@drax/identity-back 3.13.0 → 3.15.0

package/src/repository/sqlite/UserPasswordHistorySqliteRepository.ts

@@ -0,0 +1,47 @@
+import type {SqliteTableField} from "@drax/common-back";
+import {AbstractSqliteRepository} from "@drax/crud-back";
+import type {IUserPasswordHistoryRepository} from "../../interfaces/IUserPasswordHistoryRepository.js";
+import type {IUserPasswordHistory, IUserPasswordHistoryCreate} from "../../interfaces/IUserPasswordHistory.js";
+
+class UserPasswordHistorySqliteRepository extends AbstractSqliteRepository<IUserPasswordHistory, IUserPasswordHistoryCreate, IUserPasswordHistoryCreate> implements IUserPasswordHistoryRepository {
+    protected db: any;
+    protected tableName: string = "user_password_history";
+    protected dataBaseFile: string;
+    protected searchFields: string[] = [];
+    protected booleanFields: string[] = [];
+    protected identifier: string = "_id";
+    protected populateFields = [
+        {field: "user", table: "users", identifier: "_id"}
+    ]
+    protected tableFields: SqliteTableField[] = [
+        {name: "user", type: "TEXT", unique: false, primary: false},
+        {name: "passwordHash", type: "TEXT", unique: false, primary: false},
+        {name: "createdAt", type: "TEXT", unique: false, primary: false},
+        {name: "updatedAt", type: "TEXT", unique: false, primary: false},
+    ]
+    protected verbose: boolean;
+
+    async prepareData(): Promise<void> {
+    }
+
+    async prepareItem(item: IUserPasswordHistory): Promise<void> {
+        if (item.createdAt && typeof item.createdAt === "string") {
+            item.createdAt = new Date(item.createdAt)
+        }
+
+        if (item.updatedAt && typeof item.updatedAt === "string") {
+            item.updatedAt = new Date(item.updatedAt)
+        }
+    }
+
+    async findLatestByUserId(userId: string, limit: number): Promise<IUserPasswordHistory[]> {
+        const rows = this.db.prepare(`SELECT * FROM ${this.tableName} WHERE user = ? ORDER BY createdAt DESC LIMIT ?`).all(userId, limit);
+        for (const row of rows) {
+            await this.decorate(row)
+        }
+        return rows
+    }
+}
+
+export default UserPasswordHistorySqliteRepository
+export {UserPasswordHistorySqliteRepository}

package/src/resolver/PasswordPolicyResolver.ts

@@ -0,0 +1,33 @@
+import type {IPasswordPolicy, IPasswordPolicyProject} from "@drax/identity-share";
+import {defaultPasswordPolicy} from "../policies/defaultPasswordPolicy.js";
+import {PartialPasswordPolicySchema, PasswordPolicySchema} from "../schemas/PasswordPolicySchema.js";
+import getPasswordEnvPolicy from "../utils/getPasswordEnvPolicy.js";
+
+class PasswordPolicyResolver {
+
+    private projectPolicy : IPasswordPolicyProject = {};
+
+    setProjectPolicy (projectPolicy : IPasswordPolicyProject){
+        this.projectPolicy = projectPolicy;
+    }
+
+    async resolve(): Promise<IPasswordPolicy> {
+        const projectPolicy = await this.getProjectPolicy()
+        const envPolicy = getPasswordEnvPolicy()
+
+        return PasswordPolicySchema.parse({
+            ...defaultPasswordPolicy,
+            ...projectPolicy,
+            ...envPolicy
+        }) as IPasswordPolicy
+    }
+
+    private async getProjectPolicy(): Promise<Partial<IPasswordPolicy>> {
+        return this.projectPolicy
+            ? PartialPasswordPolicySchema.parse(this.projectPolicy)
+            : {}
+    }
+}
+
+export default PasswordPolicyResolver
+export {PasswordPolicyResolver}

package/src/routes/UserRoutes.ts

@@ -10,6 +10,7 @@ import {
 } from "../schemas/PasswordSchema.js";
 import {SwitchTenantBodyRequestSchema, SwitchTenantBodyResponseSchema} from "../schemas/SwitchTenantSchema.js";
 import zod from "zod"
+import {PasswordPolicySchema} from "../schemas/PasswordPolicySchema.js";
 
 async function UserRoutes(fastify, options) {
 
@@ -44,6 +45,16 @@ async function UserRoutes(fastify, options) {
         },
         (req, rep) => controller.auth(req, rep))
 
