Merge pull request #81 from deanilvincent/v3

V3 - allow all symbols by default, set the default min length to 12 instead of 10, fix license filename (fix #78)

.github/workflows/codacy-analysis.yml → .github/workflows/codacy.yml

@@ -1,3 +1,8 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
 # This workflow checks out code, performs a Codacy security scan
 # and integrates the results with the
 # GitHub Advanced Security code scanning feature.  For more information on
@@ -10,25 +15,32 @@ name: Codacy Security Scan
 
 on:
   push:
-    branches: [ master, releases/* ]
+    branches: [ "master", "releases/*" ]
   pull_request:
     # The branches below must be a subset of the branches above
-    branches: [ master ]
+    branches: [ "master" ]
   schedule:
-    - cron: '21 11 * * 2'
+    - cron: '24 0 * * 2'
+
+permissions:
+  contents: read
 
 jobs:
   codacy-security-scan:
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
     name: Codacy Security Scan
     runs-on: ubuntu-latest
     steps:
       # Checkout the repository to the GitHub Actions runner
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
 
       # Execute Codacy Analysis CLI and generate a SARIF output with the security issues identified during the analysis
       - name: Run Codacy Analysis CLI
-        uses: codacy/codacy-analysis-cli-action@1.1.0
+        uses: codacy/codacy-analysis-cli-action@d840f886c4bd4edc059706d09c6a1586111c540b
         with:
           # Check https://github.com/codacy/codacy-analysis-cli#project-token to get your project token from your Codacy repository
           # You can also omit the token and run the tools that support default configurations
@@ -44,6 +56,6 @@ jobs:
 
       # Upload the SARIF file generated in the previous step
       - name: Upload SARIF results file
-        uses: github/codeql-action/upload-sarif@v1
+        uses: github/codeql-action/upload-sarif@v3
         with:
           sarif_file: results.sarif

.github/workflows/node.yml

@@ -0,0 +1,31 @@
+# This workflow will do a clean installation of node dependencies, cache/restore them, build the source code and run tests across different versions of node
+# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-nodejs
+
+name: Node.js CI
+
+on:
+  push:
+    branches: [ "master", "releases/*" ]
+  pull_request:
+    branches: [ "master", "releases/*" ]
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        node-version: [22.x]
+        # See supported Node.js release schedule at https://nodejs.org/en/about/releases/
+
+    steps:
+    - uses: actions/checkout@v4
+    - name: Use Node.js ${{ matrix.node-version }}
+      uses: actions/setup-node@v4
+      with:
+        node-version: ${{ matrix.node-version }}
+        cache: 'npm'
+    - run: npm ci
+    - run: npm run build --if-present
+    - run: npm test

README.md

@@ -1,7 +1,7 @@
 
 # Overview
 
-A simple way to check that password strength of a certain passphrase. A password strength checker based from [Javascript RegEx](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions).
+A simple way to check that password strength of a certain passphrase. The library is fully typed.
 
 [![Build status](https://dev.azure.com/dv-github-repos/check-password-strength/_apis/build/status/check-password-strength-CI)](https://dev.azure.com/dv-github-repos/check-password-strength/_build/latest?definitionId=12) 
 
@@ -20,13 +20,14 @@ A simple way to check that password strength of a certain passphrase. A password
 ### Install via Browser Script Tag using [UNPKG](https://unpkg.com/)
 
 ```html
-<script src="https://unpkg.com/check-password-strength/dist/umd.js"></script>
+<script src="https://unpkg.com/check-password-strength/dist/umd.cjs"></script>
 <script type="text/javascript">
     const passwordStrength = checkPasswordStrength.passwordStrength('pwd123').value; // 'Weak'
 </script>
 ```
 
 ## Setup & Basic Usage
+
 ```javascript
 const { passwordStrength } = require('check-password-strength')
 // OR
@@ -45,46 +46,27 @@ console.log(passwordStrength('A@2asdF2020!!*').value)
 // Strong
 ```
 
