3scale · jlledom · Feb 5, 2026 · Feb 5, 2026 · Feb 5, 2026 · Feb 5, 2026
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -98,8 +98,8 @@ system-builder-ruby33: &system-builder-ruby33
     ORACLE_SYSTEM_PASSWORD: threescalepass
     NLS_LANG: AMERICAN_AMERICA.UTF8
     TZ: UTC
-    MASTER_PASSWORD: p
-    USER_PASSWORD: p
+    MASTER_PASSWORD: superSecret1234#
+    USER_PASSWORD: superSecret1234#
     LC_ALL: C.utf8
     RAILS_ENV: test
 

diff --git a/.gitleaks.toml b/.gitleaks.toml
@@ -0,0 +1,8 @@
+[allowlist]
+description = "Global Allowlist"
+
+# Ignore based on any subset of the file path
+paths = [
+    '''test/unit/authentication/by_password_test.rb''',
+    '''test/integration/admin/api/buyers_users_controller_test.rb'''
+]
diff --git a/app/controllers/admin/api/settings_controller.rb b/app/controllers/admin/api/settings_controller.rb
@@ -12,9 +12,9 @@ class Admin::Api::SettingsController < Admin::Api::BaseController
   before_action :validate_enforcing_sso_allowed, only: [:update]
 
   ALLOWED_PARAMS = %i[
-    useraccountarea_enabled hide_service signups_enabled account_approval_required strong_passwords_enabled
-    public_search account_plans_ui_visible change_account_plan_permission service_plans_ui_visible
-    change_service_plan_permission enforce_sso
+    useraccountarea_enabled hide_service signups_enabled account_approval_required public_search
+    account_plans_ui_visible change_account_plan_permission service_plans_ui_visible change_service_plan_permission
+    enforce_sso
   ].freeze
 
   # Settings Read

diff --git a/app/controllers/partners/providers_controller.rb b/app/controllers/partners/providers_controller.rb
@@ -56,7 +56,7 @@ def account_params
   def user_params
     {
       signup_type: partner.signup_type,
-      password: permitted_params[:password].presence || SecureRandom.hex,
+      password: permitted_params[:password].presence,
       email: permitted_params[:email],
       first_name: permitted_params[:first_name],
       last_name: permitted_params[:last_name],

diff --git a/app/controllers/partners/users_controller.rb b/app/controllers/partners/users_controller.rb
@@ -22,19 +22,19 @@ def destroy
   def create
     @user = @account.users.build
     @user.email = params[:email]
-    @user.password = SecureRandom.hex
+    @user.password = params[:password].presence
     @user.first_name = params[:first_name].presence
     @user.last_name = params[:last_name].presence
     @user.open_id = params[:open_id].presence
     @user.username = params[:username]
     @user.signup_type = :partner
     @user.role = :admin
     @user.activate!
-    if @user.save
-      render json: {id: @user.id, success: true}
-    else
-      render json: {errors: @user.errors, success: false}
-    end
+    @user.save!
+
+    render json: {id: @user.id, success: true}
+  rescue StandardError
+    render json: {errors: @user.errors, success: false}, status: :unprocessable_entity
   end
 
   private

diff --git a/app/controllers/provider/admin/user/personal_details_controller.rb b/app/controllers/provider/admin/user/personal_details_controller.rb
@@ -30,7 +30,7 @@ def user_params
   end
 
   def current_password_verification
-    return true unless current_user.using_password?
+    return true unless current_user.already_using_password?
 
     unless current_user.authenticated?(user_params[:current_password])
       flash.now[:danger] = t('.wrong')

diff --git a/app/controllers/provider/passwords_controller.rb b/app/controllers/provider/passwords_controller.rb
@@ -7,7 +7,7 @@ class Provider::PasswordsController < FrontendController
   before_action :passwords_allowed?
 
   def new
-    return redirect_back_or_to(root_path), danger: t('.has_password') if current_user.using_password?
+    return redirect_back_or_to(root_path), danger: t('.has_password') if current_user.already_using_password?
 
     reset_session_password_token
     token = current_user.generate_lost_password_token

diff --git a/app/javascript/src/Login/utils/validations.ts b/app/javascript/src/Login/utils/validations.ts
@@ -1,5 +1,10 @@
 import validate from 'validate.js'
 
