[BUG] Unable To Install Default Installations Using "+" In The Password
Closed this issue · 12 comments
Oqtane Info
Version - 5.2.4
Render Mode - Static
Interactivity - Server
Database - SQL Server
Describe the bug
Unable To Install Default Installations Using "+" In The Password
Expected Behavior
An auto-generated password is accepted in default installations.
Steps To Reproduce
Install a fresh instance of Oqtane and use '+' in the Password
Notice Potentially The Auto Generated Password Does Not Meet Password Complexity Although It Does Meet The Criteria Outlined
Anything else?
May need to work on this to figure out exactly why it didn't work once for me. It was saying password would not work. But when testing in User Management seems to work OK but needs more testing to know for sure as I did not retain the auto generated password.
Nothing mission critical but worth investigating a bit more to find out what special character combo is not being allowed to be used.
Some character is not being allowed that may need to be allowed in the regex.
The only way to reproduce this issue so that it can be investigated would be if you are able to provide the specific password value which is causing the validation issue.
In PR #4756 I return the exact errors returned from the identity provider so that we can know which part failed.
I will get a list of them to test here shortly. I had only time to create what I did for a PR issue. Thanks @zyhfish I will update this issue in a few.
Any validation updates should be included in the user management forms as well as the installer forms. I will find out what characters stopped the use of a password, as maybe it wasn't allowed, but I didn't know which character and did not log the password used at the time.
I will turn on the user registration area too as this form should also be reviewed. This should be checked for #4752 as well.
- User Management
- Registration
- Installation
- Bulk User Creation
These areas should be updated as needed with messages about what characters are not allowed, or allow them if they are OK to use in the identity in the validation form.
Seems like I took out the + sign and that was the issue when I made it half the length.
Yes, I can confirm the + sign does not allow a user to install when in the password.
Also note I do not believe this is not an issue in the user registration area or for updating your password in profile or creating user passwords, only in the installation form.
Validation logic in the installation form should allow the + character I believe as I don't think it will harm anything and it is allowed in other areas of setting an Oqtane user password.
In all cases the system is using .NET Identity to store passwords - so the validation behavior should be consistent. For example if a "+" sign is not allowed when specifying the host username during installation, it should also not be allowed when registering a new user through User Management - all passwords are validated using the same criteria - which is part of .NET Identity.
It is possible that this is an encoding issue, i.e. the user input is being encoded when passed to the server, but not decoded on the server. This will require some more investigation.
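The encoding hypothesis in the last comment can be checked in isolation. The following is an added example, not part of the thread and not Oqtane's code: it shows how a `+` in a value is changed when the sending and receiving sides disagree about URL encoding. It does not establish that this is the cause of the installer failure. The class name, helper names and sample password are constructed for illustration.

```csharp
using System;
using System.Linq;
using System.Net;

public static class PlusEncodingDemo
{
    // Form-style decoding, as applied to query strings and form bodies:
    // '+' is read as a space and %XX as the byte it names.
    static string FormDecode(string wire) => WebUtility.UrlDecode(wire);

    // True when the value the receiver ends up with equals what the user typed.
    static bool SurvivesRoundTrip(string typed, Func<string, string> encode, int decodePasses)
    {
        string value = encode(typed);
        for (int i = 0; i < decodePasses; i++) value = FormDecode(value);
        return value == typed;
    }

    public static void Main()
    {
        const string password = "Xy7+kQ2!pLm9"; // constructed sample, not from the issue

        // Case 1: sender does not encode, receiver form-decodes.
        Console.WriteLine($"raw, 1 decode      : {SurvivesRoundTrip(password, s => s, 1)}");

        // Case 2: sender percent-encodes ('+' is sent as %2B), receiver decodes once.
        Console.WriteLine($"escaped, 1 decode  : {SurvivesRoundTrip(password, s => Uri.EscapeDataString(s), 1)}");

        // Case 3: sender percent-encodes, but the value is decoded twice
        // (for example once by the framework and once by handler code).
        Console.WriteLine($"escaped, 2 decodes : {SurvivesRoundTrip(password, s => Uri.EscapeDataString(s), 2)}");

        // Which password symbols are altered when a value is form-decoded
        // without having been encoded first? Each symbol is embedded in a
        // short constructed value so that escape sequences can form.
        const string symbols = "!@#$%^&*()-_=+[]{};:,.<>?/";
        var altered = symbols.Where(c => !SurvivesRoundTrip($"Pw{c}41", s => s, 1));
        Console.WriteLine("altered when sent raw: " + string.Join(" ", altered));
    }
}
```

A password that fails only in one form while passing .NET Identity validation elsewhere is consistent with a mismatch of this kind, so comparing the value received by the server with the value typed is a quick way to confirm or rule it out.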