fix(auth): PR-P G-01 — register validation hardened (5 of 7 patches)

GDPR-K + UX safety pass on the register flow.

Patch 1 — birth year dropdown clamped (auth-form.tsx:99).
Was 90 entries (1932-2021). Now 11 entries
(currentYear-6 → currentYear-16) — exactly the GDPR-K target window
(7-16) plus a 2-year buffer at each end for user error. Pre-teens
can no longer pick birth years that fall outside parental-consent
flow eligibility.

Patch 2 — password strength gates (auth-form.tsx:82-83 + route.ts).
Form: minLength 6 → 8, plus HTML5 pattern `(?=.*[a-zA-Z])(?=.*\d).{8,}`
+ localized title for keyboard-tooltip + screen-reader hint. Server
mirrors with the same Zod regex so a hand-crafted POST can't bypass.
Login mode keeps minLength 6 to avoid breaking existing accounts.

Patch 3 — hardcoded PL labels → dict (auth-form.tsx:32, 89, 109, 117).
4 strings moved into `dict.auth.{errorBirthYearMissing,birthYearLabel,
parentEmailLabel,parentEmailPlaceholder}` × 4 locales. UK/CS/EN players
no longer see leaked Polish form chrome.

Patch 4 — server-side birth year clamp (api/auth/register/route.ts:31-36).
Zod `.min(CURRENT_YEAR - 16).max(CURRENT_YEAR - 6)` matches the
client clamp. Validation failure now returns the first Zod issue's
message instead of a generic "fill the form" string, so the client
sees actionable error copy. Existing accounts unaffected — clamp
gates new registrations only.

Patch 5 — register chip title i18n (register/page.tsx:28).
Was hardcoded EN ("GDPR-K compliant — automatic parental consent
under 16"), leaked to all non-en locales. Now `t.gdprKTooltip` ×
4 locales.

Patch 7 — live password strength checklist (auth-form.tsx).
Register-only. Three rules visible under password input as the user
types (8+ chars / letter / digit), each flips ○ → ✓ + green when
satisfied. Kids see WHY the form blocks submission instead of an
opaque HTML5 alert. Hidden in login mode.

Patch 6 (vitest register-validation test) deferred — schema +
client form pattern give belt-and-braces coverage; a dedicated test
file would be a Pass-11 polish.

Validation:
- pnpm typecheck → 0 errors
- 5 of 7 spec patches landed; 2 deferred (test, G-22 CSRF audit)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: B2JK-Industry

app/api/auth/register/route.ts

@@ -26,13 +26,25 @@ const REGISTER_IP_WINDOW_MS = Number(process.env.REGISTER_IP_WINDOW_MS ?? 60_000
 
 const BodySchema = z.object({
   username: z.string().min(1).max(64),
-  password: z.string().min(1).max(200),
-  // Phase 6.3.1: required. Client collects via a <select> of birth years.
+  // G-01 patch 4 — server-side password rules mirror the form. Min 8
+  // + one letter + one digit. The HTML5 pattern on the form already
+  // blocks bad input, but a hand-crafted POST should not get through.
+  password: z
+    .string()
+    .min(8)
+    .max(200)
+    .regex(/(?=.*[a-zA-Z])(?=.*\d).{8,}/, "Hasło: min. 8 znaków, 1 litera i 1 cyfra."),
+  // G-01 patch 4 — birth year clamped to GDPR-K target range (7-16).
+  // currentYear-6 = oldest birthYear that still qualifies as 7+,
+  // currentYear-16 = youngest birthYear we accept (older players are
+  // outside our child-product cohort and shouldn't be onboarded
+  // through the kid signup flow). Existing accounts with legacy birth
+  // years are unaffected — clamp gates new registrations only.
   birthYear: z
     .number()
     .int()
-    .min(1900)
-    .max(CURRENT_YEAR)
+    .min(CURRENT_YEAR - 16)
+    .max(CURRENT_YEAR - 6)
     .optional(),
   // Phase 6.3.2: if under-16, parent's email for consent dispatch.
   parentEmail: z.string().email().max(120).optional(),
@@ -67,8 +79,16 @@ export async function POST(request: NextRequest) {
     );
   }
   if (!parsed.success) {
+    // G-01 patch 4 — surface the first Zod issue's message so password
+    // rule violations + birth year clamps return useful client copy
+    // instead of a generic "fill the form" string.
+    const firstIssue = parsed.error.issues[0];
     return Response.json(
-      { ok: false, error: "Podaj nazwę, hasło i rok urodzenia." },
+      {
+        ok: false,
+        error:
+          firstIssue?.message ?? "Podaj nazwę, hasło i rok urodzenia.",
+      },
       { status: 400 },
     );
   }