+    fastify.get('/api/auth/password-policy', {
+        schema: {
+            tags: ['Auth'],
+            response: {
+                200: zod.toJSONSchema(PasswordPolicySchema),
+                500: schemas.jsonErrorBodyResponse,
+            },
+        },
+    }, (req, rep) => controller.passwordPolicy(req, rep))
+
     fastify.get('/api/auth/me', {
         schema: {
             tags: ['Auth'],

package/src/schemas/PasswordPolicySchema.ts

@@ -0,0 +1,29 @@
+import z from "zod";
+
+const PasswordPolicySchemaBase = z.object({
+    minLength: z.number().int().min(1),
+    maxLength: z.number().int().min(1),
+    requireUppercase: z.boolean(),
+    requireLowercase: z.boolean(),
+    requireNumber: z.boolean(),
+    requireSpecialChar: z.boolean(),
+    disallowSpaces: z.boolean(),
+    preventReuse: z.number().int().min(0),
+    expirationDays: z.number().int().min(1).nullable(),
+})
+
+const PasswordPolicySchema = PasswordPolicySchemaBase.refine((
+        policy) =>
+        policy.maxLength >= policy.minLength,
+    {
+        message: "validation.password.maxLength",
+        path: ["maxLength"]
+    }
+);
+
+const PartialPasswordPolicySchema = PasswordPolicySchemaBase.partial();
+
+export {
+    PasswordPolicySchema,
+    PartialPasswordPolicySchema
+}

package/src/schemas/RegisterSchema.ts

@@ -8,9 +8,7 @@ const RegisterBodyRequestSchema = z.object({
     email: email("validation.email.invalid"),
     phone: string({ error: "validation.required" }).optional(),
     password: string({ error: "validation.required" })
-        .min(1, "validation.required")
-        .min(8, "validation.password.min8")
-        .max(64, "validation.password.max64"),
+        .min(1, "validation.required"),
 });
 
 const RegisterBodyResponseSchema = z.object({

package/src/schemas/UserSchema.ts

@@ -17,9 +17,7 @@ const UserBaseSchema = object({
 
 const UserCreateSchema = UserBaseSchema.extend({
     password: string({error: "validation.required"})
-        .min(1, "validation.required")
-        .min(8, "validation.password.min8")
-        .max(64, "validation.password.max64"),
+        .min(1, "validation.required"),
 });
 
 