-## Additional Info
+## API
 
-### Object Result
-| Property | Desc.                                                           |
-| -------- | --------------------------------------------------------------- |
-| id       | **0** = Too weak, **1** = Weak & **2** = Medium, **3** = Strong |
-| value    | Too weak, Weak, Medium & Strong                                 |
-| contains | lowercase, uppercase, symbol and/or number                      |
-| length   | length of the password                                          |
+### arguments
 
-### Password Length Default Options
-| Name     | Mininum Diversity | Mininum Length |
-| -------- | ----------------- | -------------- |
-| Too weak | 0                 | 0              |
-| Weak     | 2                 | 6              |
-| Medium   | 4                 | 8              |
-| Strong   | 4                 | 10             |
+The `passwordStrength` takes 3 arguments:
 
-```javascript
-console.log(passwordStrength('@Sdfasd2020!@#$'))
-// output 
-{ 
-    "id": 1, 
-    "value": "Strong",
-    "contains": ['lowercase', 'uppercase', 'symbol', 'number'],
-    "length": 15
-}
-```
+- `password` (string): the user password
+- `options` (array — optional): an option to override the default complexity required to match your password policy. See below.
+- `restrictSymbolsTo` (string — optional): 
+  - By default, the `passwordStrength` function checks against all characters except for the 26 Latin lowercase letters, 26 uppercase letters, and 10 digits. This includes OWASP-recommended characters, accented letters, other alphabets, and emojis.
+  - If you wish to apply restrictions, you can provide a custom string. This string should consist of unescaped symbol characters, which will be utilized internally in a RegExp expression in the following format: `[${escapeStringRegexp(restrictSymbolsTo)}]`.
+  - Additionally, you can import and use the owaspSymbols to limit the symbols to those recommended by OWASP.
 
-### Default Options
-
-The default symbols are based from **Password Special Characters [OWASP](https://owasp.org/www-community/password-special-characters)** list (except for the space)
-```
-!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
-```
-Thanks for [jlherren](https://github.com/jlherren) & [Ennoriel](https://github.com/Ennoriel) for this suggestion! 👨🏻‍💻👨🏻‍💻
+**Password Default Options**
 
 The default options can be required:
+
 ```javascript
 const { defaultOptions } = require("./index");
+// OR
+import { defaultOptions } from 'check-password-strength'
 ```
 
