Hello. My issue is that it doesent seem like the password reset page has any validation.
When i go in and reset the password, both with my user and our test users that are not admin we can set the password to ANYTHING. 3 letters small characters. And we have set the password policy to Good.
This is a potential security hole.
( I am sorry, I am not sure what category to put this in. I choose the auth0.js because we call the reset password function from there. )
FYI
I looked through various guides, like this one: Password Strength in Auth0 Database Connections
And made sure the correct password policy was set as well as the library version is correct. (1.5.1) and the dictionary with “password_complexity_options” is identical
We use custom domain and hosted reset password page. I.e we call the endpoint from javascript (webauth change password) and then the user is sent to the hosted reset page.
I know password policies works for the sign up process because we just implemented our own custom UI using the javascript SDK. And i got correct errors before adding any javascript validation. I.e password to short, to weak etc from your servers.