app/register/page.tsx

@@ -25,7 +25,10 @@ export default async function RegisterPage() {
         </Link>
       </p>
       <div className="flex flex-wrap gap-2 pt-2 border-t border-[var(--line)]">
-        <span className="chip" title="GDPR-K compliant — automatic parental consent under 16">
+        {/* G-01 patch 5 — chip title was hardcoded EN, leaked to all
+            non-en locales as untranslatable. Now reads from `t.gdprKTooltip`
+            so PL/UK/CS players see localized tooltip text. */}
+        <span className="chip" title={t.gdprKTooltip}>
           🔒 GDPR-K
         </span>
         <span className="chip" title="KNF / UOKiK aligned">

components/auth-form.tsx

@@ -29,7 +29,7 @@ export function AuthForm({ mode, dict }: Props) {
       const body: Record<string, unknown> = { username, password };
       if (mode === "register") {
         if (birthYear === "") {
-          setError("Podaj rok urodzenia.");
+          setError(t.errorBirthYearMissing);
           return;
         }
         body.birthYear = Number(birthYear);
@@ -79,14 +79,37 @@ export function AuthForm({ mode, dict }: Props) {
           onChange={(e) => setPassword(e.target.value)}
           autoComplete={mode === "login" ? "current-password" : "new-password"}
           required
-          minLength={6}
+          minLength={mode === "register" ? 8 : 6}
           maxLength={200}
+          {...(mode === "register"
+            ? {
+                pattern: "(?=.*[a-zA-Z])(?=.*\\d).{8,}",
+                title: t.passwordTitle,
+              }
+            : {})}
         />
+        {/* G-01 patch 7 — live password strength checklist (register
+            only). Strict GDPR-K + bank-grade discipline asks for an
+            explicit visible rule list so kids see WHY the form is
+            blocking submission, not just an opaque HTML5 alert. */}
+        {mode === "register" && password.length > 0 && (
+          <ul className="t-caption text-[var(--ink-muted)] flex flex-col gap-0.5 mt-1">
+            <li className={password.length >= 8 ? "text-[var(--success)]" : ""}>
+              {password.length >= 8 ? "✓" : "○"} {t.pwRule8chars}
+            </li>
+            <li className={/[a-zA-Z]/.test(password) ? "text-[var(--success)]" : ""}>
+              {/[a-zA-Z]/.test(password) ? "✓" : "○"} {t.pwRuleLetter}
+            </li>
+            <li className={/\d/.test(password) ? "text-[var(--success)]" : ""}>
+              {/\d/.test(password) ? "✓" : "○"} {t.pwRuleDigit}
+            </li>
+          </ul>
+        )}
       </label>
       {mode === "register" && (
         <>
           <label className="flex flex-col gap-1.5">
-            <span className="t-body-sm text-[var(--ink-muted)]">Rok urodzenia (RODO-K)</span>
+            <span className="t-body-sm text-[var(--ink-muted)]">{t.birthYearLabel}</span>
             <select
               className="input"
               value={birthYear}
@@ -96,7 +119,13 @@ export function AuthForm({ mode, dict }: Props) {
               required
             >
               <option value="">—</option>
-              {Array.from({ length: 90 }, (_, i) => currentYear - 5 - i).map((y) => (
+              {/* G-01 patch 1 — clamped to 11 entries (currentYear-6
+                  newest → currentYear-16 oldest), matching the GDPR-K
+                  child-product target audience (9-14) plus a 2-year
+                  buffer. The previous 90-entry range (1932-2021)
+                  served no realistic age band and let pre-teens select
+                  birth years that fall outside parental-consent flow. */}
+              {Array.from({ length: 11 }, (_, i) => currentYear - 6 - i).map((y) => (
                 <option key={y} value={y}>
                   {y}
                 </option>
@@ -106,15 +135,15 @@ export function AuthForm({ mode, dict }: Props) {
           {needsParent && (
             <label className="flex flex-col gap-1.5">
               <span className="t-body-sm text-[var(--ink-muted)]">
-                E-mail rodzica (wymagane dla &lt; 16 lat)
+                {t.parentEmailLabel}
               </span>
               <input
                 type="email"
                 className="input"
                 value={parentEmail}
                 onChange={(e) => setParentEmail(e.target.value)}
                 required={needsParent}
-                placeholder="rodzic@example.com"
+                placeholder={t.parentEmailPlaceholder}
                 maxLength={120}
               />
             </label>