+// IMPORTANT: This STRONG_PASSWORD_MIN_SIZE constant is duplicated from the backend.
+// The source of truth is app/lib/authentication/by_password.rb. If this constant changes in Ruby,
+// you must update it here as well. Do not modify it without updating the backend first.
+const STRONG_PASSWORD_MIN_SIZE = 15
+
 const loginConstraints = {
   username: { presence: { allowEmpty: false, message: 'Email or username is mandatory' } },
   password: { presence: { allowEmpty: false, message: 'Password is mandatory' } }
@@ -12,7 +17,7 @@ function validateLogin (fields: Record<keyof typeof loginConstraints, string>):
 const changePasswordConstraints = {
   password: {
     presence: { allowEmpty: false, message: 'Password is mandatory' },
-    length: { minimum: 6 }
+    length: { minimum: STRONG_PASSWORD_MIN_SIZE }
   },
   passwordConfirmation: {
     presence: { allowEmpty: false, message: 'Password confirmation is mandatory' },

diff --git a/app/lib/authentication/by_password.rb b/app/lib/authentication/by_password.rb
@@ -4,38 +4,31 @@ module ByPassword
     extend ActiveSupport::Concern
 
     # strong passwords
-    SPECIAL_CHARACTERS = '-+=><_$#.:;!?@&*()~][}{|'
-    RE_STRONG_PASSWORD = /
-      \A
-        (?=.*\d) # number
-        (?=.*[a-z]) # lowercase
-        (?=.*[A-Z]) # uppercase
-        (?=.*[#{Regexp.escape(SPECIAL_CHARACTERS)}]) # special char
-        (?!.*\s) # does not end with space
-        .{8,} # at least 8 characters
-      \z
-    /x
-    STRONG_PASSWORD_FAIL_MSG = "Password must be at least 8 characters long, and contain both upper and lowercase letters, a digit and one special character of #{SPECIAL_CHARACTERS}.".freeze
+    STRONG_PASSWORD_MIN_SIZE = 15
 
     included do
       # We only need length validations as they are already set in Authentication::ByPassword
       has_secure_password validations: false
 
-      validates_presence_of :password, if: :password_required?
+      before_validation :normalize_password, if: :validate_password?
+
+      validates_presence_of :password, if: :validate_password?
 
       validates_confirmation_of :password, allow_blank: true
 
-      validates :password, format: { :with => RE_STRONG_PASSWORD, :message => STRONG_PASSWORD_FAIL_MSG,
-                                     if: -> { password_required? && provider_requires_strong_passwords? } }
-      validates :password, length: { minimum: 6, allow_blank: true,
-                                     if: -> { password_required? && !provider_requires_strong_passwords? } }
+      validates :password, length: { minimum: STRONG_PASSWORD_MIN_SIZE }, if: :validate_strong_password?
 
       validates :lost_password_token, :password_digest, length: { maximum: 255 }
 
-      attr_accessible :password, :password_confirmation
+      attr_accessible :password, :password_confirmation, as: %i[default member admin]
 
       scope :with_valid_password_token, -> { where { lost_password_token_generated_at >= 24.hours.ago } }
 
+      alias_method :authenticate_without_normalization, :authenticate
+
+      def authenticate(password)
+        authenticate_without_normalization(password&.unicode_normalize(:nfc))
+      end
       alias_method :authenticated?, :authenticate
     end
 
@@ -45,8 +38,16 @@ def find_with_valid_password_token(token)
       end
     end
 
-    def password_required?
-      signup.by_user? && (password_digest.blank? || password_digest_changed?)
+    def validate_password?
+      # The password changed or it's a new record that must provide a password
+      will_save_change_to_password_digest? || (new_record? && signup.by_user?)
+    end
+
+    def validate_strong_password?
+      return false if Rails.configuration.three_scale.strong_passwords_disabled
+      return false if signup.sample_data?
-      return false if signup.sample_data?
+      return false if signup.sample_data? && !Rails.env.production?
-      return false if signup.sample_data?
+      return false if signup.sample_data? && !Rails.env.production?
+
+      validate_password?
 before_validation :normalize_password, if: :validate_password? 
 before_validation :normalize_password, if: :validate_password? 
     end
 
     def just_changed_password?
@@ -59,9 +60,10 @@ def expire_password_token
 
     def generate_lost_password_token
       token = SecureRandom.hex(32)
-      return unless update_columns(lost_password_token: token, lost_password_token_generated_at: Time.current)
+      self.lost_password_token = token
+      self.lost_password_token_generated_at = Time.current
 
-      token
+      token if save
     end
 
     def generate_lost_password_token!
@@ -81,12 +83,12 @@ def update_password(new_password, new_password_confirmation)
       save
     end
 
