Situation: user enters a weak password that fails the defined password policy.
Compare the API response from the Management API:
{
  "statusCode": 400,
  "error": "Bad Request",
  "message": "PasswordStrengthError: Password is too weak",
  "errorCode": "auth0_idp_error"
}
to the API response from the Authentication API:
{
  "name": "PasswordStrengthError",
  "message": "Password is too weak",
  "code": "invalid_password",
  "description": {
    "rules": [
      {
        "message": "At least %d characters in length",
        "format": [
          8
        ],
        "code": "lengthAtLeast",
        "verified": true
      },
      {
        "message": "Should contain:",
        "code": "shouldContain",
        "verified": false,
        "items": [
          {
            "message": "lower case letters (a-z)",
            "code": "lowerCase",
            "verified": true
          },
          {
            "message": "upper case letters (A-Z)",
            "code": "upperCase",
            "verified": false
          },
          {
            "message": "numbers (i.e. 0-9)",
            "code": "numbers",
            "verified": false
          }
        ]
      }
    ],
    "verified": false
  },
  "policy": "* At least 8 characters in length\n* Should contain:\n * lower case letters (a-z)\n * upper case letters (A-Z)\n * numbers (i.e. 0-9)",
  "statusCode": 400
}
I have no idea why the Management API provides almost no useful information. I actually need to use the Management API because it is the only way I can create a user while bypassing email validation (setting email_verified: true in the user creation request).
Please fix this.
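
The difference between the two bodies quoted above, shown as an added example that is not part of the original post and not Auth0's own code: a client can walk `description.rules` in the Authentication API body to report exactly which rules failed, while the Management API body leaves only a flat message. The helper names `renderMessage` and `failedRules` are hypothetical, and the sample object is constructed from the response quoted in the post.

```javascript
// Constructed sample: the Authentication API error body quoted in the post.
const sampleError = {
  name: "PasswordStrengthError",
  message: "Password is too weak",
  code: "invalid_password",
  description: {
    rules: [
      { message: "At least %d characters in length", format: [8], code: "lengthAtLeast", verified: true },
      {
        message: "Should contain:", code: "shouldContain", verified: false,
        items: [
          { message: "lower case letters (a-z)", code: "lowerCase", verified: true },
          { message: "upper case letters (A-Z)", code: "upperCase", verified: false },
          { message: "numbers (i.e. 0-9)", code: "numbers", verified: false }
        ]
      }
    ],
    verified: false
  },
  statusCode: 400
};

// Hypothetical helper: fill each %d in a rule message from its "format" array.
function renderMessage(rule) {
  const args = Array.isArray(rule.format) ? [...rule.format] : [];
  return String(rule.message).replace(/%d/g, () => (args.length ? String(args.shift()) : "%d"));
}

// Hypothetical helper: return [{code, message}] for every rule the password failed.
// A group rule with "items" is expanded to its unmet items only.
function failedRules(errorBody) {
  const rules = errorBody?.description?.rules;
  if (!Array.isArray(rules)) {
    // Management API style body: no rule breakdown, only the flat message.
    const code = errorBody?.errorCode ?? errorBody?.code ?? "unknown";
    return [{ code, message: String(errorBody?.message ?? "") }];
  }
  const out = [];
  for (const rule of rules) {
    if (rule.verified) continue;
    const unmet = Array.isArray(rule.items) ? rule.items.filter((i) => !i.verified) : [];
    if (unmet.length === 0) out.push({ code: rule.code, message: renderMessage(rule) });
    for (const item of unmet) {
      out.push({ code: item.code, message: `${renderMessage(rule)} ${renderMessage(item)}` });
    }
  }
  return out;
}
```
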