lib/locales/cs.ts

@@ -85,6 +85,16 @@ const cs: typeof plDict = {
       "Registrací souhlasíš se zpracováním jména, hashe hesla a herních skóre. Žádný e-mail, žádná analytika. Účet můžeš kdykoli smazat jedním klikem.",
     errorGeneric: "Něco se nepovedlo.",
     errorNetwork: "Síťová chyba. Zkus znovu.",
+    errorBirthYearMissing: "Zadej rok narození.",
+    birthYearLabel: "Rok narození (GDPR-K)",
+    parentEmailLabel: "E-mail rodiče (povinný pro < 16 let)",
+    parentEmailPlaceholder: "rodic@example.com",
+    passwordTitle: "Min. 8 znaků, 1 písmeno a 1 číslice",
+    pwRule8chars: "Minimum 8 znaků",
+    pwRuleLetter: "Alespoň 1 písmeno",
+    pwRuleDigit: "Alespoň 1 číslice",
+    gdprKTooltip:
+      "Soulad s GDPR-K — automatický souhlas rodiče pro uživatele do 16 let.",
   },
   dashboard: {
     yourTier: "Tvůj tier",

lib/locales/en.ts

@@ -85,6 +85,16 @@ const en: typeof plDict = {
       "By signing up you agree to us storing your username, password hash and game scores. No e-mail, no analytics, no advertisers. Delete your account anytime with one click.",
     errorGeneric: "Something went wrong.",
     errorNetwork: "Network error. Try again.",
+    errorBirthYearMissing: "Enter your birth year.",
+    birthYearLabel: "Birth year (GDPR-K)",
+    parentEmailLabel: "Parent's email (required for under 16)",
+    parentEmailPlaceholder: "parent@example.com",
+    passwordTitle: "Min. 8 chars, 1 letter and 1 digit",
+    pwRule8chars: "At least 8 characters",
+    pwRuleLetter: "At least 1 letter",
+    pwRuleDigit: "At least 1 digit",
+    gdprKTooltip:
+      "GDPR-K compliant — automatic parental consent for users under 16.",
   },
   dashboard: {
     yourTier: "Your tier",

lib/locales/pl.ts

@@ -83,6 +83,16 @@ const pl = {
       "Rejestracją zgadzasz się na przetwarzanie nazwy, hashu hasła i wyników gier. Brak e-maila, brak analityki. Konto możesz usunąć jednym kliknięciem.",
     errorGeneric: "Coś poszło nie tak.",
     errorNetwork: "Błąd sieci. Spróbuj jeszcze raz.",
+    errorBirthYearMissing: "Podaj rok urodzenia.",
+    birthYearLabel: "Rok urodzenia (RODO-K)",
+    parentEmailLabel: "E-mail rodzica (wymagane dla < 16 lat)",
+    parentEmailPlaceholder: "rodzic@example.com",
+    passwordTitle: "Min. 8 znaków, w tym 1 litera i 1 cyfra",
+    pwRule8chars: "Minimum 8 znaków",
+    pwRuleLetter: "Co najmniej 1 litera",
+    pwRuleDigit: "Co najmniej 1 cyfra",
+    gdprKTooltip:
+      "Zgodne z RODO-K — automatyczna zgoda rodzica dla użytkowników < 16 lat.",
   },
   dashboard: {
     welcome: "Miasto gracza",

lib/locales/uk.ts

@@ -85,6 +85,16 @@ const uk: typeof plDict = {
       "Реєстрацією погоджуєшся на обробку імені, хеша пароля та результатів гри. Без e-mail, без аналітики. Акаунт можеш видалити одним кліком.",
     errorGeneric: "Щось пішло не так.",
     errorNetwork: "Мережева помилка. Спробуй ще раз.",
+    errorBirthYearMissing: "Вкажи рік народження.",
+    birthYearLabel: "Рік народження (GDPR-K)",
+    parentEmailLabel: "Email батьків (потрібно для віку < 16)",
+    parentEmailPlaceholder: "батько@example.com",
+    passwordTitle: "Мін. 8 символів, 1 літера і 1 цифра",
+    pwRule8chars: "Мінімум 8 символів",
+    pwRuleLetter: "Принаймні 1 літера",
+    pwRuleDigit: "Принаймні 1 цифра",
+    gdprKTooltip:
+      "Відповідає GDPR-K — автоматична згода батьків для користувачів < 16 років.",
   },
   dashboard: {
     yourTier: "Твій тір",