-    def using_password?
-      password_digest.present?
+    def already_using_password?
+      password_digest_in_database.present?
     end
 
     def can_set_password?
-      account.password_login_allowed? && !using_password?
+      account.password_login_allowed? && !already_using_password?
     end
 
     def special_fields
@@ -96,5 +98,22 @@ def special_fields
     def reset_lost_password_token
       self.lost_password_token = nil
     end
+
+    raise "FIXME" if Gem::Version.new(Rails.version) >= Gem::Version.new("8.1")
+    # To avoid all this logic, from Rails 8.1+ we can use
+    # `ActiveModel::Attributes::Normalization`, so `normalizes` method
+    # works with virtual attributes like `password` and `password_validation`
+    # and normalizes on assignment rather than before_validation
+    def normalize_password
+      if password.present?
+        normalized = password.unicode_normalize(:nfc)
+        self.password = normalized unless password == normalized
+      end
+
+      if password_confirmation.present?
+        normalized_confirmation = password_confirmation.unicode_normalize(:nfc)
+        self.password_confirmation = normalized_confirmation unless password_confirmation == normalized_confirmation
+      end
+    end
   end
 end
diff --git a/app/lib/logic/provider_signup.rb b/app/lib/logic/provider_signup.rb
@@ -71,7 +71,7 @@ def ensure_users(count)
       def signup_user
         email_part = email.split('@')
         user_attributes = { email: "#{email_part[0]}+test@#{email_part[1]}", username: 'john', first_name: 'John',
-                            last_name: 'Doe', password: '123456', password_confirmation: '123456', signup_type: :minimal}
+                            last_name: 'Doe', password: '123456', password_confirmation: '123456', signup_type: :sample_data}
         signup_params = ::Signup::SignupParams.new(plans: [], user_attributes: user_attributes, account_attributes: { org_name: 'Developer' })
         ::Signup::DeveloperAccountManager.new(@provider).create(signup_params)
       end

diff --git a/app/lib/signup/developer_account_manager.rb b/app/lib/signup/developer_account_manager.rb
@@ -15,7 +15,7 @@ def persist!(result, plans, defaults)
 
       # TODO: Temporary here. A new object should have the responsability to activate and approve when needed
       # As part of THREESCALE-1317
-      result.user_activate! if result.user_activate_on_minimal_signup?
+      result.user_activate! if result.user_activate_on_minimal_or_sample_data?
     end
   end
 end
diff --git a/app/lib/signup/result.rb b/app/lib/signup/result.rb
@@ -20,7 +20,7 @@ def local_initialize; end
     attr_reader :user, :account
 
     delegate :approve, :approve!, :approved?, :approval_required?, :make_pending!,   to: :account, prefix: true
-    delegate :activate, :activate!, :active?, :activate_on_minimal_signup?,          to: :user,    prefix: true
+    delegate :activate, :activate!, :active?, :activate_on_minimal_or_sample_data?,  to: :user, prefix: true
     delegate :id, to: :account
 
     def valid?

diff --git a/app/models/user.rb b/app/models/user.rb
@@ -344,14 +344,6 @@ def provider_id_for_audits
     account.try!(:provider_id_for_audits) || provider_account.try!(:provider_id_for_audits)
   end
 
-  def provider_requires_strong_passwords?
-    # use fields definitons source (instance variable) as backup when creating new record
-    # and there is no provider account (its still new record and not set through association.build)
-    if source = fields_definitions_source_root
-      source.settings.strong_passwords_enabled?
-    end
-  end
-
   protected
 
   def account_for_sphinx
@@ -436,6 +428,11 @@ def minimal?
       signup_type == :minimal
     end
 
+    def sample_data?
+      # This is true only for John Doe
+      signup_type == :sample_data
+    end
+
     def api?
       signup_type == :api
     end
@@ -457,7 +454,7 @@ def cas?
     end
 
     def machine?
-      minimal? || api? || created_by_provider? || open_id? || cas? || oauth2?
+      minimal? || sample_data? || api? || created_by_provider? || open_id? || cas? || oauth2?
     end
 
     def by_user?

diff --git a/app/models/user/states.rb b/app/models/user/states.rb
@@ -75,8 +75,8 @@ def make_activation_code
     self.activation_code = self.class.make_token
   end
 
