Feature Request: allow querying password_policy validate api

[DanRiess]

Hi,

when creating shares of existing files with your app, the requests will get rejected if the password does not conform to the corresponding NextCloud's password policy. In my case, I don't get an error message, the fetch just fails without any additional info.

It would be cool if you could integrate a route (e. g. /apps/webapppassword/api/v1/shares/validate-password) that queries the internal password_policy app's /validate endpoint and return that result. I used to do this in my internal Nextcloud app as well.

Here is an example request that I would send from a third-party website:

const result = await fetch(`${this.server}/index.php/apps/webapppassword/api/v1/shares/validate-password`, {
	method: 'POST',
	headers: {
		Authorization: `Bearer ${webAppPasswordToken}`,
		'Content-Type': 'application/json',
		'OCS-APIRequest': 'true',
	},
	body: JSON.stringify({ password: 'Taco' }),
})

Here is what I used to send in a Nextcloud app:

const result = await fetch(`${generateOcsUrl('apps/password_policy/api/v1/validate')}`, {
	method: 'POST',
	body: JSON.stringify({ password: 'Taco' }),
})

And the result would be something like this:

{
    "meta": {
        "status": "ok",
        "statuscode": 200,
        "message": "OK"
    },
    "data": {
        "passed": false,
        "reason": "Password is among the 1,000,000 most common ones. Please make it unique. Password needs to be at least 10 characters long. Password is present in compromised password list. Please choose a different password."
    }
}

Would that be possible?

Best regards,
Daniel

[pbek]

The share API was contributed by @aleixq in #61.

Hm, https://github.com/nextcloud/password_policy is an external app. Maybe it would really be a better idea to talk to the developers of the app about CORS policies to make the app accessible in browsers.

[pbek]

Maybe just try to open an issue at https://github.com/nextcloud/password_policy/issues.

[DanRiess]

Password policy is an internal app that is present in probably every Nextcloud instance. While I think that you're right in saying that Nextcloud really should implement global CORS policies, the fact that you had to build this app right here suggests that is not going to happen.

[aleixq]

A global strategy to configure CORS, was suggested in PR nextcloud/server#37896 and issue nextcloud/server#37716 , the PR needs mentorship or attention (elsewhere I need time to rebase it) .

[pbek]

At least https://github.com/nextcloud/password_policy is a different app. Maybe one has more luck asking there...