breakfix: respect password policy from users.json

[tribor]

• I changed the settings in the users.json to acceppt one-character-passwords (in combination with MFA)
• reloaded Caddy
• in the UI (User Dashboard) I tried then to update my password to a password with only one character. An error occurs
  The password is non compliant. It should contain 8-254 characters

This seems to be hardcoded in the UI, because the min_length and max_length in users.json are set to 1 and 128

Configuration
users.json:

{
  "version": "1.1.4",
  "policy": {
    "password": {
      "keep_versions": 2,
      "min_length": 1,
      "max_length": 128,
      "require_uppercase": false,
      "require_lowercase": false,
      "require_number": false,
      "require_non_alpha_numeric": false,
      "block_reuse": false,
      "block_password_change": false
    },
    "user": {
      "min_length": 3,
      "max_length": 50,
      "allow_non_alpha_numeric": false,
      "allow_uppercase": false
    }
  },
[..]

Version Information

http.authentication.hashes.bcrypt v2.7.6
http.authentication.hashes.scrypt v2.7.6
http.authentication.providers.http_basic v2.7.6
http.handlers.authentication v2.7.6
tls.client_auth.leaf v2.7.6
http.authentication.providers.authorizer v1.1.29
http.handlers.authenticator v1.1.29
security v1.1.29

Expected behavior

-> The settings in the users.json should allow me so set this short password.

In general, the settings of the file and the user dashbaords should match. The check during input in the UI should therefore use the corresponding values of the file as threshold values.

In addition, it would be useful if the UI had a section for managing the password policy

[greenpau]

@tribor , I will soon begin the redesign of users database. Will take this into account. Thank you for reporting this!