feat(auth): validatePassword method/PasswordPolicy Support (#17439)

MichaelVerdon · web-flow · commit 9a032b344d6a · 2025-07-24T08:41:27.000+01:00
diff --git a/packages/firebase_auth/firebase_auth/lib/firebase_auth.dart b/packages/firebase_auth/firebase_auth/lib/firebase_auth.dart
@@ -60,7 +60,8 @@ export 'package:firebase_auth_platform_interface/firebase_auth_platform_interfac
         RecaptchaVerifierOnExpired,
         RecaptchaVerifierOnError,
         RecaptchaVerifierSize,
-        RecaptchaVerifierTheme;
+        RecaptchaVerifierTheme,
+        PasswordValidationStatus;
 export 'package:firebase_core_platform_interface/firebase_core_platform_interface.dart'
     show FirebaseException;
 
diff --git a/packages/firebase_auth/firebase_auth/lib/src/firebase_auth.dart b/packages/firebase_auth/firebase_auth/lib/src/firebase_auth.dart
@@ -704,15 +704,6 @@ class FirebaseAuth extends FirebasePluginPlatform {
     }
   }
 
-  /// Signs out the current user.
-  ///
-  /// If successful, it also updates
-  /// any [authStateChanges], [idTokenChanges] or [userChanges] stream
-  /// listeners.
-  Future<void> signOut() async {
-    await _delegate.signOut();
-  }
-
   /// Checks a password reset code sent to the user by email or other
   /// out-of-band mechanism.
   ///
@@ -819,12 +810,72 @@ class FirebaseAuth extends FirebasePluginPlatform {
     return _delegate.revokeTokenWithAuthorizationCode(authorizationCode);
   }
 
+  /// Signs out the current user.
+  ///
+  /// If successful, it also updates
+  /// any [authStateChanges], [idTokenChanges] or [userChanges] stream
+  /// listeners.
+  Future<void> signOut() async {
+    await _delegate.signOut();
+  }
+
   /// Initializes the reCAPTCHA Enterprise client proactively to enhance reCAPTCHA signal collection and
   /// to complete reCAPTCHA-protected flows in a single attempt.
   Future<void> initializeRecaptchaConfig() {
     return _delegate.initializeRecaptchaConfig();
   }
 
