@Stereco-btc Stereco-btc commented Oct 20, 2025

Overview: This PR introduces stricter validation rules for authentication inputs to enhance security and data integrity.

Changes

  • Implemented stronger password requirements, including minimum length and character diversity, within src/lib/validations/auth.ts.
  • Added input trimming checks to ensure no leading or trailing whitespace for relevant authentication fields.
  • Updated associated error messages to provide clearer feedback to users.
  • All changes are confined to src/lib/validations/auth.ts.

Summary by CodeRabbit

  • Bug Fixes
    • Strengthened password validation with enhanced security requirements: minimum 8 characters including uppercase, lowercase, digit, and special character.
    • Improved input handling with automatic whitespace trimming for email and name fields.


coderabbitai bot commented Oct 20, 2025

Walkthrough

The pull request strengthens authentication validation by enhancing the SigninSchema and SignupSchema in src/lib/validations/auth.ts. Both schemas now trim email inputs, enforce stricter password requirements (8+ characters with uppercase, lowercase, digit, and special character), and SignupSchema also trims the name field. A new SignupFormValues type export is added.

Changes

| Cohort / File(s) | Change Summary |
|---|---|
| Authentication Validation Enhancement: src/lib/validations/auth.ts | Updated SigninSchema and SignupSchema to trim email fields and enforce stricter password policy (min 8 chars, uppercase, lowercase, digit, special character). Updated SignupSchema to trim name field and adjust error messages. Added new SignupFormValues type export. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Suggested reviewers

  • fehranbit

Poem

🐰 A rabbit checks the gates with care,
Passwords stronger, defenses fair!
Trim the spaces, polish each field,
Eight chars and symbols—a fortress sealed!
Security hops forward, validation complete! 🔐

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title Check | ✅ Passed | The title "Add stricter authentication validation rules" directly and accurately captures the main objective of the pull request. The changeset implements stricter validation requirements across both SigninSchema and SignupSchema, including enhanced password policies (minimum 8 characters with character diversity requirements), input trimming, and updated error messages. The title is concise, clear, and specific enough for a teammate to understand the primary change without being overly verbose or vague. |
| Docstring Coverage | ✅ Passed | No functions found in the changes. Docstring coverage check skipped. |

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 06a1f86 and 679200e.

📒 Files selected for processing (1)
  • src/lib/validations/auth.ts (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: lint-and-build
🔇 Additional comments (2)
src/lib/validations/auth.ts (2)

27-27: LGTM! Good addition for type consistency.

The new SignupFormValues type export mirrors the existing SigninFormValues pattern and provides proper type inference for consumers of the schema.


4-4: The original review comment contains a false assumption about the codebase.

The concern about existing users with whitespace in emails cannot cause authentication or duplicate account issues because:

  1. Normalization at logic layer: Both signin and signup normalize emails with trim().toLowerCase() before any database operations (signin/logic.ts:19, signup/logic.ts:21)
  2. Normalized on storage: During signup, the normalized email is stored in the database
  3. Normalized on lookup: During signin, the normalized email is used in the database query
  4. New application: This project is only ~6 weeks old (created Sept 6, 2025) with minimal existing user data

The validation-layer trimming (auth.ts lines 4, 16) is redundant but harmless since trimming already occurs at the logic layer before database operations. There is no risk of mismatches between trimmed input and stored data.

Likely an incorrect or invalid review comment.

Comment on lines +5 to +11
password: z.string()
.trim()
.min(8, { message: 'Password must be at least 8 characters long.' })
.regex(/[A-Z]/, { message: 'Password must contain at least one uppercase letter.' })
.regex(/[a-z]/, { message: 'Password must contain at least one lowercase letter.' })
.regex(/[0-9]/, { message: 'Password must contain at least one digit.' })
.regex(/[^a-zA-Z0-9]/, { message: 'Password must contain at least one special character.' })
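
Review bot: The character-class checks `.regex(/[A-Z]/, …)` and `.regex(/[a-z]/, …)` match ASCII letters only, so a long all-lower-case passphrase, or a password written in non-ASCII letters, is rejected even though it clears `.min(8)`. If the goal is stronger passwords rather than a particular alphabet, consider raising the minimum length in place of the per-class regexes, or at least document that only ASCII letters satisfy these two rules.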

⚠️ Potential issue | 🔴 Critical

Critical: Remove password trimming and reconsider stricter rules for signin.

Two critical issues:

  1. Trimming passwords is a security risk: The .trim() on line 6 removes intentional leading/trailing whitespace from passwords. Users may include such whitespace as part of their password, and removing it will prevent authentication and reduce password entropy.

  2. Stricter validation breaks existing users: Applying enhanced password requirements (min 8 chars, character diversity) to the signin schema will reject existing users whose passwords meet the old requirements (min 6 chars) but not the new ones, preventing them from signing in.

Apply this diff to remove password trimming from both schemas:

 export const SigninSchema = z.object({
   email: z.string().trim().email({ message: 'Invalid email address.' }),
   password: z.string()
-    .trim()
     .min(8, { message: 'Password must be at least 8 characters long.' })
     .regex(/[A-Z]/, { message: 'Password must contain at least one uppercase letter.' })
     .regex(/[a-z]/, { message: 'Password must contain at least one lowercase letter.' })
     .regex(/[0-9]/, { message: 'Password must contain at least one digit.' })
     .regex(/[^a-zA-Z0-9]/, { message: 'Password must contain at least one special character.' })
 });

 export const SignupSchema = z.object({
   name: z.string().trim().min(2, { message: 'Name must be at least 2 characters long.' }),
   email: z.string().trim().email({ message: 'Invalid email address.' }),
   password: z.string()
-    .trim()
     .min(8, { message: 'Password must be at least 8 characters long.' })
     .regex(/[A-Z]/, { message: 'Password must contain at least one uppercase letter.' })
     .regex(/[a-z]/, { message: 'Password must contain at least one lowercase letter.' })
     .regex(/[0-9]/, { message: 'Password must contain at least one digit.' })
     .regex(/[^a-zA-Z0-9]/, { message: 'Password must contain at least one special character.' })
 });
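
Review bot: Once `.trim()` is removed, the rule `.regex(/[^a-zA-Z0-9]/, …)` in both schemas is satisfied by a leading or trailing space, so whitespace alone counts as the "special character"; decide whether that is intended and word the message to match. Neither password chain has a `.max(…)`, so strings of any length pass validation, and an explicit upper bound would make the accepted range clear. `SigninSchema` also still carries the full complexity rules after this diff.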

For the signin schema, consider using the original lenient validation (min 6 chars) to avoid breaking existing users, or implement a password migration strategy:

 export const SigninSchema = z.object({
   email: z.string().trim().email({ message: 'Invalid email address.' }),
-  password: z.string()
-    .min(8, { message: 'Password must be at least 8 characters long.' })
-    .regex(/[A-Z]/, { message: 'Password must contain at least one uppercase letter.' })
-    .regex(/[a-z]/, { message: 'Password must contain at least one lowercase letter.' })
-    .regex(/[0-9]/, { message: 'Password must contain at least one digit.' })
-    .regex(/[^a-zA-Z0-9]/, { message: 'Password must contain at least one special character.' })
+  password: z.string().min(6, { message: 'Password must be at least 6 characters.' })
 });
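
Review bot: The replacement line `password: z.string().min(6, …)` still applies a policy check on sign-in, where the credential comparison already decides the outcome; a length rule here can only reject input before lookup, and its message states the policy to anyone submitting the form. Consider requiring only a non-empty string on `SigninSchema` (for example `.min(1, …)` with a generic message) and keeping length and complexity rules on `SignupSchema` alone.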

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents
In src/lib/validations/auth.ts around lines 5 to 11, the password validator
currently calls .trim() and applies strict complexity rules; remove the .trim()
call to preserve leading/trailing whitespace as valid password characters, and
for the signin schema revert to the original lenient validation (minimum length
6 and no added complexity regexes) so existing users are not rejected; ensure
the signup schema can keep stricter rules if desired but do not apply those
stricter rules to the signin schema without a documented migration strategy.
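
The two problems raised in the review above, as an added example that is not part of the PR or of CodeRabbit's comment: plain-JavaScript stand-ins for the schemas (no zod), with hypothetical function names and constructed sample passwords, comparing sign-in as merged with sign-in as the review suggests.

```javascript
// Added example: plain-JS stand-ins for the zod schemas discussed above.
// Rule messages are copied from the PR; all function names are hypothetical.
const SIGNUP_RULES = [
  [(p) => p.length >= 8, 'Password must be at least 8 characters long.'],
  [(p) => /[A-Z]/.test(p), 'Password must contain at least one uppercase letter.'],
  [(p) => /[a-z]/.test(p), 'Password must contain at least one lowercase letter.'],
  [(p) => /[0-9]/.test(p), 'Password must contain at least one digit.'],
  [(p) => /[^a-zA-Z0-9]/.test(p), 'Password must contain at least one special character.'],
];

// Messages of every rule the password fails (empty array = accepted).
function policyErrors(password) {
  return SIGNUP_RULES.filter(([ok]) => !ok(password)).map(([, msg]) => msg);
}

// Sign-in as merged: trim first, then apply the full sign-up policy.
function signinAsMerged(password) {
  const value = password.trim();
  return { value, errors: policyErrors(value) };
}

// Sign-in as the review suggests: no trimming, original min-6 rule only.
function signinAsReviewed(password) {
  const errors = password.length >= 6 ? [] : ['Password must be at least 6 characters.'];
  return { value: password, errors };
}

// Sign-up as the review suggests: full policy, but the value is never altered.
function signupAsReviewed(password) {
  return { value: password, errors: policyErrors(password) };
}

// Constructed sample inputs.
const spaced = ' Tr1cky!pass '; // surrounding spaces chosen on purpose
const legacy = 'abc123';        // valid under the old min-6 rule

// The merged schema hands on a different string than the user typed.
console.log(signinAsMerged(spaced).value === spaced, signinAsReviewed(spaced).value === spaced);
// The merged schema rejects the legacy password before any credential lookup.
console.log(signinAsMerged(legacy).errors, signinAsReviewed(legacy).errors);
// A trailing space satisfies the special-character rule only when not trimmed.
console.log(signupAsReviewed('Passw0rd ').errors, signinAsMerged('Passw0rd ').errors);
```
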

@fehranbit fehranbit merged commit 38de619 into main Oct 20, 2025
1 of 2 checks passed
@fehranbit fehranbit deleted the feat/stricter-auth-validation branch October 20, 2025 16:41