Summary
Warpgate currently accepts any password when creating or changing user credentials, including single-character or empty strings. For organizations using Warpgate as a PAM/bastion, there is no way to enforce password complexity requirements.
Proposed feature
Add an optional password_policy section to warpgate.yaml that enforces requirements whenever a password credential is created or changed — both via the Admin API and the user self-service profile page.
Configuration (warpgate.yaml)
password_policy:
  min_length: 12
  require_uppercase: true
  require_lowercase: true
  require_digits: true
  require_special: true
  # optional: max_length, forbidden_patterns, etc.
All fields should be optional with sensible defaults (policy disabled by default for backward compatibility).
Behaviour
- When a policy is configured, POST /users/:id/credentials/passwords (admin) and the user self-service password change endpoint return HTTP 422 with a structured error listing which requirements were not met.
- The policy object should be exposed via a read-only endpoint (or included in an existing info endpoint) so the frontend can render live validation hints in the password input form.
- The policy is not re-evaluated on login — it only applies when credentials are created or changed.
Implementation sketch
- Add a PasswordPolicyConfig struct to warpgate-common/src/config/mod.rs and include it as an optional field in WarpgateConfigStore.
- Add validate_password(password: &str, policy: &PasswordPolicyConfig) -> Result<(), Vec<PolicyViolation>> in warpgate-common/src/helpers/ (new file password_policy.rs).
- Call validate_password in:
  - warpgate-admin/src/api/password_credentials.rs (api_create)
  - warpgate-protocol-http/src/api/credentials.rs (change-password handler)
- Add a 422 UnprocessableEntity response variant to both API handlers with a JSON body describing which rules failed.
- Update the warpgate-web Svelte components to display real-time password strength hints based on the policy fetched from the API.
- Run just openapi-all to regenerate the OpenAPI SDKs.
Why this matters
Warpgate is a security gateway. Weak user passwords are a significant attack surface, especially for SSH and web console access. Similar tools (Teleport, JumpServer, Guacamole) all expose password policy configuration.
Acceptance criteria
- password_policy section recognised in warpgate.yaml; all sub-fields optional
- validate_password covering all rule combinations