package/src/services/PasswordPolicyService.ts

@@ -0,0 +1,184 @@
+import {randomInt} from "crypto";
+import {ZodError, ZodType} from "zod";
+import {ValidationError, ZodErrorToValidationError} from "@drax/common-back";
+import type {IUser} from "@drax/identity-share";
+import type {IUserPasswordHistory} from "../interfaces/IUserPasswordHistory";
+import type {IPasswordPolicy} from "@drax/identity-share";
+import type UserPasswordHistoryService from "./UserPasswordHistoryService";
+import type {IUserRepository} from "../interfaces/IUserRepository";
+import AuthUtils from "../utils/AuthUtils.js";
+import PasswordPolicyResolver from "../resolver/PasswordPolicyResolver.js";
+import PasswordPolicySchemaFactory from "../utils/PasswordPolicySchemaFactory.js";
+
+interface IValidatePasswordOptions {
+    field?: string
+    userId?: string
+    currentPasswordHash?: string
+}
+
+class PasswordPolicyService {
+    constructor(
+        private readonly resolver: PasswordPolicyResolver,
+        private readonly userRepository?: IUserRepository,
+        private readonly userPasswordHistoryService?: UserPasswordHistoryService
+    ) {
+    }
+
+    async getFinalPolicy(): Promise<IPasswordPolicy> {
+        return this.resolver.resolve()
+    }
+
+    async getPasswordSchema(): Promise<ZodType<string>> {
+        const policy = await this.getFinalPolicy()
+        return PasswordPolicySchemaFactory.create(policy)
+    }
+
+    async validatePassword(password: string,  options?: IValidatePasswordOptions): Promise<void> {
+        const field = options?.field || "password"
+        try {
+            const schema = await this.getPasswordSchema()
+            await schema.parseAsync(password)
+        } catch (e) {
+            if (e instanceof ZodError) {
+                const validationError = ZodErrorToValidationError(e, {[field]: password})
+                validationError.errors = validationError.errors.map((error) => ({...error, field}))
+                throw validationError
+            }
+            throw e
+        }
+
+        if (options?.userId) {
+            await this.validateReuse(password, options.userId, {
+                field,
+                currentPasswordHash: options.currentPasswordHash
+            })
+        }
+    }
+
+    async generateCompatiblePassword(): Promise<string> {
+        const policy = await this.getFinalPolicy()
+        const uppercaseChars = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+        const lowercaseChars = "abcdefghijkmnopqrstuvwxyz"
+        const numericChars = "0123456789"
+        const specialChars = "!@#$%&*_-+="
+        const fallbackSpecial = policy.disallowSpaces ? "!" : " "
+        const combinedChars = [
+            uppercaseChars,
+            lowercaseChars,
+            numericChars,
+            policy.requireSpecialChar ? specialChars : "",
+            policy.disallowSpaces ? "" : " "
+        ].join("") || `${uppercaseChars}${lowercaseChars}${numericChars}${fallbackSpecial}`
+
+        const chars: string[] = []
+
+        if (policy.requireUppercase) {
+            chars.push(this.randomChar(uppercaseChars))
+        }
+        if (policy.requireLowercase) {
+            chars.push(this.randomChar(lowercaseChars))
+        }
+        if (policy.requireNumber) {
+            chars.push(this.randomChar(numericChars))
+        }
+        if (policy.requireSpecialChar) {
+            chars.push(this.randomChar(specialChars))
+        }
+        if (!chars.length) {
+            chars.push(this.randomChar(`${uppercaseChars}${lowercaseChars}${numericChars}`))
+        }
+
+        while (chars.length < policy.minLength) {
+            chars.push(this.randomChar(combinedChars))
+        }
+
+        const password = this.shuffle(chars).join("").slice(0, policy.maxLength)
+        await this.validatePassword(password)
+        return password
+    }
+
+    async getPasswordExpiration(user: IUser): Promise<{expired: boolean, expiresAt: Date | null}> {
+        const policy = await this.getFinalPolicy()
+        if (!policy.expirationDays) {
+            return {expired: false, expiresAt: null}
+        }
+
+        const lastPasswordChange = await this.getLastPasswordChangeDate(user)
+        if (!lastPasswordChange) {
+            return {expired: false, expiresAt: null}
+        }
+
+        const expiresAt = new Date(lastPasswordChange)
+        expiresAt.setDate(expiresAt.getDate() + policy.expirationDays)
+
+        return {
+            expired: expiresAt.getTime() <= Date.now(),
+            expiresAt
+        }
+    }
+
+    async recordPassword(userId: string, passwordHash: string): Promise<void> {
+        await this.userPasswordHistoryService?.create(userId, passwordHash)
+    }
+
+    private async validateReuse(password: string, userId: string, options?: {field: string, currentPasswordHash?: string}): Promise<void> {
+        const policy = await this.getFinalPolicy()
+        if (!policy.preventReuse) {
+            return
+        }
+
+        const field = options?.field || "password"
+        const recentHashes = await this.getRecentPasswordHashes(userId, policy.preventReuse, options?.currentPasswordHash)
+        const reused = recentHashes.some((item) => AuthUtils.checkPassword(password, item.passwordHash))
+        if (reused) {
+            throw new ValidationError([{field, reason: "validation.password.preventReuse"}])
+        }
+    }
+
+    private async getRecentPasswordHashes(userId: string, limit: number, currentPasswordHash?: string): Promise<IUserPasswordHistory[]> {
+        const recent = await this.userPasswordHistoryService?.findLatestByUserId(userId, limit) || []
+        const hashes = [...recent]
+
+        if (currentPasswordHash && !hashes.some((item) => item.passwordHash === currentPasswordHash)) {
+            hashes.unshift({user: userId, passwordHash: currentPasswordHash})
+        } else if (!currentPasswordHash && this.userRepository) {
+            const user = await this.userRepository.findByIdWithPassword(userId)
+            if (user?.password && !hashes.some((item) => item.passwordHash === user.password)) {
+                hashes.unshift({user: userId, passwordHash: user.password})
+            }
+        }
+
+        return hashes.slice(0, limit)
+    }
+
+    private async getLastPasswordChangeDate(user: IUser): Promise<Date | null> {
+        if (!user?._id || !this.userPasswordHistoryService) {
+            return user?.updatedAt ? new Date(user.updatedAt) : user?.createdAt ? new Date(user.createdAt) : null
+        }
+
+        const latest = await this.userPasswordHistoryService.findLatestByUserId(user._id.toString(), 1)
+        if (latest[0]?.createdAt) {
+            return new Date(latest[0].createdAt)
+        }
+
+        return user?.updatedAt ? new Date(user.updatedAt) : user?.createdAt ? new Date(user.createdAt) : null
+    }
+
+    private randomChar(source: string): string {
+        return source[randomInt(0, source.length)]
+    }
+
+    private shuffle(chars: string[]): string[] {
+        const items = [...chars]
+        for (let i = items.length - 1; i > 0; i -= 1) {
+            const j = randomInt(0, i + 1)
+            const temp = items[i]
+            items[i] = items[j]
+            items[j] = temp
+        }
+        return items
+    }
+}
+
+export default PasswordPolicyService
+export {PasswordPolicyService}

