schemas.py b/tests/schemas/test_biocommons_schemas.py
@@ -48,8 +48,8 @@ def test_valid_password(password: str):
     ("AbcdEfgh!", PASSWORD_FORMAT_MESSAGE),
     # Missing special character
     ("abCD1234", PASSWORD_FORMAT_MESSAGE),
-    # Invalid special characters
-    ("Password123.", PASSWORD_FORMAT_MESSAGE),
+    # Invalid special characters (not in OWASP list)
+    ("Password123🙂", PASSWORD_FORMAT_MESSAGE),
 ])
 def test_invalid_password(password: str, expected_error: str):
     """Test that invalid passwords raise appropriate validation errors."""
