Merge pull request #40 from Edamijueda/issue-#34

impl password policy func in user registration

Author: devondragon

.claude/settings.local.json

@@ -18,8 +18,13 @@
       "Bash(./fix-mockbean-deprecation.sh:*)",
       "mcp__zen__debug",
       "Bash(git commit:*)",
-      "mcp__zen__codereview"
+      "mcp__zen__codereview",
+      "Bash(gh pr view:*)",
+      "Bash(gh pr diff:*)",
+      "Bash(gh issue view:*)",
+      "Bash(gh pr checkout:*)",
+      "Bash(git checkout:*)"
     ],
     "deny": []
   }
-}
+}

.gitignore

@@ -137,3 +137,4 @@ application-local.yml
 .vscode/settings.json
 /repomix-output.txt
 src/main/resources/application-docker-keycloak.yml
+.vscode/

.vscode/settings.json

@@ -39,7 +39,7 @@ repositories {
 
 dependencies {
     // DigitalSanctuary Spring User Framework
-    implementation 'com.digitalsanctuary:ds-spring-user-framework:3.4.1'
+    implementation 'com.digitalsanctuary:ds-spring-user-framework:3.5.0'
 
     // Spring Boot starters
     implementation 'org.springframework.boot:spring-boot-starter-actuator'

build.gradle

@@ -2,7 +2,7 @@
 services:
   myapp-db:
     image: mariadb:11.6.2
-    container_name: springuser-db  #
+    container_name: springuser-db
     volumes:
       - userdb:/var/lib/mysql
     environment:

docker-compose.yml

@@ -125,6 +125,61 @@
       "type": "java.lang.String",
       "description": "A description for 'user.security.forgotPasswordChangeURI'"
     },
+    {
+      "name": "user.security.password.enabled",
+      "type": "java.lang.String",
+      "description": "A description for 'user.security.password.enabled'"
+    },
+    {
+      "name": "user.security.password.min-length",
+      "type": "java.lang.String",
+      "description": "A description for 'user.security.password.min-length'"
+    },
+    {
+      "name": "user.security.password.max-length",
+      "type": "java.lang.String",
+      "description": "A description for 'user.security.password.max-length'"
+    },
+     {
+      "name": "user.security.password.require-uppercase",
+      "type": "java.lang.String",
+      "description": "A description for 'user.security.password.require-uppercase'"
+    },
+     {
+      "name": "user.security.password.require-lowercase",
+      "type": "java.lang.String",
+      "description": "A description for 'user.security.password.require-lowercase'"
+    },
+     {
+      "name": "user.security.password.require-digit",
+      "type": "java.lang.String",
+      "description": "A description for 'user.security.password.require-digit'"
+    },
+     {
+      "name": "user.security.password.require-special",
+      "type": "java.lang.String",
+      "description": "A description for 'user.security.password.require-special'"
+    },
+     {
+      "name": "user.security.password.special-chars",
+      "type": "java.lang.String",
+      "description": "A description for 'user.security.password.special-chars'"
+    },
+     {
+      "name": "user.security.password.prevent-common-passwords",
+      "type": "java.lang.String",
+      "description": "A description for 'user.security.password.prevent-common-passwords'"
+    },
+     {
+      "name": "user.security.password.history-count",
+      "type": "java.lang.String",
+      "description": "A description for 'user.security.password.history-count'"
+    },
+     {
+      "name": "user.security.password.similarity-threshold",
+      "type": "java.lang.String",
+      "description": "A description for 'user.security.password.similarity-threshold'"
+    },
     {
       "name": "hibernate.globally_quoted_identifiers",
       "type": "java.lang.String",