package/src/services/UserPasswordHistoryService.ts

@@ -0,0 +1,23 @@
+import type {IUserPasswordHistoryRepository} from "../interfaces/IUserPasswordHistoryRepository.js";
+import type {IUserPasswordHistory} from "../interfaces/IUserPasswordHistory.js";
+
+class UserPasswordHistoryService {
+    constructor(private readonly repository: IUserPasswordHistoryRepository) {
+    }
+
+    async create(userId: string, passwordHash: string): Promise<IUserPasswordHistory> {
+        return this.repository.create({
+            user: userId,
+            passwordHash
+        })
+    }
+
+    async findLatestByUserId(userId: string, limit: number): Promise<IUserPasswordHistory[]> {
+        if (limit <= 0) {
+            return []
+        }
+        return this.repository.findLatestByUserId(userId, limit)
+    }
+}
+
+export default UserPasswordHistoryService

package/src/services/UserService.ts

@@ -11,12 +11,20 @@ import {AbstractService} from "@drax/crud-back";
 import {randomUUID} from "crypto"
 import UserLoginFailServiceFactory from "../factory/UserLoginFailServiceFactory.js";
 import UserSessionServiceFactory from "../factory/UserSessionServiceFactory.js";
+import type PasswordPolicyService from "./PasswordPolicyService";
+import PasswordPolicyServiceFactory from "../factory/PasswordPolicyServiceFactory.js";
+import type UserPasswordHistoryService from "./UserPasswordHistoryService.js";
+import UserPasswordHistoryServiceFactory from "../factory/UserPasswordHistoryServiceFactory.js";
 
 class UserService extends AbstractService<IUser, IUserCreate, IUserUpdate> {
 
     _repository: IUserRepository
 
-    constructor(userRepository: IUserRepository) {
+    constructor(
+        userRepository: IUserRepository,
+        private readonly passwordPolicyService: PasswordPolicyService = PasswordPolicyServiceFactory(),
+        private readonly userPasswordHistoryService: UserPasswordHistoryService = UserPasswordHistoryServiceFactory()
+    ) {
         super(userRepository, UserBaseSchema);
         this._repository = userRepository;
     }
@@ -75,7 +83,7 @@ class UserService extends AbstractService<IUser, IUserCreate, IUserUpdate> {
         user = await this.findByEmail(email)
 
