Remove OPA-based password policy enforcement (#2875)

Co-authored-by: Quentin Gliech <quenting@element.io>
2025-12-03 22:51:11 +03:00 · 2024-07-16 14:33:04 +01:00
parent e47f26fde6
commit 1afd2a2906
13 changed files with 9 additions and 168 deletions
--- a/crates/handlers/src/graphql/mutations/user.rs
+++ b/crates/handlers/src/graphql/mutations/user.rs
@@ -546,11 +546,7 @@ impl UserMutations {
            return Err(async_graphql::Error::new("Unauthorized"));
        }

-        let mut policy = state.policy().await?;
-
-        let res = policy.evaluate_password(&input.new_password).await?;
-
-        if !res.valid() {
+        if input.new_password.is_empty() {
            // TODO Expose the reason for the policy violation
            // This involves redesigning the error handling
            // Idea would be to expose an errors array in the response,
--- a/crates/handlers/src/test_utils.rs
+++ b/crates/handlers/src/test_utils.rs
@@ -85,7 +85,6 @@ pub(crate) async fn policy_factory(
        client_registration: "client_registration/violation".to_owned(),
        authorization_grant: "authorization_grant/violation".to_owned(),
        email: "email/violation".to_owned(),
-        password: "password/violation".to_owned(),
    };

    let policy_factory = PolicyFactory::load(file, data, entrypoints).await?;
--- a/crates/handlers/src/views/recovery/finish.rs
+++ b/crates/handlers/src/views/recovery/finish.rs
@@ -24,7 +24,6 @@ use mas_axum_utils::{
    FancyError,
 };
 use mas_data_model::SiteConfig;
-use mas_policy::Policy;
 use mas_router::UrlBuilder;
 use mas_storage::{BoxClock, BoxRepository, BoxRng};
 use mas_templates::{
@@ -129,7 +128,6 @@ pub(crate) async fn post(
    mut rng: BoxRng,
    clock: BoxClock,
    mut repo: BoxRepository,
-    mut policy: Policy,
    State(site_config): State<SiteConfig>,
    State(password_manager): State<PasswordManager>,
    State(templates): State<Templates>,
@@ -238,17 +236,6 @@ pub(crate) async fn post(
        );
    }

-    let res = policy.evaluate_password(&form.new_password).await?;
-
-    if !res.valid() {
-        form_state = form_state.with_error_on_field(
-            RecoveryFinishFormField::NewPassword,
-            FieldError::Policy {
-                message: res.to_string(),
-            },
-        );
-    }
-
    if !form_state.is_valid() {
        let context = RecoveryFinishContext::new(user)
            .with_form_state(form_state)
--- a/crates/handlers/src/views/register.rs
+++ b/crates/handlers/src/views/register.rs
@@ -214,7 +214,7 @@ pub(crate) async fn post(
        }

        let res = policy
-            .evaluate_register(&form.username, &form.password, &form.email)
+            .evaluate_register(&form.username, &form.email)
            .await?;

        for violation in res.violations {