[WEB-4513] refactor: consolidate password strength meter into shared ui package

[anmolsinghbhatia]

Summary

• Refactored password strength meter into a shared PasswordStrengthIndicator component (packages/ui)
• Added custom helper utilities for strength calculation and validation
• Removed duplicated implementations from admin, space, and web apps
• Updated all password forms to use the shared component
• Removed zxcvbn from frontend dependencies to reduce bundle size

Type of Change

• Improvement
• Code refactoring

Media

Media

References

Work-item: [WEB-4513]

Summary by CodeRabbit

• New Features

  • Introduced a new PasswordStrengthIndicator component with enhanced UI feedback and password criteria validation.
  • Password fields now display which criteria are met (length, uppercase, lowercase, number, special character).

• Refactor

  • Replaced the old PasswordStrengthMeter component with the new PasswordStrengthIndicator across all apps.
  • Password strength logic now uses direct character checks instead of the zxcvbn library.

• Chores

  • Removed the zxcvbn dependency and related type definitions from all packages.

[coderabbitai]

Walkthrough

This change removes all usages and implementations of the legacy PasswordStrengthMeter component and its associated password strength logic, replacing them with a new PasswordStrengthIndicator component from the shared UI package. Password strength evaluation is refactored to remove the zxcvbn dependency, using custom criteria checks instead. Supporting UI and helper code is added or updated accordingly.

Changes

Files/Paths	Change Summary
apps/admin/core/components/common/password-strength-meter.tsx, apps/space/core/components/account/helpers/password-strength-meter.tsx, apps/web/core/components/account/password-strength-meter.tsx	Deleted legacy PasswordStrengthMeter React component implementations.
apps/space/helpers/password.helper.ts	Deleted password strength helper using zxcvbn.
apps/space/core/components/account/helpers/index.ts, apps/space/core/components/account/index.ts, apps/web/core/components/account/index.ts	Removed exports of password strength meter helpers/components.
apps/admin/core/components/instance/setup-form.tsx, apps/space/core/components/account/auth-forms/password.tsx, apps/web/app/(all)/[workspaceSlug]/(settings)/settings/account/security/page.tsx, apps/web/app/(all)/accounts/reset-password/page.tsx, apps/web/app/(all)/accounts/set-password/page.tsx, apps/web/app/(all)/profile/security/page.tsx, apps/web/core/components/account/auth-forms/password.tsx, apps/web/core/components/onboarding/profile-setup.tsx	Updated imports and usage to use PasswordStrengthIndicator instead of PasswordStrengthMeter.
apps/admin/package.json, apps/space/package.json, apps/web/package.json, packages/utils/package.json	Removed zxcvbn and its type definitions from dependencies.
packages/ui/src/form-fields/index.ts	Added export for password field module.
packages/ui/src/form-fields/password/helper.tsx	Added helper for password strength UI feedback (messages, colors, fragments).
packages/ui/src/form-fields/password/index.ts	Added new module re-exporting password indicator and helper.
packages/ui/src/form-fields/password/indicator.tsx	Added new PasswordStrengthIndicator React component with criteria validation and visual feedback.
packages/utils/src/auth.ts	Refactored password strength logic: removed zxcvbn, added direct criteria checks and criteria feedback.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant PasswordForm
    participant PasswordStrengthIndicator
    participant Utils (getPasswordStrength/getPasswordCriteria)

    User->>PasswordForm: Types password
    PasswordForm->>PasswordStrengthIndicator: Passes password & focus state
    PasswordStrengthIndicator->>Utils: getPasswordStrength(password)
    Utils-->>PasswordStrengthIndicator: Returns strength enum
    PasswordStrengthIndicator->>Utils: getPasswordCriteria(password)
    Utils-->>PasswordStrengthIndicator: Returns criteria array
    PasswordStrengthIndicator-->>PasswordForm: Renders strength meter & criteria
    PasswordForm-->>User: Displays password feedback

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~45 minutes

Poem

A password once measured by meter and score,
Now checks for strength at its very core.
No more zxcvbn, just rules clear and neat—
Upper, lower, number, and special complete!
With colors and fragments, the UI’s much brighter,
This bunny approves: your security’s tighter!
🥕🔒✨

---

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between de44915 and fd4eaee.