         if (!user && createIfNotFound) {
-            userData.password = userData.password ? userData.password : randomUUID()
+            userData.password = userData.password ? userData.password : await this.passwordPolicyService.generateCompatiblePassword()
             userData.active = userData.active === undefined ? true : userData.active
             user = await this.create(userData)
         }
@@ -105,8 +113,14 @@ class UserService extends AbstractService<IUser, IUserCreate, IUserUpdate> {
     async changeUserPassword(userId: string, newPassword: string):Promise<IUser> {
         const user = await this._repository.findByIdWithPassword(userId)
         if (user) {
-            newPassword = AuthUtils.hashPassword(newPassword)
-            await this._repository.changePassword(userId, newPassword)
+            await this.passwordPolicyService.validatePassword(newPassword,  {
+                field: 'newPassword',
+                userId,
+                currentPasswordHash: user.password
+            })
+            const newPasswordHash = AuthUtils.hashPassword(newPassword)
+            await this._repository.changePassword(userId, newPasswordHash)
+            await this.userPasswordHistoryService.create(userId, newPasswordHash)
             delete user.password
             return user
         } else {
@@ -124,8 +138,14 @@ class UserService extends AbstractService<IUser, IUserCreate, IUserUpdate> {
             }
 
             if (AuthUtils.checkPassword(currentPassword, user.password)) {
-                newPassword = AuthUtils.hashPassword(newPassword)
-                await this._repository.changePassword(userId, newPassword)
+                await this.passwordPolicyService.validatePassword(newPassword,  {
+                    field: 'newPassword',
+                    userId,
+                    currentPasswordHash: user.password
+                })
+                const newPasswordHash = AuthUtils.hashPassword(newPassword)
+                await this._repository.changePassword(userId, newPasswordHash)
+                await this.userPasswordHistoryService.create(userId, newPasswordHash)
                 delete user.password
                 return user
             } else {
@@ -167,8 +187,14 @@ class UserService extends AbstractService<IUser, IUserCreate, IUserUpdate> {
         try {
             const user = await this._repository.findByRecoveryCode(recoveryCode)
             if (user && user.active) {
-                newPassword = AuthUtils.hashPassword(newPassword)
-                await this._repository.changePassword(user._id, newPassword)
+                await this.passwordPolicyService.validatePassword(newPassword, {
+                    field: 'newPassword',
+                    userId: user._id.toString(),
+                    currentPasswordHash: user.password
+                })
+                const newPasswordHash = AuthUtils.hashPassword(newPassword)
+                await this._repository.changePassword(user._id, newPasswordHash)
+                await this.userPasswordHistoryService.create(user._id.toString(), newPasswordHash)
                 await this._repository.updatePartial(user._id, {recoveryCode: null})
                 return user
             } else {
@@ -237,10 +263,13 @@ class UserService extends AbstractService<IUser, IUserCreate, IUserUpdate> {
             userData.tenant = userData.tenant === "" ? null : userData.tenant
 
             await UserCreateSchema.parseAsync(userData)
+            await this.passwordPolicyService.validatePassword(userData.password)
 
-            userData.password = AuthUtils.hashPassword(userData.password.trim())
+            const passwordHash = AuthUtils.hashPassword(userData.password.trim())
+            userData.password = passwordHash
 
             const user: IUser = await this._repository.create(userData)
+            await this.userPasswordHistoryService.create(user._id.toString(), passwordHash)
             return user
         } catch (e) {
             console.error("Error creating user", e)

package/src/setup/LoadIdentityConfigFromEnv.ts

@@ -1,5 +1,6 @@
 import {DraxConfig} from "@drax/common-back";
 import IdentityConfig from "../config/IdentityConfig.js";
+import PasswordPolicyConfig from "../config/PasswordPolicyConfig.js";
 
