Password Strength Bundle Laravel Package

Getting Started

Minimal Setup

1. Installation

   composer require deniak/password-strength-bundle
   

   Add to config/bundles.php:

   return [
       // ...
       Deniak\PasswordStrengthBundle\DeniakPasswordStrengthBundle::class => ['all' => true],
   ];
   

2. Configuration Publish the default config:

   php artisan vendor:publish --tag=password-strength-config
   

   Edit config/packages/deniak_password_strength.yaml to define rules (e.g., min_length: 12).

3. First Use Case Validate a password in a Symfony Form:

   use Deniak\PasswordStrengthBundle\Validator\Constraints as PasswordAssert;
   
   // In your entity or form type
   #[PasswordAssert\PasswordStrength]
   private $password;
   

   Or manually:

   $validator = $this->get('validator');
   $violations = $validator->validate($password, new PasswordStrength());
   

Implementation Patterns

Common Workflows

1. Form Validation Use the constraint in Symfony Forms or API Platform:

   // src/Form/RegistrationType.php
   public function buildForm(FormBuilderInterface $builder, array $options)
   {
       $builder->add('password', TextType::class, [
           'constraints' => [new PasswordStrength()]
       ]);
   }
   

2. API Request Validation Validate incoming JSON payloads (e.g., Laravel Sanctum or API Platform):

   use Deniak\PasswordStrengthBundle\Validator\Constraints\PasswordStrength;
   
   // In a request DTO or entity
   #[PasswordStrength]
   public string $password;
   

3. Custom Rules Extend the validator for project-specific needs:

   // src/Validator/Constraints/CustomPasswordStrength.php
   use Deniak\PasswordStrengthBundle\Validator\Constraints\PasswordStrength as BasePasswordStrength;
   
   #[Attribute]
   class CustomPasswordStrength extends BasePasswordStrength {
       public function validatedBy(): string {
           return get_class($this) . 'Validator';
       }
   }
   

4. Dynamic Rules Pass runtime rules via options:

   $validator->validate($password, new PasswordStrength([
       'min_length' => 14,
       'require_uppercase' => true,
       'require_special_chars' => true,
   ]));
   

5. Integration with Laravel Fortify/Passport Hook into registration/login flows:

   // app/Providers/FortifyServiceProvider.php
   public function register()
   {
       Fortify::registerView(function () {
           return view('auth.register')
               ->with('passwordRules', config('password-strength.rules'));
       });
   }
   

Gotchas and Tips

Pitfalls

1. Configuration Overrides

   • Default rules may conflict with Laravel’s built-in validators (e.g., Symfony\Component\Validator\Constraints\Length). Tip: Disable redundant validators in your entity:

     #[Assert\Length(min: 8, max: 255)]
     #[PasswordAssert\PasswordStrength(min_length: 12)]
     private $password;
     

2. Unicode/Special Character Handling

   • The bundle treats Unicode and ASCII special characters uniformly. Tip: Test edge cases like:

     $password = 'P@ssw0rd!'; // Valid
     $password = 'パスワード!'; // May fail if `require_alphanumeric` is strict
     

3. Case Sensitivity in Tests

   • Rules like require_uppercase are case-sensitive. Tip: Use regex to pre-validate:

     if (!preg_match('/[A-Z]/', $password)) {
         $violations->add(new ConstraintViolation(...));
     }
     

4. Performance with Large Datasets

   • Avoid validating passwords in bulk (e.g., user imports). Tip: Use a separate service layer for validation.

5. Bundle Compatibility

   • The bundle is Symfony-first. For Laravel, wrap it in a Symfony Validator component or use Laravel’s Validator facade with custom rules:

     use Deniak\PasswordStrengthBundle\Validator\PasswordStrengthValidator;
     
     Validator::extend('password_strength', function ($attribute, $value, $parameters, $validator) {
         $validator = new PasswordStrengthValidator();
         $constraint = new PasswordStrength($parameters);
         $violations = $validator->validate($value, $constraint);
         return $violations->count() === 0;
     });
     

Debugging Tips

• Inspect Violations:

  $violations = $validator->validate($password, new PasswordStrength());
  foreach ($violations as $violation) {
      dump($violation->getPropertyPath(), $violation->getMessage());
  }
  

• Enable Debug Mode: Set debug: true in config/packages/deniak_password_strength.yaml to log detailed validation steps.

Extension Points

1. Custom Validators Override the default validator:

   // src/Validator/Constraints/PasswordStrengthValidator.php
   class CustomPasswordStrengthValidator extends PasswordStrengthValidator {
       protected function validateLength($value, $constraint) {
           // Custom logic
       }
   }
   

2. Translation Messages Extend translations in resources/lang/en/validation.php:

   'password' => [
       'strength' => [
           'min_length' => 'The :attribute must be at least :min characters.',
           'require_uppercase' => 'The :attribute must contain at least one uppercase letter.',
       ],
   ],
   

3. Integration with Laravel Hashing Combine with Laravel’s Hash::needsRehash() for password updates:

   if (Hash::needsRehash($user->password) && !PasswordStrengthValidator::isStrong($newPassword)) {
       // Reject update
   }