⛔ Files ignored due to path filters (1)

• yarn.lock is excluded by !**/yarn.lock, !**/*.lock

📒 Files selected for processing (8)

• apps/admin/package.json (1 hunks)
• apps/space/core/components/account/auth-forms/password.tsx (2 hunks)
• apps/space/package.json (1 hunks)
• apps/web/app/(all)/[workspaceSlug]/(settings)/settings/account/security/page.tsx (2 hunks)
• apps/web/app/(all)/accounts/set-password/page.tsx (2 hunks)
• apps/web/app/(all)/profile/security/page.tsx (2 hunks)
• apps/web/package.json (1 hunks)
• packages/utils/package.json (1 hunks)

✅ Files skipped from review due to trivial changes (3)

• apps/space/package.json
• apps/admin/package.json
• apps/web/package.json

🚧 Files skipped from review as they are similar to previous changes (5)

• packages/utils/package.json
• apps/web/app/(all)/profile/security/page.tsx
• apps/web/app/(all)/accounts/set-password/page.tsx
• apps/web/app/(all)/[workspaceSlug]/(settings)/settings/account/security/page.tsx
• apps/space/core/components/account/auth-forms/password.tsx

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: Build and lint web apps
• GitHub Check: Analyze (javascript)

✨ Finishing Touches

• 📝 Generate Docstrings

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch chore-consolidate-password-strength-indicator

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai generate unit tests to generate unit tests for this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[makeplane]

Pull Request Linked with Plane Work Items

• [WEB-4513] Replace password strength checker with custom regex

Comment Automatically Generated by Plane

[coderabbitai]

Actionable comments posted: 0

♻️ Duplicate comments (1)

apps/space/package.json (1)

40-53: Double-check Space app for stale imports after dropping zxcvbn

Same rationale as Admin & Web apps.

🧹 Nitpick comments (2)

packages/ui/src/form-fields/index.ts (1)

5-5: Barrel export looks correct – consider adding type re-exports

The new line properly surfaces the password field package; no issues spotted. If the sub-module exposes types/interfaces (PasswordCriteria, etc.), re-exporting them here would simplify consumer imports.

packages/ui/src/form-fields/password/indicator.tsx (1)

22-22: Simplify the ternary operator as flagged by static analysis.

The nested ternary operator can be simplified for better readability and performance.

-  const isPasswordMeterVisible = isFocused ? true : strength === E_PASSWORD_STRENGTH.STRENGTH_VALID ? false : true;
+  const isPasswordMeterVisible = isFocused || strength !== E_PASSWORD_STRENGTH.STRENGTH_VALID;

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d2629d7 and de44915.

⛔ Files ignored due to path filters (1)

• yarn.lock is excluded by !**/yarn.lock, !**/*.lock

📒 Files selected for processing (24)

• apps/admin/core/components/common/password-strength-meter.tsx (0 hunks)
• apps/admin/core/components/instance/setup-form.tsx (2 hunks)
• apps/admin/package.json (1 hunks)
• apps/space/core/components/account/auth-forms/password.tsx (2 hunks)
• apps/space/core/components/account/helpers/index.ts (0 hunks)
• apps/space/core/components/account/helpers/password-strength-meter.tsx (0 hunks)
• apps/space/core/components/account/index.ts (0 hunks)
• apps/space/helpers/password.helper.ts (0 hunks)
• apps/space/package.json (1 hunks)
• apps/web/app/(all)/[workspaceSlug]/(settings)/settings/account/security/page.tsx (2 hunks)
• apps/web/app/(all)/accounts/reset-password/page.tsx (2 hunks)
• apps/web/app/(all)/accounts/set-password/page.tsx (2 hunks)
• apps/web/app/(all)/profile/security/page.tsx (2 hunks)
• apps/web/core/components/account/auth-forms/password.tsx (2 hunks)
• apps/web/core/components/account/index.ts (0 hunks)
• apps/web/core/components/account/password-strength-meter.tsx (0 hunks)
• apps/web/core/components/onboarding/profile-setup.tsx (2 hunks)
• apps/web/package.json (1 hunks)
• packages/ui/src/form-fields/index.ts (1 hunks)
• packages/ui/src/form-fields/password/helper.tsx (1 hunks)
• packages/ui/src/form-fields/password/index.ts (1 hunks)
• packages/ui/src/form-fields/password/indicator.tsx (1 hunks)
• packages/utils/package.json (1 hunks)
• packages/utils/src/auth.ts (2 hunks)

🧠 Learnings (1)

apps/web/core/components/onboarding/profile-setup.tsx (1)

Learnt from: janreges
PR: #6743
File: packages/i18n/src/store/index.ts:160-161
Timestamp: 2025-03-11T19:42:41.769Z
Learning: In the Plane project, the file 'packages/i18n/src/store/index.ts' already includes support for Polish language translations with the case "pl".