src/main/resources/META-INF/additional-spring-configuration-metadata.json

@@ -15,40 +15,40 @@ spring:
           protocol: smtp # Mail server protocol
 
   # security:
-    # oauth2:
-    #   enabled: true
-    #   client:
-    #     registration:
-    #       google:
-    #         client-id:
-    #         client-secret:
-    #         scope:
-    #           - email
-    #           - profile
-    #         client-name: Google
-    #         authorization-grant-type: authorization_code
-    #         client-authentication-method: post
-    #         provider: google
-    #       facebook:
-    #         client-id:
-    #         client-secret:
-    #         scope:
-    #           - email
-    #           - public_profile
-    #         client-name: Facebook
-    #         authorization-grant-type: authorization_code
-    #         client-authentication-method: post
-    #         provider: facebook
-    #       apple:
-    #         client-id:
-    #         client-secret:
-    #         scope:
-    #           - email
-    #           - name
-    #         client-name: Apple
-    #         authorization-grant-type: authorization_code
-    #         client-authentication-method: post
-    #         provider: apple
+  # oauth2:
+  #   enabled: true
+  #   client:
+  #     registration:
+  #       google:
+  #         client-id:
+  #         client-secret:
+  #         scope:
+  #           - email
+  #           - profile
+  #         client-name: Google
+  #         authorization-grant-type: authorization_code
+  #         client-authentication-method: post
+  #         provider: google
+  #       facebook:
+  #         client-id:
+  #         client-secret:
+  #         scope:
+  #           - email
+  #           - public_profile
+  #         client-name: Facebook
+  #         authorization-grant-type: authorization_code
+  #         client-authentication-method: post
+  #         provider: facebook
+  #       apple:
+  #         client-id:
+  #         client-secret:
+  #         scope:
+  #           - email
+  #           - name
+  #         client-name: Apple
+  #         authorization-grant-type: authorization_code
+  #         client-authentication-method: post
+  #         provider: apple
   thymeleaf: # Thymeleaf configuration
     cache: false # Enable or disable Thymeleaf cache
     template-loader-path: classpath:/templates # Template loader path for Thymeleaf
@@ -59,8 +59,8 @@ spring:
     properties: # Hibernate properties
       hibernate:
         dialect: org.hibernate.dialect.MariaDBDialect # Hibernate dialect
-       # "[globally_quoted_identifiers]": false # Globally quoted identifiers
-    show-sql: 'false' # Enable or disable SQL logging
+        # "[globally_quoted_identifiers]": false # Globally quoted identifiers
+    show-sql: "false" # Enable or disable SQL logging
   application: # Application configuration
     name: User Framework Demo # Application name
   datasource: # Datasource configuration
@@ -71,17 +71,14 @@ spring:
   messages:
     basename: messages/messages # Message basename
 
-
-
-
 management:
   newrelic:
     metrics:
       export:
         api-key: # New Relic API key
         account-id: # New Relic account ID
 hibernate:
-  globally_quoted_identifiers: 'false' # Hibernate Globally quoted identifiers
+  globally_quoted_identifiers: "false" # Hibernate Globally quoted identifiers
 server:
   servlet:
     session:
@@ -101,8 +98,6 @@ springdoc:
   packages-to-scan: com.digitalsanctuary.spring.demo,com.digitalsanctuary.spring.user
   show-actuator: false
 
-
-
 # User Framework configuration
 user:
   actuallyDeleteAccount: false # If true, users can delete their own accounts.  If false, accounts are disabled instead of deleted.
@@ -115,14 +110,14 @@ user:
     flushOnWrite: false # If true, the audit log will be flushed to disk after every write (less performant).  If false, the audit log will be flushed to disk every 10 seconds (more performant).
     logEvents: true # If true, all events will be logged.
 
