Set password admin API #3021
Set password admin API #3021
Conversation
Deploying matrix-authentication-service-docs with
|
| Latest commit: |
2ade8c2
|
| Status: | ✅ Deploy successful! |
| Preview URL: | https://c00bf310.matrix-authentication-service-docs.pages.dev |
| Branch Preview URL: | https://quenting-admin-api-set-passw.matrix-authentication-service-docs.pages.dev |
sandhose
force-pushed
the
quenting/admin-api/set-password
branch
2 times, most recently
from
4d6732b to
b2dbcb0
Compare
sandhose
changed the base branch from
main
to
quenting/admin-api/temp-merge-base
sandhose
force-pushed
the
quenting/admin-api/set-password
branch
from
b2dbcb0 to
6dd674b
Compare
sandhose
force-pushed
the
quenting/admin-api/temp-merge-base
branch
from
f382846 to
cc10495
Compare
sandhose
force-pushed
the
quenting/admin-api/set-password
branch
2 times, most recently
from
d8406c5 to
df12feb
Compare
sandhose
changed the base branch from
quenting/admin-api/temp-merge-base
to
main
sandhose
force-pushed
the
quenting/admin-api/set-password
branch
from
df12feb to
fa35020
Compare
| .lookup(*id) | ||
| .await? | ||
| .ok_or(RouteError::NotFound(*id))?; | ||
|
|
There was a problem hiding this comment.
is it intended that we don't apply any complexity limits on this API?
also, it may be worth checking the password isn't empty either. I feel like that is dodgy enough to protect against
There was a problem hiding this comment.
I was assuming that because this is the admin API, it should just accept it? Synapse does that (and I don't think it checks for empty passwords either)
But I'd be happy to make it check here and have a skip_password_check parameter or something similar
There was a problem hiding this comment.
I ended up checking the complexity and adding the flag
sandhose
force-pushed
the
quenting/admin-api/set-password
branch
from
fa35020 to
4dbb5eb
Compare
sandhose
force-pushed
the
quenting/admin-api/set-password
branch
from
0be3cb8 to
9551f55
Compare
| .is_password_complex_enough(¶ms.password) | ||
| .unwrap_or(false) | ||
| { | ||
| return Err(RouteError::PasswordTooWeak); |
There was a problem hiding this comment.
I think this will give a PasswordTooWeak error code if the password manager is disabled, which could be a bit misleading, should we have an error code just for it?
There was a problem hiding this comment.
Oh you're right! Did that in 87482b4
sandhose
force-pushed
the
quenting/admin-api/set-password
branch
from
87482b4 to
aec9653
Compare
sandhose
force-pushed
the
quenting/admin-api/set-password
branch
from
aec9653 to
2ade8c2
Compare
This adds an API to set the password of a user