🪛 Biome (1.9.4)

packages/ui/src/form-fields/password/indicator.tsx

[error] 22-22: Unnecessary use of boolean literals in conditional expression.

Simplify your code by directly assigning the result without using a ternary operator.
If your goal is negation, you may use the logical NOT (!) or double NOT (!!) operator for clearer and concise code.
Check for more details about NOT operator.
Unsafe fix: Remove the conditional expression with

(lint/complexity/noUselessTernary)

💤 Files with no reviewable changes (7)

• apps/space/core/components/account/index.ts
• apps/web/core/components/account/index.ts
• apps/space/core/components/account/helpers/index.ts
• apps/space/core/components/account/helpers/password-strength-meter.tsx
• apps/web/core/components/account/password-strength-meter.tsx
• apps/admin/core/components/common/password-strength-meter.tsx
• apps/space/helpers/password.helper.ts

🧰 Additional context used

🧠 Learnings (1)

apps/web/core/components/onboarding/profile-setup.tsx (1)

Learnt from: janreges
PR: #6743
File: packages/i18n/src/store/index.ts:160-161
Timestamp: 2025-03-11T19:42:41.769Z
Learning: In the Plane project, the file 'packages/i18n/src/store/index.ts' already includes support for Polish language translations with the case "pl".

🪛 Biome (1.9.4)

packages/ui/src/form-fields/password/indicator.tsx

[error] 22-22: Unnecessary use of boolean literals in conditional expression.

Simplify your code by directly assigning the result without using a ternary operator.
If your goal is negation, you may use the logical NOT (!) or double NOT (!!) operator for clearer and concise code.
Check for more details about NOT operator.
Unsafe fix: Remove the conditional expression with

(lint/complexity/noUselessTernary)

🔇 Additional comments (28)

apps/web/package.json (1)

17-69: No residual zxcvbn imports in apps/web

I searched all apps/web JS/TS files for both import and require references to zxcvbn and found none. Removing it from package.json is safe and won’t break the build.

packages/utils/package.json (1)

23-33: No incompatible uuid imports detected – safe to upgrade

• Searched for CommonJS require('uuid') and default ES imports (import uuid from 'uuid') across all JS/TS files; no occurrences found.
• All existing imports use the named syntax import { v4 as uuidv4 } from "uuid", which is compatible with v10.

apps/admin/package.json (1)

38-44: No leftover zxcvbn or password-strength references
Searches for zxcvbn, password-strength and related component files under apps/admin/ returned no matches—all helpers and components have been removed.

apps/web/app/(all)/accounts/reset-password/page.tsx (2)

14-14: LGTM: Import updated correctly for the new shared component.

The import has been properly updated to use PasswordStrengthIndicator from the shared UI package as part of the consolidation effort.

---

195-195: LGTM: Component usage updated consistently.

The component replacement maintains the same props interface (password and isFocused), ensuring seamless migration to the new shared password strength indicator.

apps/web/app/(all)/[workspaceSlug]/(settings)/settings/account/security/page.tsx (2)

10-10: LGTM: Import correctly updated for consolidated component.

The import statement has been properly updated to use the new PasswordStrengthIndicator from the shared UI package.

---

110-110: LGTM: Component replacement maintains consistent interface.

The component usage has been updated while preserving the same props and conditional rendering logic.

apps/web/app/(all)/accounts/set-password/page.tsx (2)

14-14: LGTM: Import statement correctly updated.

The import has been properly updated to use the new shared PasswordStrengthIndicator component.

---

189-189: LGTM: Component usage updated with consistent interface.

The component replacement maintains the same props structure, ensuring smooth transition to the shared component.

apps/web/app/(all)/profile/security/page.tsx (2)

10-10: LGTM: Import updated consistently with refactor.

