fix: added password validation messages

[hemantmm]

closes: #1173

Add real-time password validation with immediate user feedback during account registration and password reset flows.

✅ Changes Made:

1. Enhanced Password Strength Validation (JavaScript)
File: app/eventyay/static/common/js/password_strength.js:

✅ Added validatePasswordComplexity() to enforce password rules in real time
✅ Updated updatePasswordStrength() to display validation errors instantly.
✅ Implemented color-coded visual feedback (🔴 red / 🟡 yellow / 🟢 green).
✅ Added specific, actionable error messages for each validation rule.
✅ Displayed success indicators once all requirements are met.

2. Updated Password Input Widgets
File: app/eventyay/common/forms/widgets.py:

✅ Enhanced PasswordStrengthInput widget with built-in validation container.
✅ Added password requirement helper text below the input field.
✅ Improved markup structure for clarity and accessibility.

3. CSS Styling for Validation Messages
File: app/eventyay/static/common/css/_forms.css:

✅ Added .password-validation-errors class for inline feedback.
✅ Styled password requirements and progress bar indicators.
✅ Improved focus states for better accessibility.
✅ Used Bootstrap-compatible color palette for consistency.

Summary:
This PR significantly improves password creation UX and security by adding real-time and accessible password validation.

Summary by Sourcery

Provide real-time password validation and feedback by enforcing complexity rules in JS, updating the strength meter dynamically, enhancing input widgets with requirement hints, and adding CSS for inline error and focus styling.

New Features:

• Add live password complexity checks with specific error messages.
• Display color-coded strength meter updates and success indicators dynamically based on custom rules and zxcvbn scores.

Enhancements:

• Augment password input widget with requirement helper text and improved accessible markup.
• Add CSS classes for inline validation errors, requirement hints, and enhanced focus states.

[sourcery-ai]

Reviewer's Guide

This PR implements real-time password complexity checks alongside the existing zxcvbn strength estimation, updates the registration/reset password input widget to include built-in requirement hints and accessible markup, and adds CSS rules for inline validation feedback and improved focus states.

Class diagram for updated PasswordStrengthInput widget

classDiagram
    class PasswordStrengthInput {
        +render(name, value, attrs=None, renderer=None)
        - Enhanced markup structure
        - Built-in validation container
        - Password requirement helper text
    }

Loading

Flow diagram for password validation logic in JavaScript

flowchart TD
    A["User types password"] --> B["validatePasswordComplexity(password)"]
    B --> C{"Validation errors?"}
    C -- Yes --> D["Show error messages in .password-validation-errors"]
    C -- No --> E["Run zxcvbn(password)"]
    E --> F["Update strength bar and show crack time"]
    D --> G["Update strength bar to red"]
    F --> H["Update strength bar to yellow/green"]

Loading

File-Level Changes

Change	Details	Files
Implement real-time JS password complexity validation with inline visual feedback	Added validatePasswordComplexity() enforcing length, letter/number, and common password rules Modified updatePasswordStrength() to show error messages when complexity rules fail Applied color-coded bar classes and width adjustments based on validation or zxcvbn score Updated passwordStrengthInfo.innerHTML to render actionable error or success indicators	app/eventyay/static/common/js/password_strength.js
Enhance password input widget with requirement helper text and accessible markup	Refactored strength info container into a with nested for better semantics Introduced .password-requirements element displaying complexity rules below the input Ensured consistent spacing and Bootstrap‐compatible classes for accessibility	app/eventyay/common/forms/widgets.py
Add CSS rules for validation messages and improved focus styling	Defined .password-validation-errors style for inline error container Styled password requirements text and focus state under .password-requirements Used Bootstrap-compatible color palette for consistency	app/eventyay/static/common/css/_forms.css

Assessment against linked issues

Issue	Objective	Addressed	Explanation
#1173	Display a real-time validation message when the password does not meet complexity requirements (at least one letter, one number, and one special character) during account registration.	✅
#1173	Show clear, actionable warnings directly within the password input field, without waiting for form submission.	✅
#1173	Update password input UI to include helper text and visual feedback about password requirements and strength.	✅

Possibly linked issues

• No validation message for password needing letters or special characters #1173: The PR implements real-time password complexity validation and displays immediate feedback, directly addressing the issue's request for front-end validation during registration.

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey there - I've reviewed your changes and they look great!