-# Centralizing the URIs of common pages to make changing paths easier.  You can leave this section alone if you use the default page locations from this project.  These URLs do NOT have to be included in the unprotectedURIs list above as they will automatically be handled.
+  # Centralizing the URIs of common pages to make changing paths easier.  You can leave this section alone if you use the default page locations from this project.  These URLs do NOT have to be included in the unprotectedURIs list above as they will automatically be handled.
   security:
     failedLoginAttempts: 10 # The number of failed login attempts before the user account is locked out.  Set this to 0 to disable account lockout.
     accountLockoutDuration: 30 # The number of minutes to lock the user account after the maximum number of failed login attempts is reached.  Set this to 0 to disable account lockout.  Set this to -1 to lock the account until an administrator unlocks it.
     bcryptStrength: 12 # The bcrypt strength to use for password hashing.  The higher the number, the longer it takes to hash the password.  The default is 12.  The minimum is 4.  The maximum is 31.
     testHashTime: true # If true, the test hash time will be logged to the console on startup.  This is useful for determining the optimal bcryptStrength value.
     defaultAction: deny # The default action for all requests.  This can be either deny or allow.
-    unprotectedURIs: /,/index.html,/favicon.ico,/apple-touch-icon-precomposed.png,/css/*,/js/*,/js/user/*,/js/event/*,/img/**,/user/registration,/user/resendRegistrationToken,/user/resetPassword,/user/registrationConfirm,/user/changePassword,/user/savePassword,/oauth2/authorization/*,/login,/user/login,/user/login.html,/swagger-ui.html,/swagger-ui/**,/v3/api-docs/**,/event/,/event/list.html,/event/**,/about.html  # A comma delimited list of URIs that should not be protected by Spring Security if the defaultAction is deny.
+    unprotectedURIs: /,/index.html,/favicon.ico,/apple-touch-icon-precomposed.png,/css/*,/js/*,/js/user/*,/js/event/*,/img/**,/user/registration,/user/resendRegistrationToken,/user/resetPassword,/user/registrationConfirm,/user/changePassword,/user/savePassword,/oauth2/authorization/*,/login,/user/login,/user/login.html,/swagger-ui.html,/swagger-ui/**,/v3/api-docs/**,/event/,/event/list.html,/event/**,/about.html,error.html # A comma delimited list of URIs that should not be protected by Spring Security if the defaultAction is deny.
     protectedURIs: /protected.html # A comma delimited list of URIs that should be protected by Spring Security if the defaultAction is allow.
     disableCSRFdURIs: /no-csrf-test # A comma delimited list of URIs that should not be protected by CSRF protection. This may include API endpoints that need to be called without a CSRF token.
 
@@ -141,6 +136,20 @@ user:
     registrationNewVerificationURI: /user/request-new-verification-email.html # The URI for the request new verification email page.
     updateUserURI: /user/update-user.html # The URI for the update user page.
 
+    # Password policy enforcement/rules
+    password:
+      enabled: true # Enable/disable password policy enforcement
+      min-length: 8 # Minimum password length
+      max-length: 128 # Maximum password length
+      require-uppercase: true # Require at least one uppercase character
+      require-lowercase: true # Require at least one lowercase character
+      require-digit: true # Require at least one digit
+      require-special: true # Require at least one special character
+      special-chars: "~`!@#$%^&*()_-+={}[]|\\:;\"'<>,.?/" # Allowed special characters
+      prevent-common-passwords: true # Prevent use of common passwords (dictionary check)
+      history-count: 3 # Number of previous passwords to prevent reuse
+      similarity-threshold: 70 # Percentage of similarity allowed with username/email
+
   mail:
     fromAddress: test@test.com # The from address for all emails sent by the application.
   purgetokens:
@@ -171,4 +180,3 @@ user:
     role-hierarchy: # Role hierarchy configuration section.  This defines a hierarchy of roles, where a higher level role inherits all roles from a lower level role.  The roles are defined in the roles-and-privileges section above.
       - ROLE_ADMIN > ROLE_MANAGER
       - ROLE_MANAGER > ROLE_USER
-

src/main/resources/application.yml

@@ -53,6 +53,17 @@ label.user.old-password=Old Password
 # Page Labels
 label.pages.home.title=Home
 
+# Password Validation Error Messages
+TOO_SHORT=Password must be {0} or more characters in length.
+TOO_LONG=Password must be no more than {0} characters in length.
+INSUFFICIENT_UPPERCASE=Password must contain at least {0} uppercase letter(s).
+INSUFFICIENT_LOWERCASE=Password must contain at least {0} lowercase letter(s).
+INSUFFICIENT_DIGIT=Password must contain at least {0} digit(s).
+INSUFFICIENT_SPECIAL=Password must contain at least {0} special character(s).
+ILLEGAL_WORD=Password is too common or easy to guess.
+password.error.history.reuse=You cannot reuse your last {0} passwords.
+password.error.similarity=Password is too similar to your username or email ({0}% similarity).
+
 # Registration Messages
 ## Success Messages
 registration.success.thank-you=Thank you for registering!

src/main/resources/messages/messages.properties

@@ -4,6 +4,12 @@ export function showError(container, message) {
     container.classList.remove("d-none");
 }
 
+export function showHtmlError(container, htmlMessage) {
+    if (!container) return;
+    container.innerHTML = htmlMessage;
+    container.classList.remove("d-none");
+}
+
 export function hideError(container) {
     if (!container) return;
     container.textContent = "";