Validation only password and confirmation and there was an error

[jlopes90]

PHP Version

7.4.30

CodeIgniter4 Version

4.2.3

Shield Version

develop

Which operating systems have you tested for this bug?

Windows

Which server did you use?

apache

Database

MySQL 5.7.36

Did you customize Shield?

No Yes.

What happened?

I filled in the form with password and confirm password and validation failed.

Steps to Reproduce

public function resetAction()
{
    $rules = [
        'password' => [
            'required',
            'strong_password'
        ],
        'password_confirm' => [
            'required',
            'matches[password]',
        ],
    ];
    
    if (!$this->validate($rules)) {
        return redirect()->back()->withInput()->with('errors', $this->validator->getErrors());
    }

    {...}
}

Expected Output

Anything else?

No response

[kenjis]

I think Shied does not provide Rest Password page.

[datamweb]

Hey @jlopes90 , Thanks for your report,
The page you provided is a custom page with custom code.
Therefore, we cannot consider the issue as a bug.
Maybe someone can help you by providing more details of your custom code in the discussion section.

Do you agree with me to move this topic to the discussion section?

[jlopes90]

Do you agree with me to move this topic to the discussion section?

yes

[jlopes90]

Because strong_password gave error, without this it works.

[datamweb]

I suggest you provide more details about the controller, view or any other file that you have changed.

[jlopes90]

The fields return username, email and password and the email post is an empty string so user forces the setEmail() call which gives an error.

shield/src/Authentication/Passwords/ValidationRules.php

Lines 56 to 69 in a76b35e

	/**
	* Builds a new user instance from the global request.
	*/
	protected function buildUserFromRequest(): User
	{
	$fields = $this->prepareValidFields();
	/** @var IncomingRequest $request */
	$request = service('request');
	$data = $request->getPost($fields);
	return new User($data);
	}

protected function buildUserFromRequest(): User 
{ 
    $fields = $this->prepareValidFields(); 
    
    /** @var IncomingRequest $request */ 
    $request = service('request'); 
    
    $data = $request->getPost($fields);
    
    if (empty($data['username'])){
      unset($data['username']);
    }
    if (empty($data['email'])){
      unset($data['email']);
    }
    
    return new User($data);
}

---

Forces to validate email is empty string, the result gives an error, I used to check if email is empty, just ignore it.

shield/src/Authentication/Passwords/NothingPersonalValidator.php

Lines 68 to 87 in a76b35e

	// Parse out as many pieces as possible from username, password and email.
	// Use the pieces as needles and haystacks and look every which way for matches.
	if ($valid) {
	// Take username apart for use as search needles
	$needles = $this->strip_explode($userName);
	// extract local-part and domain parts from email as separate needles
	[
	$localPart,
	$domain,
	] = \explode('@', $email);
	// might be [email protected] and we want all the needles we can get
	$emailParts = $this->strip_explode($localPart);
	if (! empty($domain)) {
	$emailParts[] = $domain;
	}
	$needles = \array_merge($needles, $emailParts);
	// Get any other "personal" fields defined in config
	$personalFields = $this->config->personalFields;

// Parse out as many pieces as possible from username, password and email.
// Use the pieces as needles and haystacks and look every which way for matches.
if ($valid) {
    // Take username apart for use as search needles
    $needles = $this->strip_explode($userName);

    // If you don't use email
    if (!empty($email)) {

        // extract local-part and domain parts from email as separate needles
        [
            $localPart,
            $domain,
        ] = explode('@', $email);
        // might be [email protected] and we want all the needles we can get
        $emailParts = $this->strip_explode($localPart);
        if (!empty($domain)) {
            $emailParts[] = $domain;
        }
        $needles = array_merge($needles, $emailParts);
    }

    // Get any other "personal" fields defined in config
    $personalFields = $this->config->personalFields;

    {...}
}

---

I edited it but I know it's not a good idea.

[kenjis]

Add email address to the data to validate.
strong_password needs email address to check.

[jlopes90]

I did like this:

1. Forgot password is sent.
2. Receive email and open link .../reset?email=xxx&token=xxx.
3. The password reset form appears, the e-mail and the token are hidden in the input and fill in password and confirm.
4. And save change and that's it.