Skip to content

fix: live password policy checklist and translated modal errors (#7301)#7303

Open
woodyardae wants to merge 1 commit into
mailcow:stagingfrom
woodyardae:fix/7301-password-error-message
Open

fix: live password policy checklist and translated modal errors (#7301)#7303
woodyardae wants to merge 1 commit into
mailcow:stagingfrom
woodyardae:fix/7301-password-error-message

Conversation

@woodyardae

@woodyardae woodyardae commented Jun 22, 2026

Copy link
Copy Markdown

Summary

Fixes #7301

When a mailbox user is forced to change their password at first login and submits a password that fails complexity checks, the modal showed the raw internal key password_complexity instead of a translated message.

This PR:

  • Resolves forced-change modal AJAX errors through lang_danger (e.g. Password does not meet the policy).
  • Adds a live, sitewide password policy checklist (disabled checkboxes that tick as requirements are met while typing) for all data-hibp password fields, including #ChangePWModal.
  • Centralizes interactive policy HTML in password_complexity('html') with proper HTML escaping.
  • Wires shared validation in 013-mailcow.js (HIBP-aware DOM helpers, show/hide toggles, confirm-field match handling).
  • Adds password_policy_match to 33 locale files (including minimal lang.az-az.json).

Scope note for maintainers

  • Touches all shipped locale JSON files for the new admin.password_policy_match string.
  • 013-mailcow.js is served via mailcow's existing JS minifier/cache pipeline (footer.inc.php → content hash → /cache/<hash>.js); no separate build step required.
  • Confirm-password match row is hidden automatically on single-field passwords (relayhost/transport).

Live testing

Deployed commit 75821e33 on test-stax (18/18 containers healthy, php-fpm restarted). Full test notes and reconciliation of automated runs are in the fork PR: woodyardae/mailcow-dockerized#1.

# Test Result
1 Policy HTML API returns checklist markup Pass
2 Generate-password ticks all checkboxes + match Pass
3 HIBP breach check with input-group wrapper Pass
4 Show/hide toggle on data-hibp fields Pass
5 Single-field passwords — match row hidden Pass
6 Forced-change modal weak password → translated error + live checkboxes Pass
7 Locale spot-check (de-de) Pass
8 Admin forced-change path (/api/v1/edit/admin) Pass
9 Optional password mailbox edit — blank password save Pass
10 JS cache/minifier behavior Pass
11 aria-live accessibility Pass

Test plan

  • Deploy to test-stax and verify container health
  • Forced-change modal shows translated lang_danger message (not raw password_complexity)
  • Live password policy checklist updates while typing on data-hibp fields
  • Generate-password, HIBP, and show/hide toggles work with new DOM helpers
  • Single-field password forms hide confirm-match row
  • Admin forced-change path via /api/v1/edit/admin
  • Locale strings present (password_policy_match in 33 lang files)
  • Screenshots — optional; can add in a follow-up comment if maintainers want UI captures

Fixes #7301

@woodyardae
woodyardae force-pushed the fix/7301-password-error-message branch from 97be301 to 75821e3 Compare June 22, 2026 06:44
@milkmaker

Copy link
Copy Markdown
Collaborator

Thanks for contributing!

I noticed that you didn't select staging as your base branch. Please change the base branch to staging.
See the attached picture on how to change the base branch to staging:

check_prs_if_on_staging.png

@woodyardae woodyardae changed the title fix(ui): translate password_complexity errors and add live policy checklist (#7301) fix: live password policy checklist and translated modal errors (#7301) Jun 22, 2026
@milkmaker

Copy link
Copy Markdown
Collaborator

Thanks for contributing!

I noticed that you didn't select staging as your base branch. Please change the base branch to staging.
See the attached picture on how to change the base branch to staging:

check_prs_if_on_staging.png

@woodyardae
woodyardae changed the base branch from master to staging June 23, 2026 01:03
…cow#7301)

The forced password-change modal (#ChangePWModal) uses AJAX, so PHP's
alertbox_log_parser() never runs and the UI was showing the raw internal
key password_complexity. Resolve AJAX errors through lang_danger and add a
live password policy checklist (disabled checkboxes that tick as rules are
met while typing) for the modal and all data-hibp password fields.

- Centralize interactive policy HTML in password_complexity('html')
- Wire shared validation in 013-mailcow.js (mirrors password_check())
- Add show/hide password toggles for data-hibp fields
- Add admin.password_policy_match to all locale files
- Fix invalid trailing commas in ja-jp, ko-kr, zh-cn, zh-tw locale JSON

Fixes mailcow#7301

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Agent: Cursor
@woodyardae
woodyardae force-pushed the fix/7301-password-error-message branch from 75821e3 to 3db572d Compare June 23, 2026 01:05
@woodyardae

Copy link
Copy Markdown
Author

Retargeted to staging as requested. Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Password complexity error message is not user-friendly

2 participants