Hello. My issue is that it doesn't seem like the password reset page has any validation.
When I go in and reset the password, both with my user and our test users that are not admin, we can set the password to ANYTHING. 3 letters, small characters. And we have set the password policy to Good.
This is a potential security hole.
(I am sorry, I am not sure what category to put this in. I chose the auth0.js because we call the reset password function from there.)
I looked through various guides, like this one: https://auth0.com/docs/connections/database/password-strength
And made sure the correct password policy was set, as well as that the library version is correct (1.5.1) and the dictionary with “password_complexity_options” is identical.