symfony · nicolas-grekas · Apr 1, 2023 · Mar 31, 2023
diff --git a/src/Symfony/Component/Validator/Constraints/PasswordStrength.php b/src/Symfony/Component/Validator/Constraints/PasswordStrength.php
@@ -40,12 +40,16 @@ final class PasswordStrength extends Constraint
 
     public int $minScore;
 
-    public function __construct(int $minScore = self::STRENGTH_REASONABLE, mixed $options = null, array $groups = null, mixed $payload = null)
+    public function __construct(array $options = null, int $minScore = null, array $groups = null, mixed $payload = null)
     {
-        if (isset($minScore) && (!\is_int($minScore) || $minScore < 1 || $minScore > 4)) {
-            throw new ConstraintDefinitionException(sprintf('The parameter "minScore" of the "%s" constraint must be an integer between 1 and 4.', static::class));
-        }
-        $options['minScore'] = $minScore;
+        $options['minScore'] ??= self::STRENGTH_REASONABLE;
+
         parent::__construct($options, $groups, $payload);
+
+        $this->minScore = $minScore ?? $this->minScore;
+
+        if ($this->minScore < 1 || 4 < $this->minScore) {
+            throw new ConstraintDefinitionException(sprintf('The parameter "minScore" of the "%s" constraint must be an integer between 1 and 4.', self::class));
+        }
     }
 }
diff --git a/src/Symfony/Component/Validator/Constraints/PasswordStrengthValidator.php b/src/Symfony/Component/Validator/Constraints/PasswordStrengthValidator.php
@@ -58,7 +58,26 @@ public function validate(#[\SensitiveParameter] mixed $value, Constraint $constr
      */
     private static function estimateStrength(#[\SensitiveParameter] string $password): int
     {
-        $entropy = log(\strlen(count_chars($password, 3)) ** \strlen($password), 2);
+        if (!$length = \strlen($password)) {
+            return PasswordStrength::STRENGTH_VERY_WEAK;
+        }
+        $password = count_chars($password, 1);
+        $chars = \count($password);
+
+        $control = $digit = $upper = $lower = $symbol = $other = 0;
+        foreach ($password as $chr => $count) {
+            match (true) {
+                $chr < 32 || 127 === $chr => $control = 33,
+                48 <= $chr && $chr <= 57 => $digit = 10,
+                65 <= $chr && $chr <= 90 => $upper = 26,
+                97 <= $chr && $chr <= 122 => $lower = 26,
+                128 <= $chr => $other = 128,
+                default => $symbol = 33,
+            };
+        }
+
+        $pool = $lower + $upper + $digit + $symbol + $control + $other;
+        $entropy = $chars * log($pool, 2) + ($length - $chars) * log($chars, 2);
 
         return match (true) {
             $entropy >= 120 => PasswordStrength::STRENGTH_VERY_STRONG,

diff --git a/src/Symfony/Component/Validator/Tests/Constraints/PasswordStrengthValidatorTest.php b/src/Symfony/Component/Validator/Tests/Constraints/PasswordStrengthValidatorTest.php
@@ -30,12 +30,22 @@ public function testValidValues(string $value, int $expectedStrength)
         $this->validator->validate($value, new PasswordStrength(minScore: $expectedStrength));
 
         $this->assertNoViolation();
+
+        if (PasswordStrength::STRENGTH_VERY_STRONG === $expectedStrength) {
+            return;
+        }
+
+        $this->validator->validate($value, new PasswordStrength(minScore: $expectedStrength + 1));
+
+        $this->buildViolation('The password strength is too low. Please use a stronger password.')
+            ->setCode(PasswordStrength::PASSWORD_STRENGTH_ERROR)
+            ->assertRaised();
     }
 
     public static function getValidValues(): iterable
     {
-        yield ['How-is this 🤔?!', PasswordStrength::STRENGTH_WEAK];
-        yield ['Reasonable-pwd-❤️', PasswordStrength::STRENGTH_REASONABLE];
+        yield ['How-is-this', PasswordStrength::STRENGTH_WEAK];
+        yield ['Reasonable-pwd', PasswordStrength::STRENGTH_REASONABLE];
         yield ['This 1s a very g00d Pa55word! ;-)', PasswordStrength::STRENGTH_VERY_STRONG];
         yield ['pudding-smack-👌🏼-fox-😎', PasswordStrength::STRENGTH_VERY_STRONG];
     }