synapse's password policy is ignored/circumvented

[HarHarLinks]

Describe the bug

To Reproduce

1. setup synapse password policy e.g. minimum length 10 letters
2. register new user with token, using a policy violating password, e.g. 8 characters long

Expected behavior

respect pw policy

Screenshots

System:

• OS: docker
• python version: docker
• matrix registration version: v0.7.2 (docker)

Additional context

not sure what good practices are in regards of informing users of the pw policy

[zeratax]

are those policies being exposed somehow? otherwise you can set this manually via https://github.com/ZerataX/matrix-registration/blob/master/config.sample.yaml#L41

[HarHarLinks]

looks like they are, this is the MSC the synapse sample config file links to https://github.com/matrix-org/matrix-doc/blob/babolivier/password-policy/proposals/2000-password-policies.md

[xelantro]

Since the admin of the Synapse server also runs matrix-registration, we'd have two ways of implementing this:
Requesting the server policy via synapse api
+ following the configuration setup in synapse
- doesn't seem to have a default value (on my server it just returns empty json body - synapse 1.37.1 / edit: even matrix.org doesn't seem to implement /_matrix/client/r0/password_policy)
- doesn't seem to be suggested anywhere to change theese (correct me if I missed it)
- the synapse config files are quite cryptic and always scary for less experienced admins to touch

Implementing it ourselfes
+ centralised registration policies (e.g. usernames, passwords)
+ cleaner way of configuration (easier to find in my opinion)
(+ prettier on our side to implement without repeating api calls)

Conclusion / Proposal
The probability of one using the integrated registration feature of synapse alongside matrix-reistration is quite low.
So I propose that we include theese settings into our password reqirement field somewhat like this:

# password requirements
password:
  min_length: 8
  needs_lowercase: true
  needs_upercase: false
  needs_numbers: false
  needs_symbols: false

Of cause open to suggestions (esp. regarding the default values)

[zeratax]

looks like this msc isn't yet merged?
matrix-org/matrix-spec-proposals#2000

it is in synapse though:
matrix-org/synapse#7118

@xelantro looks like if you don't define a password policy it just responds with {}
since as the msc describes all parameters are optional