 function LoadIdentityConfigFromEnv() {
 
@@ -10,6 +11,16 @@ function LoadIdentityConfigFromEnv() {
 
     DraxConfig.set(IdentityConfig.RbacCacheTTL, process.env[IdentityConfig.RbacCacheTTL])
     DraxConfig.set(IdentityConfig.AvatarDir, process.env[IdentityConfig.AvatarDir])
+
+    DraxConfig.set(PasswordPolicyConfig.MinLength, process.env[PasswordPolicyConfig.MinLength])
+    DraxConfig.set(PasswordPolicyConfig.MaxLength, process.env[PasswordPolicyConfig.MaxLength])
+    DraxConfig.set(PasswordPolicyConfig.RequireUppercase, process.env[PasswordPolicyConfig.RequireUppercase])
+    DraxConfig.set(PasswordPolicyConfig.RequireLowercase, process.env[PasswordPolicyConfig.RequireLowercase])
+    DraxConfig.set(PasswordPolicyConfig.RequireNumber, process.env[PasswordPolicyConfig.RequireNumber])
+    DraxConfig.set(PasswordPolicyConfig.RequireSpecialChar, process.env[PasswordPolicyConfig.RequireSpecialChar])
+    DraxConfig.set(PasswordPolicyConfig.DisallowSpaces, process.env[PasswordPolicyConfig.DisallowSpaces])
+    DraxConfig.set(PasswordPolicyConfig.PreventReuse, process.env[PasswordPolicyConfig.PreventReuse])
+    DraxConfig.set(PasswordPolicyConfig.ExpirationDays, process.env[PasswordPolicyConfig.ExpirationDays])
 }
 
 export default LoadIdentityConfigFromEnv

package/src/setup/SetProjectPasswordPolicy.ts

@@ -0,0 +1,12 @@
+import type {IPasswordPolicyProject} from "@drax/identity-share";
+import PasswordPolicyResolverFactory from "../factory/PasswordPolicyResolverFactory.js";
+
+
+function SetProjectPasswordPolicy(projectPasswordPolicy: IPasswordPolicyProject){
+
+    const passwordPolicyResolver = PasswordPolicyResolverFactory()
+    passwordPolicyResolver.setProjectPolicy(projectPasswordPolicy)
+}
+
+export default SetProjectPasswordPolicy
+export {SetProjectPasswordPolicy}

package/src/utils/PasswordPolicySchemaFactory.ts

@@ -0,0 +1,47 @@
+import z from "zod";
+import type {IPasswordPolicy} from "@drax/identity-share";
+
+class PasswordPolicySchemaFactory {
+    private static cache = new Map<string, z.ZodType<string>>()
+
+    static create(policy: IPasswordPolicy): z.ZodType<string> {
+        const cacheKey = JSON.stringify(policy)
+        const cached = this.cache.get(cacheKey)
+        if (cached) {
+            return cached
+        }
+
+        let schema = z.string({error: "validation.required"})
+            .min(1, "validation.required")
+            .min(policy.minLength, "validation.password.minLength")
+            .max(policy.maxLength, "validation.password.maxLength")
+
+        if (policy.requireUppercase) {
+            schema = schema.regex(/[A-Z]/, "validation.password.requireUppercase")
+        }
+
+        if (policy.requireLowercase) {
+            schema = schema.regex(/[a-z]/, "validation.password.requireLowercase")
+        }
+
+        if (policy.requireNumber) {
+            schema = schema.regex(/[0-9]/, "validation.password.requireNumber")
+        }
+
+        if (policy.requireSpecialChar) {
+            schema = schema.regex(/[^A-Za-z0-9]/, "validation.password.requireSpecialChar")
+        }
+
+        if (policy.disallowSpaces) {
+            schema = schema.refine((value) => !/\s/.test(value), {
+                message: "validation.password.disallowSpaces"
+            })
+        }
+
+        this.cache.set(cacheKey, schema)
+        return schema
+    }
+}
+
+export default PasswordPolicySchemaFactory
+export {PasswordPolicySchemaFactory}