+  /// Validates a password against the password policy configured for the project or tenant.
+  ///
+  /// If no tenant ID is set on the Auth instance, then this method will use the password policy configured for the project.
+  /// Otherwise, this method will use the policy configured for the tenant. If a password policy has not been configured,
+  /// then the default policy configured for all projects will be used.
+  ///
+  /// If an auth flow fails because a submitted password does not meet the password policy requirements and this method has previously been called,
+  /// then this method will use the most recent policy available when called again.
+  ///
+  /// Returns a map with the following keys:
+  /// - **status**: A boolean indicating if the password is valid.
+  /// - **passwordPolicy**: The password policy used to validate the password.
+  /// - **meetsMinPasswordLength**: A boolean indicating if the password meets the minimum length requirement.
+  /// - **meetsMaxPasswordLength**: A boolean indicating if the password meets the maximum length requirement.
+  /// - **meetsLowercaseRequirement**: A boolean indicating if the password meets the lowercase requirement.
+  /// - **meetsUppercaseRequirement**: A boolean indicating if the password meets the uppercase requirement.
+  /// - **meetsDigitsRequirement**: A boolean indicating if the password meets the digits requirement.
+  /// - **meetsSymbolsRequirement**: A boolean indicating if the password meets the symbols requirement.
+  ///
+  /// A [FirebaseAuthException] maybe thrown with the following error code:
+  /// - **invalid-password**:
+  ///  - Thrown if the password is invalid.
+  /// - **network-request-failed**:
+  ///  - Thrown if there was a network request error, for example the user
+  ///    doesn't have internet connection
+  /// - **INVALID_LOGIN_CREDENTIALS** or **invalid-credential**:
+  ///  - Thrown if the password is invalid for the given email, or the account
+  ///    corresponding to the email does not have a password set.
+  ///    Depending on if you are using firebase emulator or not the code is
+  ///    different
+  /// - **operation-not-allowed**:
+  ///  - Thrown if email/password accounts are not enabled. Enable
+  ///    email/password accounts in the Firebase Console, under the Auth tab.
+  Future<PasswordValidationStatus> validatePassword(
+    FirebaseAuth auth,
+    String? password,
+  ) async {
+    if (password == null || password.isEmpty) {
+      throw FirebaseAuthException(
+        code: 'invalid-password',
+        message: 'Password cannot be null or empty',
+      );
+    }
+    PasswordPolicyApi passwordPolicyApi =
+        PasswordPolicyApi(auth.app.options.apiKey);
+    PasswordPolicy passwordPolicy =
+        await passwordPolicyApi.fetchPasswordPolicy();
+    PasswordPolicyImpl passwordPolicyImpl = PasswordPolicyImpl(passwordPolicy);
+    return passwordPolicyImpl.isPasswordValid(password);
+  }
+
   @override
   String toString() {
     return 'FirebaseAuth(app: ${app.name})';
diff --git a/packages/firebase_auth/firebase_auth/pubspec.yaml b/packages/firebase_auth/firebase_auth/pubspec.yaml
@@ -27,7 +27,6 @@ dependencies:
   flutter:
     sdk: flutter
   meta: ^1.8.0
-
 dev_dependencies:
   async: ^2.5.0
   flutter_test:
diff --git a/packages/firebase_auth/firebase_auth/test/firebase_auth_test.dart b/packages/firebase_auth/firebase_auth/test/firebase_auth_test.dart
@@ -37,6 +37,28 @@ void main() {
   const String kMockOobCode = 'oobcode';
   const String kMockURL = 'http://www.example.com';
   const String kMockHost = 'www.example.com';
+  const String kMockValidPassword =
+      'Password123!'; // For password policy impl testing
+  const String kMockInvalidPassword = 'Pa1!';
+  const String kMockInvalidPassword2 = 'password123!';
+  const String kMockInvalidPassword3 = 'PASSWORD123!';
+  const String kMockInvalidPassword4 = 'password!';
+  const String kMockInvalidPassword5 = 'Password123';
+  const Map<String, dynamic> kMockPasswordPolicy = {
+    'customStrengthOptions': {
+      'minPasswordLength': 6,
+      'maxPasswordLength': 12,
+      'containsLowercaseCharacter': true,
+      'containsUppercaseCharacter': true,
+      'containsNumericCharacter': true,
+      'containsNonAlphanumericCharacter': true,
+    },
+    'allowedNonAlphanumericCharacters': ['!'],
+    'schemaVersion': 1,
+    'enforcement': 'OFF',
+  };
+  final PasswordPolicy kMockPasswordPolicyObject =
+      PasswordPolicy(kMockPasswordPolicy);
   const int kMockPort = 31337;
 
   final TestAuthProvider testAuthProvider = TestAuthProvider();
@@ -767,6 +789,61 @@ void main() {
       });
     });
 
