User password input validation doesn't specify all requirements

[Nysosis]

Which Umbraco version are you using? (Please write the exact version, example: 10.1.0)

11.3.1

Bug summary

When creating the first backend user, or updating that backend users password (I have not checked when inviting new users), with the following security settings:

  "Security": {
        "UserPassword": {
          "RequireNonLetterOrDigit": true,
          "RequireDigit": true,
          "RequireLowercase": true,
          "RequireUppercase": true
        }
      }

The digit, lowercase and uppercase do not show as requirements under the input itself:

Nor am I blocked from submitting the form with validation errors. However it does fail on the API call and the toast validation does specify the requirements are not met (below is the result of me entering a password of just !!!!!!!!!!):

Specifics

No response

Steps to reproduce

• Create a new empty Umbraco Instance
• Update the appsettings.json to specify the security settings listed above
• Run the site for the first time with initial install, and see the criteria do not appear on the first screen
• Create a valid account, and go to the users area and attempt to change your password
• See that the criteria do not apply there

Expected result / actual result

No response

[github-actions]

Hi there @Nysosis!

Firstly, a big thank you for raising this issue. Every piece of feedback we receive helps us to make Umbraco better.

We really appreciate your patience while we wait for our team to have a look at this but we wanted to let you know that we see this and share with you the plan for what comes next.

• We'll assess whether this issue relates to something that has already been fixed in a later version of the release that it has been raised for.
• If it's a bug, is it related to a release that we are actively supporting or is it related to a release that's in the end-of-life or security-only phase?
• We'll replicate the issue to ensure that the problem is as described.
• We'll decide whether the behavior is an issue or if the behavior is intended.

We wish we could work with everyone directly and assess your issue immediately but we're in the fortunate position of having lots of contributions to work with and only a few humans who are able to do it. We are making progress though and in the meantime, we will keep you in the loop and let you know when we have any questions.

Thanks, from your friendly Umbraco GitHub bot 🤖 🙂

[kjac]

Hi @Nysosis,

Thank you for reporting 👍 I can reproduce this - the change password dialog clearly does not take these extra config options into account.

I'll put this issue up for grabs, if you or anyone else would like to have a go at fixing it.

As a workaround you can replace the current text with your own using a custom user language file:

1. Create the directory /config/lang in your site root.
2. Create XML file(s) in the directory for the applicable language(s) where you want to override the text.
   • The files should be named [culture].user.xml - i.e. en-us.user.xml
   • For inspiration, you can find all the core language files here.
3. Restart the site.

For more in-depth docs on custom language files, see this article.

Example

Creating a language file at /config/lang/en-us.user.xml with the following content:

<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<language alias="en_us" intName="English (US)" localName="English (US)" lcid="" culture="en-US">
  <area alias="user">
    <key alias="newPasswordFormatNonAlphaTip">There should be at least %0% special character(s), one upper case letter and one lower case letter in there.</key>
  </area>
</language>

...yields the following change password dialog:

[github-actions]

Hi @Nysosis,

We're writing to let you know that we would love some help with this issue. We feel that this issue is ideal to flag for a community member to work on it. Once flagged here, folk looking for issues to work on will know to look at yours. Of course, please feel free work on this yourself ;-). If there are any changes to this status, we'll be sure to let you know.

For more information about issues and states, have a look at this blog post.

Thanks muchly, from your friendly Umbraco GitHub bot :-)

[snerpton]

I can report the issue is still live in v10 LTS.

Umbraco: 10.7.0
Chrome: 118.0.5993.117