-  def activate_on_minimal_signup?
-    minimal_signup? && password.present? && !account.try!(:bought_account_plan).try!(:approval_required?)
+  def activate_on_minimal_or_sample_data?
+    (minimal_signup? || signup.sample_data?) && password.present? && !account.try!(:bought_account_plan).try!(:approval_required?)
   end
 
   def generate_email_verification_token

diff --git a/app/representers/settings_representer.rb b/app/representers/settings_representer.rb
@@ -9,7 +9,6 @@ module SettingsRepresenter
   property :hide_service
   property :signups_enabled
   property :account_approval_required
-  property :strong_passwords_enabled
   property :public_search
   property :account_plans_ui_visible
   property :change_account_plan_permission

diff --git a/app/views/buyers/accounts/new.html.erb b/app/views/buyers/accounts/new.html.erb
@@ -21,7 +21,7 @@
         </div>
         <%= form.fields_for [:user, @user ] do |user| %>
           <%= user.user_defined_form %>
-          <%= user.input :password, as: :patternfly_input, required: true %>
+          <%= user.input :password, as: :patternfly_input, input_html: { type: 'password' }, required: true %>
         <% end %>
       </section>
 

diff --git a/app/views/buyers/users/edit.html.erb b/app/views/buyers/users/edit.html.erb
@@ -13,8 +13,8 @@
   <% end %>
 
   <%= form.inputs :name => "Change Password" do %>
-    <%= form.input :password, required: true, input_html: { autocomplete: 'off' } %>
-    <%= form.input :password_confirmation, required: true, input_html: { autocomplete: 'off' } %>
+    <%= form.input :password, required: false, input_html: { autocomplete: 'off' } %>
+    <%= form.input :password_confirmation, required: false, input_html: { autocomplete: 'off' } %>
   <% end -%>
 
   <% if can? :update_role, @user %>

diff --git a/app/views/provider/admin/account/users/_form.html.erb b/app/views/provider/admin/account/users/_form.html.erb
@@ -3,8 +3,8 @@
 <% end %>
 
 <%= form.inputs :name => "Change Password" do %>
-  <%= form.input :password, :required => true %>
-  <%= form.input :password_confirmation, :required => true %>
+  <%= form.input :password, :required => false %>
+  <%= form.input :password_confirmation, :required => false %>
 <% end -%>
 
 <% if can? :update_role, @user %>

diff --git a/app/views/provider/admin/user/personal_details/edit.html.slim b/app/views/provider/admin/user/personal_details/edit.html.slim
@@ -3,13 +3,6 @@
 - content_for :javascripts do
   = stylesheet_packs_chunks_tag 'pf_form'
 
-- if current_user.can_set_password? && !current_account.settings.enforce_sso?
-  - content_for :page_header_alert do
-      br
-      = pf_inline_alert t('.set_password_html', href: new_provider_password_path), variant: :info
-
-- using_password = current_user.using_password?
-
 div class="pf-c-card"
   div class="pf-c-card__body"
     = semantic_form_for current_user, builder: Fields::PatternflyFormBuilder,
@@ -20,13 +13,12 @@ div class="pf-c-card"
 
       = form.inputs 'User Information' do
         = form.user_defined_form
-        - if using_password
-          = form.input :password, as: :patternfly_input,
-                                  label: t('.new_password_label'),
-                                  required: current_user.password_required?,
-                                  input_html: { value: '', required: current_user.password_required? }
+        = form.input :password, as: :patternfly_input,
+                                label: t('.new_password_label'),
+                                required: false,
+                                input_html: { value: '', type: 'password', required: false }
 
-      - if using_password
+      - if current_user.already_using_password?
         = form.inputs "Provide your current password and update your personal details" do
           = form.input :current_password, as: :patternfly_input,
                                           required: true,

diff --git a/app/views/sites/usage_rules/edit.html.slim b/app/views/sites/usage_rules/edit.html.slim
@@ -27,10 +27,6 @@ div class="pf-c-card"
                                                    input_html: { disabled: settings.approval_required_disabled? },
                                                    hint: account_approval_required_hint(current_account)
 
-      = form.inputs 'Users'
-        = form.input :strong_passwords_enabled, as: :patternfly_checkbox,
-                                                hint: t("formtastic.hints.settings.strong_passwords_enabled", strong_password_definition: strong_password_definition)
-
       = form.inputs 'Search'
         = form.input :public_search, as: :patternfly_checkbox
 

diff --git a/config/examples/settings.yml b/config/examples/settings.yml
@@ -54,6 +54,7 @@ development:
   force_ssl: false
   report_traffic: false
   secure_cookie: false
+  strong_passwords_disabled: true
 
 test:
   <<: *default