Blocking issues:

• User controlled data in methods like innerHTML, outerHTML or document.write is an anti-pattern that can lead to XSS vulnerabilities (link)
• User controlled data in a passwordStrengthInfo.innerHTML is an anti-pattern that can lead to XSS vulnerabilities (link)
• User controlled data in methods like innerHTML, outerHTML or document.write is an anti-pattern that can lead to XSS vulnerabilities (link)
• User controlled data in a passwordStrengthInfo.innerHTML is an anti-pattern that can lead to XSS vulnerabilities (link)

Prompt for AI Agents

Please address the comments from this code review:

## Individual Comments

### Comment 1
<location> `app/eventyay/static/common/css/_forms.css:783` </location>
<code_context>
   }
 }
+
+.password-validation-errors {
+    margin-top: 0.5rem;
+    padding: 0.5rem;
</code_context>

<issue_to_address>
**suggestion:** Consider using CSS variables for color values to improve maintainability.

Referencing CSS variables or theme classes will make future design updates easier and ensure consistency across the codebase.

Suggested implementation:

```
.password-validation-errors {
    margin-top: 0.5rem;
    padding: 0.5rem;
    background-color: var(--color-danger-bg, #f8d7da);
    border: 1px solid var(--color-danger-border, #f5c6cb);
    border-radius: 0.25rem;
}

```

If the variables `--color-danger-bg` and `--color-danger-border` are not yet defined, add them to your global CSS (e.g., `:root` selector or theme file) for consistency:

:root {
  --color-danger-bg: #f8d7da;
  --color-danger-border: #f5c6cb;
}

This ensures the variables are available throughout your codebase and can be easily updated for theming.
</issue_to_address>

### Comment 2
<location> `app/eventyay/static/common/js/password_strength.js:104` </location>
<code_context>
            passwordStrengthInfo.innerHTML = `<div class="password-validation-errors">${errorHtml}</div>`
</code_context>

<issue_to_address>
**security (javascript.browser.security.insecure-document-method):** User controlled data in methods like `innerHTML`, `outerHTML` or `document.write` is an anti-pattern that can lead to XSS vulnerabilities

*Source: opengrep*
</issue_to_address>

### Comment 3
<location> `app/eventyay/static/common/js/password_strength.js:104` </location>
<code_context>
            passwordStrengthInfo.innerHTML = `<div class="password-validation-errors">${errorHtml}</div>`
</code_context>

<issue_to_address>
**security (javascript.browser.security.insecure-innerhtml):** User controlled data in a `passwordStrengthInfo.innerHTML` is an anti-pattern that can lead to XSS vulnerabilities

*Source: opengrep*
</issue_to_address>

### Comment 4
<location> `app/eventyay/static/common/js/password_strength.js:130` </location>
<code_context>
            passwordStrengthInfo.innerHTML = `<p class="text-muted mb-0">${strengthText}</p>`
</code_context>

<issue_to_address>
**security (javascript.browser.security.insecure-document-method):** User controlled data in methods like `innerHTML`, `outerHTML` or `document.write` is an anti-pattern that can lead to XSS vulnerabilities

*Source: opengrep*
</issue_to_address>

### Comment 5
<location> `app/eventyay/static/common/js/password_strength.js:130` </location>
<code_context>
            passwordStrengthInfo.innerHTML = `<p class="text-muted mb-0">${strengthText}</p>`
</code_context>

<issue_to_address>
**security (javascript.browser.security.insecure-innerhtml):** User controlled data in a `passwordStrengthInfo.innerHTML` is an anti-pattern that can lead to XSS vulnerabilities

*Source: opengrep*
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[mariobehling]

Thanks! Please check the ai feedback.

[Copilot]

Pull Request Overview

This PR enhances password validation by adding real-time complexity checks in the UI, providing immediate feedback to users when their passwords don't meet security requirements (minimum 8 characters, containing letters and numbers, not being a common password).

Key changes:

• Added client-side password validation function with detailed error messaging
• Refactored password strength display logic to show validation errors before zxcvbn scoring
• Updated HTML structure to accommodate both validation errors and strength information

Reviewed Changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 5 comments.

File	Description
app/eventyay/static/common/js/password_strength.js	Implements validatePasswordComplexity function and refactors updatePasswordStrength to display validation errors prominently with conditional logic for zxcvbn scoring
app/eventyay/static/common/css/_forms.css	Adds styling for password validation error display container and requirements text
app/eventyay/common/forms/widgets.py	Updates HTML structure to wrap password strength info in a div and adds static password requirements text

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[hemantmm]

@mariobehling, should I make the changes suggested by the copilot?

[hemantmm]

@mariobehling, should I make the changes suggested by the copilot?

And should I add more common passwords?

[Copilot]

Pull Request Overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull Request Overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull Request Overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull Request Overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[hemantmm]

@mariobehling, can you review now?