package/src/utils/getPasswordEnvPolicy.ts

@@ -0,0 +1,25 @@
+import type {IPasswordPolicy} from "@drax/identity-share";
+import {DraxConfig} from "@drax/common-back";
+import PasswordPolicyConfig from "../config/PasswordPolicyConfig.js";
+import {PartialPasswordPolicySchema} from "../schemas/PasswordPolicySchema.js";
+
+function getPasswordEnvPolicy(): Partial<IPasswordPolicy> {
+    const envPolicy = {
+        minLength: DraxConfig.getOrLoad(PasswordPolicyConfig.MinLength, "number"),
+        maxLength: DraxConfig.getOrLoad(PasswordPolicyConfig.MaxLength, "number"),
+        requireUppercase: DraxConfig.getOrLoad(PasswordPolicyConfig.RequireUppercase, "boolean"),
+        requireLowercase: DraxConfig.getOrLoad(PasswordPolicyConfig.RequireLowercase, "boolean"),
+        requireNumber: DraxConfig.getOrLoad(PasswordPolicyConfig.RequireNumber, "boolean"),
+        requireSpecialChar: DraxConfig.getOrLoad(PasswordPolicyConfig.RequireSpecialChar, "boolean"),
+        disallowSpaces: DraxConfig.getOrLoad(PasswordPolicyConfig.DisallowSpaces, "boolean"),
+        preventReuse: DraxConfig.getOrLoad(PasswordPolicyConfig.PreventReuse, "number"),
+        expirationDays: DraxConfig.getOrLoad(PasswordPolicyConfig.ExpirationDays, "number")
+    }
+
+    return PartialPasswordPolicySchema.parse(
+        Object.fromEntries(Object.entries(envPolicy).filter(([, value]) => value !== undefined))
+    )
+}
+
+export default getPasswordEnvPolicy
+export {getPasswordEnvPolicy}

package/test/data-obj/users/root-mongo-user.ts

@@ -6,7 +6,7 @@ const user = {
   groups: [],
   username:  "root",
   email: "root@example.com",
-  password: "12345678",
+  password: "Root1234",
   name: "root",
   phone: "123456789",
   role: "646a661e44c93567c23d8d62",

package/test/data-obj/users/root-sqlite-user.ts

@@ -6,7 +6,7 @@ const user = {
   groups: [],
   username:  "root",
   email: "root@example.com",
-  password: "123",
+  password: "Root1234",
   name: "root",
   phone: "123456789",
   avatar: "asd",

package/test/endpoints/data/users-data.ts

@@ -2,7 +2,7 @@ import {IUserCreate} from "@drax/identity-share";
 
 const USER1: IUserCreate = {
     active: true,
-    password: "12345678",
+    password: "User1234",
     phone: "",
     role: "",
     name: "John Wick",
@@ -11,7 +11,7 @@ const USER1: IUserCreate = {
 }
 const USER2: IUserCreate = {
     active: true,
-    password: "12345678",
+    password: "User1234",
     phone: "",
     role: "",
     name: "John Rambo",
@@ -20,7 +20,7 @@ const USER2: IUserCreate = {
 }
 const USER3: IUserCreate = {
     active: true,
-    password: "12345678",
+    password: "User1234",
     phone: "",
     role: "",
     name: "John Depp",

package/test/endpoints/password-policy-route.test.ts

@@ -0,0 +1,33 @@
+import {afterAll, beforeAll, describe, expect, it} from "vitest";
+import {LoadIdentityConfigFromEnv} from "../../src/setup/LoadIdentityConfigFromEnv.js";
+import {TestSetup} from "../setup/TestSetup";
+
+describe("Password Policy Route Test", () => {
+    const testSetup = new TestSetup("sqlite")
+
+    beforeAll(async () => {
+        await testSetup.setup()
+        process.env.PASSWORD_POLICY_REQUIRE_SPECIAL_CHAR = "true"
+        process.env.PASSWORD_POLICY_MIN_LENGTH = "18"
+        LoadIdentityConfigFromEnv()
+    })
+
+    afterAll(async () => {
+        delete process.env.PASSWORD_POLICY_MIN_LENGTH
+        delete process.env.PASSWORD_POLICY_REQUIRE_SPECIAL_CHAR
+        await testSetup.dropAndClose()
+    })
+
+    it("returns the final effective policy", async () => {
+        const response = await testSetup.fastifyInstance.inject({
+            method: "GET",
+            url: "/api/auth/password-policy"
+        })
+
+        expect(response.statusCode).toBe(200)
+        const body = response.json()
+        expect(body.minLength).toBe(18)
+        expect(body.requireSpecialChar).toBe(true)
+        expect(body.requireUppercase).toBe(true)
+    })
+})