UNSOLVED Password content specification?
Is it possible to force a requirement spec for passwords associated with a player account?
While we can do it in the client by simply requiring that the incoming string be X characters long and contain a number, a capital letter and a special character, it doesn't look like we are able to specify those restrictions with the "Forgot Password" API call. That means it's entirely possible for a player to create an email on the back end - which we don't control - that won't be considered legal inside the app.
What can we do about this?
Thinking about this some more, perhaps having a specification of what is required in a password is a step too far?
Honestly, these days, a single-step validation to ensure that passwords are:
At least 8 characters long
Have a capital letter included
Have a number included
Have one of the 'special characters' (e.g. + or - or , or . or ! or ? or % or # or @ or = or whatever you guys decide the special characters to be) included
would probably be enough? Perhaps a check box on the brainCloud application definition side that says "Enforce Password Specification Requirements", with those requirements spelled out, plus a new bit of text in the default email being sent out that details the password requirements, would be all that is required? It should be off by default, because existing applications that are already released should NOT have this turned on: it would invalidate all the existing passwords they have, and it's probable that the existing clients aren't enforcing this.
Obviously it means some JS work on the password reset form inside of BC, to validate a new password and tell the user that they are in error, if this flag is turned on, but it would be a REALLY good thing for security going forward.
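The following is an added example, not brainCloud's own code and not something from the poster: one policy object drives both the check (which the reset form, or any server-side path, can run) and the wording for the reset email, so the two cannot drift apart. The policy shape, the `enforce` flag and the function names are assumptions chosen to mirror the proposal above; the special-character set is the one listed in the post.

```javascript
// Added example (not brainCloud code). A single password-policy check meant to
// be run on the password-reset path as well as in the client, since the client
// cannot be trusted to be the only place the rules are enforced.
// DEFAULT_POLICY, validatePassword, describePolicy and handlePasswordReset
// are hypothetical names for illustration.

const DEFAULT_POLICY = {
  enforce: false,              // off by default so already-released apps keep working
  minLength: 8,
  requireUpper: true,
  requireDigit: true,
  requireSpecial: true,
  specialChars: "+-,.!?%#@=",  // the set suggested in the post; configurable per app
};

// Build the rule list once so validation and the user-facing description share
// exactly the same source of truth.
function policyRules(policy) {
  const p = { ...DEFAULT_POLICY, ...policy };
  const special = new Set(p.specialChars);
  const rules = [
    // Count code points, not UTF-16 units, so an emoji counts as one character.
    { label: `at least ${p.minLength} characters`, ok: pw => [...pw].length >= p.minLength },
  ];
  if (p.requireUpper) rules.push({ label: "a capital letter", ok: pw => /\p{Lu}/u.test(pw) });
  if (p.requireDigit) rules.push({ label: "a number", ok: pw => /[0-9]/.test(pw) });
  if (p.requireSpecial) {
    rules.push({ label: `one of ${p.specialChars}`, ok: pw => [...pw].some(ch => special.has(ch)) });
  }
  return rules;
}

// Returns the list of unmet requirements; an empty array means the password is
// acceptable. When the app's enforce flag is off nothing is checked, which is
// the behaviour existing apps need.
function validatePassword(password, policy = DEFAULT_POLICY) {
  const p = { ...DEFAULT_POLICY, ...policy };
  if (!p.enforce) return [];
  if (typeof password !== "string") return ["a string value"];
  return policyRules(p).filter(r => !r.ok(password)).map(r => r.label);
}

// Text for the default reset email or the reset form, generated from the same
// rules that are enforced.
function describePolicy(policy = DEFAULT_POLICY) {
  const p = { ...DEFAULT_POLICY, ...policy };
  if (!p.enforce) return "";
  return "Passwords must contain: " + policyRules(p).map(r => r.label).join(", ") + ".";
}

// Simulated server-side reset handler: the step that the "Forgot Password"
// path would need so that a weak password cannot bypass the in-app check.
function handlePasswordReset(newPassword, policy = DEFAULT_POLICY) {
  const missing = validatePassword(newPassword, policy);
  if (missing.length > 0) {
    return { ok: false, error: "Password must contain: " + missing.join(", ") + "." };
  }
  return { ok: true };
}

// Stand-alone demonstration with constructed sample passwords.
if (typeof require !== "undefined" && require.main === module) {
  const strict = { enforce: true };
  console.log(describePolicy(strict));
  for (const pw of ["password", "Ab1!", "Passw0rd!"]) {
    console.log(JSON.stringify(pw), "->", JSON.stringify(handlePasswordReset(pw, strict)));
  }
}
```

The point of routing both the check and the email text through `policyRules` is that the message players see in the reset email is, by construction, the rule the reset handler applies; the client-side check then becomes a courtesy for fast feedback rather than the only gate.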
I agree - and security-wise prefer it to the pre-hook solution we were considering...
We are looking into it.
Jake - I've sent you a question in the support chat - wondering what the timelines for your app are...