🔒(backend) respect keycloak password policy when generating passwords

[zeylos]

Purpose

Description...

Proposal

Description...

• [] item 1...
• [] item 2...

Summary by CodeRabbit

• Security
  • Minimum password length requirement increased to 12 characters
  • Passwords now must include special characters in addition to letters and numbers

[coderabbitai]

Warning

Rate limit exceeded

@zeylos has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 51 minutes and 7 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 51 minutes and 7 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: df067bec-a613-4235-ad20-68ce7a270a56

📥 Commits

Reviewing files that changed from the base of the PR and between 05d23e2 and e94a530.

📒 Files selected for processing (1)

• src/backend/core/services/identity/keycloak.py

📝 Walkthrough

Walkthrough

Updated the generate_password function in the Keycloak identity service to enforce stronger password requirements. The minimum length increased from 3 to 12 characters, a special character requirement was added, and the digits character pool was modified.

Changes

Cohort / File(s)	Summary
Password Security Enhancement src/backend/core/services/identity/keycloak.py	Increased minimum password length from 3 to 12 characters, added mandatory special character inclusion from set "!@#$%&*?", updated digits pool to "12346789", and enhanced character selection logic to sample from combined uppercase, lowercase, digits, and special characters.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Suggested reviewers

• sylvinus

Poem

🐰 Passwords grow stronger, twelve hops deep,
Special characters dance and leap,
No more shortcuts, weak and bare,
Secure the gates with utmost care! 🔐

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly relates to the main change: enforcing stricter password requirements (minimum 12 chars, special characters) to respect Keycloak's password policy in the generate_password function.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch keycloak_password_policy

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/backend/core/services/identity/keycloak.py`:
- Around line 316-319: The digit character pool _digits was changed to include
"1", reintroducing a visually ambiguous character against the project's
ambiguity-avoidance convention; revert _digits to exclude ambiguous digits by
setting the pool back to "2346789" (matching the convention used by _upper and
_lower), and ensure any related password-generation logic that references
_digits continues to function without further changes (look for usages of
_digits in the password generator function/class in this module to confirm no
additional adjustments are required).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 53654b60-683c-4d66-85e7-dae9c2cf729d

📥 Commits

Reviewing files that changed from the base of the PR and between 7a0f6fb and 05d23e2.

📒 Files selected for processing (1)

• src/backend/core/services/identity/keycloak.py