More extensive password validation about label-studio HOT 2 CLOSED

Hi @staubertTim,

You can add additional validators here, assuming you're building LS from source:

I would have thought testtest would be blocked by CommonPasswordValidator, but not sure on that.

from label-studio.

Hi @jombooth,

thank you for taking the time to answer!
That's what I thought as well so I went ahead and changed those - WITH NO EFFECT.
I'm afraid these Django Validators are not even used. You can verify that by using these Validators and then building from source:

AUTH_PASSWORD_VALIDATORS = [
{'NAME': 'django.contrib.auth.password_validation.UserAttributeSimilarityValidator'},
{
'NAME': 'django.contrib.auth.password_validation.MinimumLengthValidator',
'OPTIONS': {'min_length': 10},
},
{'NAME': 'django.contrib.auth.password_validation.CommonPasswordValidator'},
{'NAME': 'django.contrib.auth.password_validation.NumericPasswordValidator'},
]

Normally Label Studio Passwords need to be 8 characters long and I would expect that they now need to be ten characters long - which is NOT the case, although this parameter is build in by default into the MinimumLengthValidator.

I then traced error messages from the frontend and realized that password checking is done in label_studio/users/forms.py
in the class UserSignupForm and the clean_password method where the only applied check is:

if len(password) < PASS_MIN_LENGTH:
raise forms.ValidationError(PASS_LENGTH_ERROR)

Once I changed PASS_MIN_LENGTH to 10 I could actually only use passwords that are ten characters long.
I will now try to monkey-patch this method in my docker build. But still I think it is suboptimal to have these Django validators and not apply them (if I am not mistaken).

Is this intended or a bug? Happy to hear your thoughts.

from label-studio.