+    group('passwordPolicy', () {
+      test('passwordPolicy should be initialized with correct parameters',
+          () async {
+        PasswordPolicyImpl passwordPolicy =
+            PasswordPolicyImpl(kMockPasswordPolicyObject);
+        expect(passwordPolicy.policy, equals(kMockPasswordPolicyObject));
+      });
+
+      PasswordPolicyImpl passwordPolicy =
+          PasswordPolicyImpl(kMockPasswordPolicyObject);
+
+      test('should return true for valid password', () async {
+        final PasswordValidationStatus status =
+            passwordPolicy.isPasswordValid(kMockValidPassword);
+        expect(status.isValid, isTrue);
+      });
+
+      test('should return false for invalid password that is too short',
+          () async {
+        final PasswordValidationStatus status =
+            passwordPolicy.isPasswordValid(kMockInvalidPassword);
+        expect(status.isValid, isFalse);
+      });
+
+      test(
+          'should return false for invalid password with no capital characters',
+          () async {
+        final PasswordValidationStatus status =
+            passwordPolicy.isPasswordValid(kMockInvalidPassword2);
+        expect(status.isValid, isFalse);
+      });
+
+      test(
+          'should return false for invalid password with no lowercase characters',
+          () async {
+        final PasswordValidationStatus status =
+            passwordPolicy.isPasswordValid(kMockInvalidPassword3);
+        expect(status.isValid, isFalse);
+      });
+
+      test('should return false for invalid password with no numbers',
+          () async {
+        final PasswordValidationStatus status =
+            passwordPolicy.isPasswordValid(kMockInvalidPassword4);
+        expect(status.isValid, isFalse);
+      });
+
+      test('should return false for invalid password with no symbols',
+          () async {
+        final PasswordValidationStatus status =
+            passwordPolicy.isPasswordValid(kMockInvalidPassword5);
+        expect(status.isValid, isFalse);
+      });
+    });
+
     test('toString()', () async {
       expect(
         auth.toString(),
diff --git a/packages/firebase_auth/firebase_auth_platform_interface/lib/firebase_auth_platform_interface.dart b/packages/firebase_auth/firebase_auth_platform_interface/lib/firebase_auth_platform_interface.dart
@@ -39,3 +39,7 @@ export 'src/providers/play_games_auth.dart';
 export 'src/types.dart';
 export 'src/user_info.dart';
 export 'src/user_metadata.dart';
+export 'src/password_policy/password_policy_api.dart';
+export 'src/password_policy/password_policy_impl.dart';
+export 'src/password_policy/password_policy.dart';
+export 'src/password_policy/password_validation_status.dart';
diff --git a/packages/firebase_auth/firebase_auth_platform_interface/lib/src/password_policy/password_policy.dart b/packages/firebase_auth/firebase_auth_platform_interface/lib/src/password_policy/password_policy.dart
@@ -0,0 +1,49 @@
+// Copyright 2025, the Chromium project authors.  Please see the AUTHORS file
+// for details. All rights reserved. Use of this source code is governed by a
+// BSD-style license that can be found in the LICENSE file.
+class PasswordPolicy {
+  final Map<String, dynamic> policy;
+
+  // Backend enforced minimum
+  late final int minPasswordLength;
+  late final int? maxPasswordLength;
+  late final bool? containsLowercaseCharacter;
+  late final bool? containsUppercaseCharacter;
+  late final bool? containsNumericCharacter;
+  late final bool? containsNonAlphanumericCharacter;
+  late final int schemaVersion;
+  late final List<String> allowedNonAlphanumericCharacters;
+  late final String enforcementState;
+
+  PasswordPolicy(this.policy) {
+    initialize();
+  }
+
+  void initialize() {
+    final Map<String, dynamic> customStrengthOptions =
+        policy['customStrengthOptions'] ?? {};
+
+    minPasswordLength = customStrengthOptions['minPasswordLength'] ?? 6;
+    maxPasswordLength = customStrengthOptions['maxPasswordLength'];
+    containsLowercaseCharacter =
+        customStrengthOptions['containsLowercaseCharacter'];
+    containsUppercaseCharacter =
+        customStrengthOptions['containsUppercaseCharacter'];
+    containsNumericCharacter =
+        customStrengthOptions['containsNumericCharacter'];
+    containsNonAlphanumericCharacter =
+        customStrengthOptions['containsNonAlphanumericCharacter'];
+
+    schemaVersion = policy['schemaVersion'] ?? 1;
+    allowedNonAlphanumericCharacters = List<String>.from(
+      policy['allowedNonAlphanumericCharacters'] ??
+          customStrengthOptions['allowedNonAlphanumericCharacters'] ??
+          [],
+    );
+
+    final enforcement = policy['enforcement'] ?? policy['enforcementState'];
+    enforcementState = enforcement == 'ENFORCEMENT_STATE_UNSPECIFIED'
+        ? 'OFF'
+        : (enforcement ?? 'OFF');
+  }
+}
diff --git a/packages/firebase_auth/firebase_auth_platform_interface/lib/src/password_policy/password_policy_api.dart b/packages/firebase_auth/firebase_auth_platform_interface/lib/src/password_policy/password_policy_api.dart
@@ -0,0 +1,48 @@
+// Copyright 2025, the Chromium project authors.  Please see the AUTHORS file
+// for details. All rights reserved. Use of this source code is governed by a
