
  • Sebastian Budka 12 posts 93 karma points
    Apr 27, 2020 @ 14:09
    0

    Custom password validation on password change

    Hi everyone, I am struggling with a password validation problem. I know that there is a way to set up some requirements in web.config like minimum length, special characters required or even a Regex. But our client has very specific requirements which cannot be fulfilled with these settings. The most custom ones are:

    1. your password can't contain username, first name and last name
    2. you can't use one of the breached passwords from the list
    3. password must contain at least 2 of the following: digit, special character, capital letter

    I quickly found an obvious solution - create a custom UsersMembershipProvider (I believe that I will also need to extend IdentityEnabledMembersMembershipProvider, but for now I focused on the administration panel). Long story short, this approach doesn't work (or I am doing something wrong). No matter which method I override, it is not executed. I tried CreateUser, DeleteUser, and of course ChangePassword. Those actions are performed normally, disrespecting my overrides.

    I also tried to inject my own implementation of IIdentityValidator<string> PasswordValidator and IIdentityValidator<TUser> UserValidator as per the documentation here. Unfortunately I need both user information and the plain text password to perform the aforementioned validation.

    Maybe there is something that I'm doing wrong or I missed some other solutions. Can you help me, please?

    Best regards, Sebastian
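
The three rules listed in the post above, written as a stand-alone C# check that receives both the user's details and the plain-text password (an added example, not code from the original post or from Umbraco). The class name, method signature and sample data are assumptions; it does not show how to hook the check into a membership provider, and it treats any character that is not a letter or digit as "special".

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical helper, not an Umbraco API: checks the three rules from the post.
public static class ClientPasswordPolicy
{
    public static IReadOnlyList<string> Validate(string password, string username,
        string firstName, string lastName, ISet<string> breachedPasswords)
    {
        var errors = new List<string>();
        password = password ?? string.Empty;

        // Rule 1: case-insensitive substring check. Empty or missing name parts
        // are skipped, because an empty string is "contained" in every password.
        var nameParts = new[] { username, firstName, lastName }
            .Where(p => !string.IsNullOrWhiteSpace(p));
        if (nameParts.Any(p => password.IndexOf(p.Trim(), StringComparison.OrdinalIgnoreCase) >= 0))
            errors.Add("Password must not contain your username, first name or last name.");

        // Rule 2: exact match against the breached list (the set's comparer decides case handling).
        if (breachedPasswords.Contains(password))
            errors.Add("Password appears in the breached-password list.");

        // Rule 3: at least 2 of: digit, special character, capital letter.
        int classes = 0;
        if (password.Any(char.IsDigit)) classes++;
        if (password.Any(char.IsUpper)) classes++;
        if (password.Any(c => !char.IsLetterOrDigit(c))) classes++;
        if (classes < 2)
            errors.Add("Password needs at least 2 of: digit, special character, capital letter.");

        return errors;
    }

    public static void Main()
    {
        // Constructed sample data, not taken from the thread.
        var breached = new HashSet<string>(StringComparer.Ordinal) { "Password1!", "Qwerty123" };
        var samples = new[] { "sbudka2020!", "Password1!", "longlowercaseonly", "Tr4vel-Lantern" };
        foreach (var pw in samples)
        {
            var errors = Validate(pw, "sbudka", "Sebastian", "Budka", breached);
            Console.WriteLine(pw + " -> " + (errors.Count == 0 ? "OK" : string.Join(" | ", errors)));
        }
    }
}
```

Very short name parts (two or three letters) will reject many unrelated passwords under rule 1, so a minimum length for the compared parts may be needed.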

  • Sebastian Budka 12 posts 93 karma points
    May 15, 2020 @ 05:52
    0

    I looked through the Umbraco code on GitHub and found a partial solution - setting allowManuallyChangingPassword to true in the provider. Partial, because this enables users to change their passwords without supplying the old password and I don't want to do it.

    Can someone tell me why overrides from MembershipProviderBase are invoked only when allowManuallyChangingPassword is true?
