- How do I integrate zxcvbn-php into Laravel’s registration validation?
- Use Laravel’s validation pipeline by creating a custom rule or middleware. Bind the `Zxcvbn` class to the container and validate passwords like this: `Validator::extend('zxcvbn', function ($attribute, $value, $parameters) { return (new Zxcvbn())->guessStrength($value)['score'] >= $parameters[0]; })`. Then apply it in your `User` model rules: `'password' => 'required|zxcvbn:3'`.
- Does this package work with Laravel’s built-in `Hash` facade for password hashing?
- Yes, zxcvbn-php only estimates strength from plaintext passwords—it doesn’t handle hashing. Use it before hashing (e.g., in `create` or `update` methods) to validate strength, then pass the plaintext to `Hash::make()`. Never store or re-use plaintext passwords elsewhere.
- Can I use this for real-time password strength meters in a Laravel + Vue/React frontend?
- For frontend integration, call the package via a Laravel API endpoint (e.g., `POST /api/check-password-strength`). Return the `guessStrength()` result as JSON, then use it in your frontend framework. Avoid exposing the raw library to the client for security. Pair it with the JS zxcvbn for client-side validation if needed.
- What Laravel versions does zxcvbn-php support, and are there breaking changes?
- The package supports Laravel 8+ and PHP 8.0+. No framework-specific code exists, so it’s compatible with newer Laravel versions. If you’re on Laravel 7.x, ensure PHP 8.0+ is used (named arguments are required). Check the [GitHub issues](https://github.com/bjeavons/zxcvbn-php/issues) for version-specific notes.
- How do I enforce a minimum password score (e.g., 3/4) across all user creations?
- Create a Laravel middleware (e.g., `app/Http/Middleware/EnforcePasswordStrength`) that checks `guessStrength()` on incoming `POST /register` or `PATCH /users/{id}` requests. Reject requests with scores below your threshold by throwing a `ValidationException`. Example: `if ($result['score'] < 3) abort(422, 'Password too weak');`.
- Will this package slow down my auth endpoints under high traffic?
- zxcvbn-php is lightweight (~100KB) and optimized for performance, with minimal CPU overhead. Benchmark your auth endpoints to confirm, but it’s designed for high-throughput systems. If using async PHP (e.g., Swoole), wrap the call in a synchronous context or offload validation to a queue worker.
- How do I customize the feedback suggestions (e.g., add org-specific rules)?
- The library provides structured feedback (e.g., `feedback.suggestions`), which you can extend in your UI. For org-specific rules, filter or append suggestions in your middleware/controller. Example: `if (str_contains($password, '123')) $result['feedback']['suggestions'][] = 'Avoid sequential numbers.'`
- Does zxcvbn-php handle non-Latin scripts (e.g., Chinese, Arabic) well?
- The package supports multibyte characters via PHP’s `mb_*` functions, but scoring accuracy for non-Latin scripts depends on zxcvbn’s default dictionaries. For better results, provide custom dictionaries or pre-process passwords (e.g., normalize Unicode). Test thoroughly with your target languages.
- Are there alternatives to zxcvbn-php for Laravel, and when should I choose them?
- Alternatives include `php-password-policy` (simpler regex-based rules) or `paragonie/password-validator` (more strict but less user-friendly). Choose zxcvbn-php if you need **realistic strength estimates** (e.g., crack-time feedback) and **user-friendly suggestions**. Use alternatives if you prioritize strict compliance over usability or need minimal dependencies.
- How do I test password strength validation in Laravel’s PHPUnit tests?
- Mock the `Zxcvbn` class in your tests to return predictable scores. Example: `$this->mock(Zxcvbn::class)->shouldReceive('guessStrength')->andReturn(['score' => 4]);`. Test both valid and invalid passwords by asserting exceptions or validation failures. For edge cases, include non-Latin scripts, short passwords, and common phrases to verify robustness.