sha174n commented on PR #40670: URL: https://github.com/apache/superset/pull/40670#issuecomment-4691650141
Confirmed the usual paths are unaffected (`add_user()`/`fab create-admin` bypass the validator; only forms + the User REST API enforce), and the unit tests pass. Two suggestions:

1. **Default `AUTH_PASSWORD_MIN_LENGTH` to 12, not 8.** ASVS's length bar is 12; 8 is the older NIST floor, so the default is slightly weaker than the standard this targets. Still operator-configurable.

2. **Add one integration test through the real FAB path** (e.g. `POST /api/v1/security/users/` with a too-short password expecting a 4xx). The unit tests cover the validator function, but nothing asserts it's wired into the form/API layer; a future Flask-AppBuilder bump could drop enforcement with no test failing.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
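The shape of the integration test suggested in point 2, as an added example that is not code from the Superset PR or from Flask-AppBuilder: the check drives a request through the user-create endpoint and asserts on the HTTP status, instead of calling the validator function directly, so that a handler that silently stops calling the validator fails the test. Flask/FAB are replaced by a small stdlib WSGI app so it runs offline; the config key `AUTH_PASSWORD_MIN_LENGTH` and the path `/api/v1/security/users/` are taken from the comment above, while the app, the `validate_password` function, the 422 status and the helper names are assumptions made for this example.

```python
"""Hypothetical stand-in for password-length enforcement at the REST layer.
Added example; not Superset or Flask-AppBuilder code. The config key and the
endpoint path come from the PR discussion; everything else is constructed."""
import io
import json
from typing import Optional
from wsgiref.util import setup_testing_defaults

# Default matches the ASVS length bar suggested in the review, not the older 8.
DEFAULT_CONFIG = {"AUTH_PASSWORD_MIN_LENGTH": 12}


def validate_password(password: str, config: dict) -> list:
    """Return a list of validation errors (empty list means acceptable)."""
    min_len = int(config.get("AUTH_PASSWORD_MIN_LENGTH",
                             DEFAULT_CONFIG["AUTH_PASSWORD_MIN_LENGTH"]))
    errors = []
    if len(password) < min_len:
        errors.append(f"password must be at least {min_len} characters")
    return errors


def make_app(config: dict):
    """Build a WSGI app exposing a hypothetical POST /api/v1/security/users/ route."""
    def app(environ, start_response):
        if (environ["PATH_INFO"] != "/api/v1/security/users/"
                or environ["REQUEST_METHOD"] != "POST"):
            start_response("404 Not Found", [("Content-Type", "application/json")])
            return [b'{"message": "not found"}']
        length = int(environ.get("CONTENT_LENGTH") or 0)
        body = json.loads(environ["wsgi.input"].read(length) or b"{}")
        # The enforcement point. If a later refactor or dependency bump stops
        # calling the validator here, the unit tests on validate_password()
        # still pass; only a request-level test notices.
        errors = validate_password(str(body.get("password", "")), config)
        if errors:
            start_response("422 Unprocessable Entity",
                           [("Content-Type", "application/json")])
            return [json.dumps({"message": {"password": errors}}).encode()]
        start_response("201 Created", [("Content-Type", "application/json")])
        return [json.dumps({"id": 1}).encode()]
    return app


def post_json(app, path: str, payload: dict):
    """Drive one request through the WSGI app; return (status_code, decoded body)."""
    raw = json.dumps(payload).encode()
    environ = {}
    setup_testing_defaults(environ)
    environ.update({
        "REQUEST_METHOD": "POST",
        "PATH_INFO": path,
        "CONTENT_TYPE": "application/json",
        "CONTENT_LENGTH": str(len(raw)),
        "wsgi.input": io.BytesIO(raw),
    })
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    chunks = app(environ, start_response)
    body = json.loads(b"".join(chunks) or b"{}")
    return int(captured["status"].split(" ", 1)[0]), body


def create_user_status(password: str, config: Optional[dict] = None) -> int:
    """Integration-style check: HTTP status the endpoint returns for a password."""
    app = make_app(config or DEFAULT_CONFIG)
    status, _ = post_json(app, "/api/v1/security/users/",
                          {"username": "alice", "password": password})  # constructed input
    return status


if __name__ == "__main__":
    print(create_user_status("short8ch"))                                    # 422 under the 12 default
    print(create_user_status("long-enough-pw"))                              # 201
    print(create_user_status("short8ch", {"AUTH_PASSWORD_MIN_LENGTH": 8}))  # 201, operator lowered the bar
```

The assertion worth keeping is the status-code range (any 4xx) rather than the exact 422, since FAB's choice of error code is not something the validator test should pin down.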
