Hi All,

We have [3276] from Romain about removing client ID / secret RegEx checks from the "reset" password API.

The original checks were added in [2197] when the "reset" API was first introduced. IIRC, the only reason for these checks was to ensure the values provided by the user via the "reset" API match the patterns of Polaris-generated values. However, Polaris code itself does not depend on any particular format for these values.

Given that the reset API is protected by AuthZ checks (requires admin access), the risk of overly long values being injected through the reset API is rather minimal, IMHO. I believe removing the format checks is reasonable so as to allow more flexibility on the user side.

PR [3276] was submitted for review on Dec 15 and LGTM. I'm going to merge on Dec 19 if there are no objections.

I'm posting here for good measure since the affected API is related to user credentials and may be considered sensitive.

[2197] https://github.com/apache/polaris/pull/2197
[3276] https://github.com/apache/polaris/pull/3276

Cheers,
Dmitri.