 default options:
@@ -100,19 +82,19 @@ default options:
     id: 1,
     value: "Weak",
     minDiversity: 2,
-    minLength: 6
+    minLength: 8
   },
   {
     id: 2,
     value: "Medium",
     minDiversity: 4,
-    minLength: 8
+    minLength: 10
   },
   {
     id: 3,
     value: "Strong",
     minDiversity: 4,
-    minLength: 10
+    minLength: 12
   }
 ]
 ```
@@ -124,57 +106,35 @@ To override the default options, simply pass your custom array as the second arg
   - minDiversity: between 0 and 4, correspond to the minimum of different criterias ('lowercase', 'uppercase', 'symbol', 'number') that should be met to pass the password strength
   - minLength: minimum length of the password that should be met to pass the password strength
 
-The `minDiversity` and `minLength` parameters of the first element cannot be overriden (set to 0 at the beginning of the method). Therefore, the first element should always correspond to a "too weak" option.
+**You can use an array containing fewer or more than four items to define the levels of trust.** However, the first element must have both the minDiversity and minLength parameters set to 0. This means that the first element should always represent a "too weak" option.
 
-```javascript
-passwordStrength('myPassword', yourCustomOptions)
-```
-### RegEx
-**Strong**
-```
- ^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])(?=.*[!@#$%^&*"'()+,-./:;<=>?[\]^_`{|}~])(?=.{10,})
- ```
-
-**Medium Password RegEx used:** 
-```
- ^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])(?=.*[!@#$%^&*"'()+,-./:;<=>?[\]^_`{|}~])(?=.{8,})
- ```
-
-| RegEx                                     | Desc.                                                               |
-| ----------------------------------------- | ------------------------------------------------------------------- |
-| ^                                         | The password string will start this way                             |
-| (?=.*[a-z])                               | The string must contain at least 1 lowercase alphabetical character |
-| (?=.*[A-Z])                               | The string must contain at least 1 uppercase alphabetical character |
-| (?=.*[0-9])                               | The string must contain at least 1 numeric character                |
-| (?=.[!"#$%&'()*+,-./:;<=>?@[\\]^_`{\|}~])) | The string must contain at least one special character              |
-| (?=.{10,})                                | The string must be eight characters or longer for Strong strength   |
-| (?=.{8,})                                 | The string must be eight characters or longer for Medium strength   |
-| (?=.{6,})                                 | Mininum of 6 characters for Weak strength                           |
-
-## TypeScript type declarations &#9745; 
-Available starting version `v2.0.3` and above. (Thanks to [@Mesoptier!](https://github.com/Mesoptier))
-
-## Other resources
-
-##### For .NET Project
-If you're working with .net core project, I've created a simple nuget package with same RegEx strings to validate a password strength.
+### Result
 
-You can easily install via Nuget Package Manager or .NET CLI ([Check.Password.Strength](https://github.com/deanilvincent/Check.Password.Strength)). This package uses Regular Expression `new Regex()` derives from `System.Text.RegularExpressions`. You can use this especially if you want to validate the passcode strength on backend services or web apis of your project.
+The result is an object containing the following values (unless you override the `options`):
 
-##### Other NPM RegEx validator
-I also made another NPM package ([hey-regex](https://www.npmjs.com/package/hey-regex)) that checks common inputs like numbers (whole number and decimal), alpha numeric, email and url. This package only returns `true` or `false` based from the selected function (with RegEx `.test()` inside).
+| Property | Desc.                                                           |
+| -------- | --------------------------------------------------------------- |
+| id       | **0** = Too weak, **1** = Weak & **2** = Medium, **3** = Strong |
+| value    | Too weak, Weak, Medium & Strong                                 |
+| contains | lowercase, uppercase, number and / or symbol                    |
+| length   | length of the password                                          |
 
-Reference [blog](https://www.thepolyglotdeveloper.com/2015/05/use-regex-to-test-password-strength-in-javascript/).
+If you want to translate the value (Too weak → Trop faible), you can translate it based on the return value, or override the `defaultOptions` option, which will be passed back as the function's return value.
 
-### Contribute
+## Contribute
 
 Feel free to clone or fork this project:  `https://github.com/deanilvincent/check-password-strength.git`
 
 Contributions & pull requests are welcome!
 
 I'll be glad if you give this project a ★ on [Github](https://github.com/deanilvincent/check-password-strength) :)
 
+## changelog
+
+- v3: allow all symbols by default (any character except the 26 latin lowercase, uppercase letters and 10 digits) & set the default min length to 12 instead of 10
+- v2: allow configuration through `options` object
+- v1: first version
+
 ***
-Kudos to [@Ennoriel](https://github.com/Ennoriel) and his efforts for making v2.x.x possible!
-### License
-This project is licensed under the MIT License - see the [LICENSE.md](https://github.com/deanilvincent/check-password-strength/blob/master/LICENSE.md/) file for details.
+
+Kudos to [@Ennoriel](https://github.com/Ennoriel) and his efforts for making v2 and v3 possible!

dist/index.d.ts

@@ -14,6 +14,8 @@ export type Options<V> = [FirstOption<V>, ...Option<V>[]];
 
 export const defaultOptions: Options<string>;
 
+export const owaspSymbols: string;
+
 export type DiversityType = "lowercase" | "uppercase" | "symbol" | "number";
 
 export interface Result<V> {
@@ -26,5 +28,5 @@ export interface Result<V> {
 export function passwordStrength<V = string>(
   password: string,
   options?: Options<V>,
-  allowedSymbols?: string,
+  restrictSymbolsTo?: string | undefined,
 ): Result<V>;