+// BSD-style license that can be found in the LICENSE file.
+
+import 'package:http/http.dart' as http;
+import 'dart:convert';
+import 'dart:core';
+import 'password_policy.dart';
+
+class PasswordPolicyApi {
+  final String _apiKey;
+  final String _apiUrl =
+      'https://identitytoolkit.googleapis.com/v2/passwordPolicy?key=';
+
+  PasswordPolicyApi(this._apiKey);
+
+  final int _schemaVersion = 1;
+
+  Future<PasswordPolicy> fetchPasswordPolicy() async {
+    try {
+      final response = await http.get(Uri.parse('$_apiUrl$_apiKey'));
+      if (response.statusCode == 200) {
+        final policy = json.decode(response.body);
+
+        // Validate schema version
+        final _schemaVersion = policy['schemaVersion'];
+        if (!isCorrectSchemaVersion(_schemaVersion)) {
+          throw Exception(
+            'Schema Version mismatch, expected version 1 but got $policy',
+          );
+        }
+
+        Map<String, dynamic> rawPolicy = json.decode(response.body);
+        return PasswordPolicy(rawPolicy);
+      } else {
+        throw Exception(
+          'Failed to fetch password policy, status code: ${response.statusCode}',
+        );
+      }
+    } catch (e) {
+      throw Exception('Failed to fetch password policy: $e');
+    }
+  }
+
+  bool isCorrectSchemaVersion(int schemaVersion) {
+    return _schemaVersion == schemaVersion;
+  }
+}
diff --git a/packages/firebase_auth/firebase_auth_platform_interface/lib/src/password_policy/password_policy_impl.dart b/packages/firebase_auth/firebase_auth_platform_interface/lib/src/password_policy/password_policy_impl.dart
@@ -0,0 +1,92 @@
+// Copyright 2025, the Chromium project authors.  Please see the AUTHORS file
+// for details. All rights reserved. Use of this source code is governed by a
+// BSD-style license that can be found in the LICENSE file.
+import 'dart:core';
+import 'password_policy.dart';
+import 'password_validation_status.dart';
+
+class PasswordPolicyImpl {
+  final PasswordPolicy _policy;
+
+  PasswordPolicyImpl(this._policy);
+
+  // Getter to access the policy
+  PasswordPolicy get policy => _policy;
+
+  PasswordValidationStatus isPasswordValid(String password) {
+    PasswordValidationStatus status = PasswordValidationStatus(true, _policy);
+
+    _validatePasswordLengthOptions(password, status);
+    _validatePasswordCharacterOptions(password, status);
+
+    return status;
+  }
+
+  void _validatePasswordLengthOptions(
+    String password,
+    PasswordValidationStatus status,
+  ) {
+    int minPasswordLength = _policy.minPasswordLength;
+    int? maxPasswordLength = _policy.maxPasswordLength;
+
+    status.meetsMinPasswordLength = password.length >= minPasswordLength;
+    if (!status.meetsMinPasswordLength) {
+      status.isValid = false;
+    }
+    if (maxPasswordLength != null) {
+      status.meetsMaxPasswordLength = password.length <= maxPasswordLength;
+      if (!status.meetsMaxPasswordLength) {
+        status.isValid = false;
+      }
+    }
+  }
+
+  void _validatePasswordCharacterOptions(
+    String password,
+    PasswordValidationStatus status,
+  ) {
+    bool? requireLowercase = _policy.containsLowercaseCharacter;
+    bool? requireUppercase = _policy.containsUppercaseCharacter;
+    bool? requireDigits = _policy.containsNumericCharacter;
+    bool? requireSymbols = _policy.containsNonAlphanumericCharacter;
+
+    if (requireLowercase ?? false) {
+      status.meetsLowercaseRequirement = password.contains(RegExp('[a-z]'));
+      if (!status.meetsLowercaseRequirement) {
+        status.isValid = false;
+      }
+    }
+    if (requireUppercase ?? false) {
+      status.meetsUppercaseRequirement = password.contains(RegExp('[A-Z]'));
+      if (!status.meetsUppercaseRequirement) {
+        status.isValid = false;
+      }
+    }
+    if (requireDigits ?? false) {
+      status.meetsDigitsRequirement = password.contains(RegExp('[0-9]'));
+      if (!status.meetsDigitsRequirement) {
+        status.isValid = false;
+      }
+    }
+    if (requireSymbols ?? false) {
+      // Check if password contains any non-alphanumeric characters
+      bool hasSymbol = false;
+      if (_policy.allowedNonAlphanumericCharacters.isNotEmpty) {
+        // Check against allowed symbols
+        for (final String symbol in _policy.allowedNonAlphanumericCharacters) {
+          if (password.contains(symbol)) {
+            hasSymbol = true;
+            break;
+          }
+        }
+      } else {
+        // Check for any non-alphanumeric character
+        hasSymbol = password.contains(RegExp('[^a-zA-Z0-9]'));
+      }
+      status.meetsSymbolsRequirement = hasSymbol;
+      if (!hasSymbol) {
+        status.isValid = false;
+      }
+    }
+  }
+}
diff --git a/packages/firebase_auth/firebase_auth_platform_interface/lib/src/password_policy/password_validation_status.dart b/packages/firebase_auth/firebase_auth_platform_interface/lib/src/password_policy/password_validation_status.dart
diff --git a/packages/firebase_auth/firebase_auth_platform_interface/pubspec.yaml b/packages/firebase_auth/firebase_auth_platform_interface/pubspec.yaml
diff --git a/tests/integration_test/firebase_auth/firebase_auth_instance_e2e_test.dart b/tests/integration_test/firebase_auth/firebase_auth_instance_e2e_test.dart
