Password Policy

Added

• Added optional CSP (Content Security Policy) nonce support for the password indicator script #39
• Added SecurityService to generate and manage CSP nonces per request
• Added cspNonce configuration option to enable CSP nonce generation

Changed

• Made sure that the rules thrown by Password Policy all show at once, rather than one by one.

Fixed

• Fixed an issue where the native Craft errors would still display when password policy was active #40
• Fixed an issue where the retention feature never actually got processed #41

Changed

• Added services to a service trait

Fixed

• Fixed a bug that could occur if the max length wasn't set, passwords always said "could not contain more than 0 characters".
• Removed the "playground" from the settings to test the strength indicator, this was only meant for development.
• Fixed an issue where the pwned option would always return that the password was compromised.
• Fixed the issue where the assets would throw an error on the front-end, not finding the manifest path. (Thanks to Andrew Welch) #34

Fixed

• Fixed Failed to instantiate component or class on the assetbundle Thanks niektenhoopen

Fixed

• Fixed native type class constant as those are only allowed from PHP8.3+

Fixed

• More ECS fixes after PHPStan fixes

Fixed

• ECS Style fixes
• Fixed PHP Stan Errors

Added

• Added a "Have I been pwned" validator #29
• Added "Have I been pwned" through k-anonymity
• Password Retention feature to determine on which time interval passwords should expire
• Added the craft password-policy/retention/force-reset-passwords CLI command
• Added the "Force Reset Passwords" Retention Utility

Changed

• Refactored the password strength indicator, now using vanilla JS and TailwindCSS
• Refactored all the validation rules