Validation Rules

The LaraUtilX package provides custom validation rules to enhance the security and data integrity of your Laravel applications.

RejectCommonPasswords

The RejectCommonPasswords validation rule helps improve password security by rejecting commonly used passwords that are easily guessable or vulnerable to brute force attacks.

Features

  • Comprehensive Password List: Includes 200+ common passwords and variations
  • Case-Insensitive Matching: Automatically converts passwords to lowercase for comparison
  • Trimmed Input: Removes leading and trailing whitespace
  • Laravel Integration: Works seamlessly with Laravel's validation system
  • Custom Error Messages: Provides clear, user-friendly error messages

Common Passwords Covered

The rule rejects passwords including but not limited to:

  • Simple sequences: 123456, qwerty, abc123
  • Common words: password, admin, welcome, hello
  • Keyboard patterns: qwertyuiop, asdfghjkl, zxcvbnm
  • Repeated characters: 111111, aaaa, 000000
  • Variations: password1, admin123, qwerty123

Usage

1. Using the Validation Rule Class

use LaraUtilX\Rules\RejectCommonPasswords;
use Illuminate\Http\Request;

class UserController extends Controller
{
    public function store(Request $request)
    {
        $request->validate([
            'password' => ['required', 'string', 'min:8', new RejectCommonPasswords()],
        ]);

        // Password is valid and not a common password
    }
}

2. Using in Form Request Classes

<?php

namespace App\Http\Requests;

use Illuminate\Foundation\Http\FormRequest;
use LaraUtilX\Rules\RejectCommonPasswords;

class CreateUserRequest extends FormRequest
{
    public function rules(): array
    {
        return [
            'name' => 'required|string|max:255',
            'email' => 'required|email|unique:users,email',
            'password' => [
                'required',
                'string',
                'min:8',
                'confirmed',
                new RejectCommonPasswords()
            ],
        ];
    }
}

3. Using the Custom Validation Rule String

The package also registers a custom validation rule string for convenience:

use Illuminate\Http\Request;

class UserController extends Controller
{
    public function store(Request $request)
    {
        $request->validate([
            'password' => 'required|string|min:8|reject_common_passwords',
        ]);

        // Password is valid and not a common password
    }
}

4. Testing the Validation Rule

use LaraUtilX\Rules\RejectCommonPasswords;
use Illuminate\Http\Request;

class TestController extends Controller
{
    public function testPasswordValidation(Request $request)
    {
        $validator = Validator::make($request->all(), [
            'password' => ['required', 'string', new RejectCommonPasswords()],
        ]);

        if ($validator->fails()) {
            return response()->json([
                'success' => false,
                'errors' => $validator->errors()
            ], 422);
        }

        return response()->json([
            'success' => true,
            'message' => 'Password passed validation - it is not a common password'
        ]);
    }
}

Configuration

The RejectCommonPasswords rule is automatically registered when the package is installed. No additional configuration is required.

Customizing the Password List

If you need to customize the list of common passwords, you can extend the rule:

<?php

namespace App\Rules;

use LaraUtilX\Rules\RejectCommonPasswords as BaseRejectCommonPasswords;

class CustomRejectCommonPasswords extends BaseRejectCommonPasswords
{
    protected array $commonPasswords = [
        // Your custom list of common passwords
        'company123',
        'mypassword',
        'secret123',
        // ... add more as needed
    ];
}

Custom Messages

Default Error Message

The default error message is:

The :attribute contains a common password that is not allowed.

Customizing Error Messages

You can customize the error message in several ways:

1. In Form Request Classes

public function messages(): array
{
    return [
        'password.reject_common_passwords' => 'Please choose a more secure password that is not commonly used.',
    ];
}

2. In Validation Arrays

$request->validate([
    'password' => ['required', 'string', new RejectCommonPasswords()],
], [
    'password.reject_common_passwords' => 'Your password is too common. Please choose a more unique password.',
]);

3. In Language Files

Create or update resources/lang/en/validation.php:

return [
    'reject_common_passwords' => 'The :attribute contains a common password that is not allowed.',
    // ... other validation messages
];

Publishing

Publish the Validation Rule

You can publish the validation rule to your application's app/Rules directory:

php artisan vendor:publish --tag=lara-util-x-validation-rules

This will create a copy of the RejectCommonPasswords rule in your app/Rules directory, allowing you to customize it as needed.

Published File Structure

After publishing, you'll find:

app/
└── Rules/
    └── RejectCommonPasswords.php

Security Benefits

Why Use This Rule?

  1. Prevents Weak Passwords: Blocks commonly used passwords that are easily guessable
  2. Reduces Brute Force Risk: Makes it harder for attackers to guess passwords
  3. Improves Security Posture: Enhances overall application security
  4. User Education: Encourages users to choose more secure passwords
  5. Compliance: Helps meet security requirements and best practices

Best Practices

  1. Combine with Other Rules: Use alongside min:8, confirmed, and other password rules
  2. User Feedback: Provide clear error messages to help users understand why their password was rejected
  3. Regular Updates: Consider updating the common passwords list periodically
  4. Custom Lists: Add organization-specific common passwords to the list

Examples

Complete Registration Form

<?php

namespace App\Http\Requests;

use Illuminate\Foundation\Http\FormRequest;
use LaraUtilX\Rules\RejectCommonPasswords;

class RegisterRequest extends FormRequest
{
    public function rules(): array
    {
        return [
            'name' => 'required|string|max:255',
            'email' => 'required|email|unique:users,email',
            'password' => [
                'required',
                'string',
                'min:8',
                'confirmed',
                'regex:/^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]/',
                new RejectCommonPasswords()
            ],
        ];
    }

    public function messages(): array
    {
        return [
            'password.reject_common_passwords' => 'Please choose a more secure password that is not commonly used.',
            'password.regex' => 'Password must contain at least one uppercase letter, one lowercase letter, one number, and one special character.',
        ];
    }
}

API Endpoint Example

use LaraUtilX\Rules\RejectCommonPasswords;

class PasswordController extends Controller
{
    public function validatePassword(Request $request)
    {
        $validator = Validator::make($request->all(), [
            'password' => ['required', 'string', 'min:8', new RejectCommonPasswords()],
        ]);

        if ($validator->fails()) {
            return response()->json([
                'valid' => false,
                'errors' => $validator->errors()
            ], 422);
        }

        return response()->json([
            'valid' => true,
            'message' => 'Password meets security requirements'
        ]);
    }
}

This validation rule is an essential tool for improving password security in your Laravel applications, helping protect your users and data from common password-based attacks.