The import statement has been correctly updated to use the new shared password strength indicator component.

---

110-110: LGTM: Component usage updated maintaining same interface.

The component replacement preserves the existing props and conditional rendering behavior.

apps/web/core/components/account/auth-forms/password.tsx (2)

11-11: LGTM: Import correctly updated for shared component.

The import statement has been properly updated to use the new PasswordStrengthIndicator from the consolidated UI package.

---

98-98: LGTM: Final component replacement completes the consistent refactor.

The component usage has been updated while maintaining the same props interface. This completes a well-executed consolidation across all password forms, ensuring consistent password strength feedback throughout the application.

packages/ui/src/form-fields/password/index.ts (1)

1-2: Clean module organization for password form fields.

The index file properly follows the standard pattern of re-exporting related functionality, making it easy for consumers to import password strength components and helpers from a single entry point.

apps/admin/core/components/instance/setup-form.tsx (2)

10-10: Clean migration to the shared password strength component.

The import has been properly updated to use the new PasswordStrengthIndicator from the shared UI package, aligning with the consolidation objectives.

---

276-276: Consistent API usage for password strength indicator.

The component usage maintains the same props (password and isFocused), demonstrating good API compatibility between the old and new components.

apps/web/core/components/onboarding/profile-setup.tsx (2)

14-14: Successfully migrated to shared password strength component.

The import statement correctly references the new PasswordStrengthIndicator from the UI package, supporting the consolidation effort.

---

456-459: Proper component usage with consistent API.

The PasswordStrengthIndicator is correctly implemented with the same props pattern as the previous component, ensuring seamless functionality.

apps/space/core/components/account/auth-forms/password.tsx (2)

7-10: Comprehensive migration to shared password utilities.

The imports correctly transition from local implementations to the shared utilities (PasswordStrengthIndicator from UI and getPasswordStrength from utils), supporting both the component consolidation and logic centralization objectives.

---

72-72: Consistent component usage in conditional rendering.

The PasswordStrengthIndicator is properly integrated within the conditional logic, maintaining the same props pattern for seamless functionality.

packages/ui/src/form-fields/password/helper.tsx (3)

3-7: Well-defined interface for password strength feedback.

The StrengthInfo interface provides a clean structure for encapsulating password strength UI data with clear property names and appropriate types.

---

12-45: Comprehensive strength evaluation with proper fallback.

The function correctly maps all password strength states to appropriate UI feedback. The default case provides a sensible fallback, ensuring robust behavior.

---

50-65: Clean color logic for visual strength indicators.

The fragment coloring logic is well-structured with appropriate fallbacks. The color mapping (red→orange→green) provides intuitive visual feedback for password strength progression.

packages/ui/src/form-fields/password/indicator.tsx (3)

1-11: LGTM! Clean imports and well-structured interface.

The component interface is well-designed with appropriate optional props and sensible defaults.

---

28-46: LGTM! Well-implemented visual strength indicator.

The strength meter with animated fragments and conditional message display is well-structured. The accessibility concern of color-only indication is mitigated by the accompanying text message and detailed criteria list.

---

48-72: LGTM! Well-structured criteria list with good accessibility.

The criteria list provides clear visual and textual feedback for each password requirement, with proper conditional styling and responsive layout.

packages/utils/src/auth.ts (2)

43-78: LGTM! Well-structured criteria validation with clear user feedback.

The PasswordCriteria type and getPasswordCriteria function provide excellent separation between validation logic and UI display. The criteria labels are user-friendly and the validation logic is consistent with getPasswordStrength.

The regex pattern consistency between both functions ensures reliable validation behavior.

---

21-41: Include double-quote in special-character regex

The Python test shows that the current regex doesn’t match " (double‐quote), so if you intend to treat " as a valid special character you’ll need to add it to the character class.

Locations to update:

• File: packages/utils/src/auth.ts
• Function: getPasswordStrength
• Line where hasSpecialChar is defined

Suggested diff:

- const hasSpecialChar = /[!@#$%^&*()\-_+=\[\]{}|;:'",.<>?/]/.test(password);
+ const hasSpecialChar = /[!@#$%^&*()\-_+=\[\]{}|;:'",.<>?\/]/.test(password);

If you intentionally exclude " from your policy, no change is needed.

Likely an incorrect or invalid review comment.