Force a configurable minimum password length. (#353)

Sets the minimum length of passwords, by default, to 8 characters and allows administrators to set the minimum length via a setting in the Backend.

Credit to @obuchmann. Fixes #373.

Author: obuchmann

README.md

@@ -145,6 +145,10 @@ By default the User plugin will use the email address as the login name. To swit
 
 We can add any other additional fields here too, such as `phone`, `company`, etc.
 
+## Password length requirements
+
+By default, the User plugin requires a minimum password length of 8 characters for all users when registering or changing their password. You can change this length requirement by going to backend and navigating to System > Users > User Settings. Inside the Registration tab, a **Minimum password length** field is provided, allowing you to increase or decrease this limit to your preferred length.
+
 ## Error handling
 
 ### Flash messages

components/ResetPassword.php

@@ -101,7 +101,7 @@ public function onResetPassword()
     {
         $rules = [
             'code'     => 'required',
-            'password' => 'required|between:4,255'
+            'password' => 'required|between:' . UserModel::getMinPasswordLength() . ',255'
         ];
 
         $validation = Validator::make(post(), $rules);

lang/de/lang.php

@@ -98,6 +98,8 @@
     'notifications_tab' => 'Benachrichtigungen',
     'allow_registration' => 'Benutzerregistrierung erlauben',
     'allow_registration_comment' => 'Falls dies deaktivert ist, können Benutzer nur von Administratoren erstellt werden.',
+    'min_password_length' => 'Minimale Passwortlänge',
+    'min_password_length_comment' => 'Die minimale Passwortlänge für Benutzerpasswörter.',
     'activate_mode' => 'Aktivierungsmodus',
     'activate_mode_comment' => 'Wählen Sie aus, wie ein Benutzer aktiviert werden soll.',
     'activate_mode_auto' => 'Automatisch',

lang/en/lang.php

@@ -74,6 +74,8 @@
         'notifications_tab' => 'Notifications',
         'allow_registration' => 'Allow user registration',
         'allow_registration_comment' => 'If this is disabled users can only be created by administrators.',
+        'min_password_length' => 'Minimum password length',
+        'min_password_length_comment' => 'The minimum length of characters required for user passwords.',
         'activate_mode' => 'Activation mode',
         'activate_mode_comment' => 'Select how a user account should be activated.',
         'activate_mode_auto' => 'Automatic',

models/Settings.php

@@ -1,8 +1,6 @@
 <?php namespace RainLab\User\Models;
 
-use Lang;
 use Model;
-use RainLab\User\Models\User as UserModel;
 
 class Settings extends Model
 {
@@ -16,13 +14,16 @@ class Settings extends Model
     public $settingsCode = 'user_settings';
     public $settingsFields = 'fields.yaml';
 
+
     const ACTIVATE_AUTO = 'auto';
     const ACTIVATE_USER = 'user';
     const ACTIVATE_ADMIN = 'admin';
 
     const LOGIN_EMAIL = 'email';
     const LOGIN_USERNAME = 'username';
 
+    const MIN_PASSWORD_LENGTH_DEFAULT = 8;
+
     public function initSettingsData()
     {
         $this->require_activation = true;
@@ -31,6 +32,7 @@ public function initSettingsData()
         $this->block_persistence = false;
         $this->allow_registration = true;
         $this->login_attribute = self::LOGIN_EMAIL;
+        $this->min_password_length = self::MIN_PASSWORD_LENGTH_DEFAULT;
     }
 
     public function getActivateModeOptions()

models/User.php

@@ -24,8 +24,8 @@ class User extends UserBase
         'email'    => 'required|between:6,255|email|unique:users',
         'avatar'   => 'nullable|image|max:4000',
         'username' => 'required|between:2,255|unique:users',
-        'password' => 'required:create|between:4,255|confirmed',
-        'password_confirmation' => 'required_with:password|between:4,255',
+        'password' => 'required:create|between:' . UserSettings::MIN_PASSWORD_LENGTH_DEFAULT . ',255|confirmed',
+        'password_confirmation' => 'required_with:password|between:' . UserSettings::MIN_PASSWORD_LENGTH_DEFAULT . ',255',
     ];
 
     /**
@@ -183,6 +183,15 @@ public function getLoginName()
         return static::$loginAttribute = UserSettings::get('login_attribute', UserSettings::LOGIN_EMAIL);
     }
 
+    /**
+     * Returns the minimum length for a new password from settings.
+     * @return int
+     */
+    public static function getMinPasswordLength()
+    {
+        return (int) UserSettings::get('min_password_length', UserSettings::MIN_PASSWORD_LENGTH_DEFAULT);
+    }
+
     //
     // Scopes
     //
@@ -225,6 +234,14 @@ public function beforeValidate()
         ) {
             $this->username = $this->email;
         }
+
+
+        /*
+         * Apply Password Length Settings
+         */
+        $minPasswordLength = static::getMinPasswordLength();
+        $this->rules['password'] = "required:create|between:$minPasswordLength,255|confirmed";
+        $this->rules['password_confirmation'] = "required_with:password|between:$minPasswordLength,255";
     }
 
     /**
@@ -418,6 +435,6 @@ protected function sendInvitation()
      */
     protected function generatePassword()
     {
-        $this->password = $this->password_confirmation = Str::random(6);
+        $this->password = $this->password_confirmation = Str::random(static::getMinPasswordLength());
     }
 }

models/settings/fields.yaml

@@ -36,6 +36,15 @@ tabs:
             type: switch
             tab: rainlab.user::lang.settings.registration_tab
 
+        # Minimum password length
+        min_password_length:
+            span: left
+            commentAbove: rainlab.user::lang.settings.min_password_length_comment
+            label: rainlab.user::lang.settings.min_password_length
+            type: number
+            tab: rainlab.user::lang.settings.registration_tab
+            min: 1
+
         # Require Activation
         require_activation:
             span: left