Merge pull request #1372 from salesforcecli/jf/W-21055697

feat: generated passwords default to 20 if unspecified or a lower value is provided @W-21055697@

Author: soridalac

messages/password.generate.md

@@ -25,9 +25,9 @@ To see a password that was previously generated, run "org display user".
 
   <%= config.bin %> <%= command.id %>
 
-- Generate a password that contains 12 characters for the original admin user of the scratch org with alias "my-scratch":
+- Generate a password that contains 25 characters for the original admin user of the scratch org with alias "my-scratch":
 
-  <%= config.bin %> <%= command.id %> --length 12 --target-org my-scratch
+  <%= config.bin %> <%= command.id %> --length 25 --target-org my-scratch
 
 - Generate a password for your default scratch org admin user that uses lower and upper case letters and numbers only:
 
@@ -43,7 +43,7 @@ Comma-separated list of usernames or aliases to assign the password to; must hav
 
 # flags.length.summary
 
-Number of characters in the generated password; valid values are between 8 and 100.
+Number of characters in the generated password; valid values are between 20 and 100. Default value is 20.
 
 # flags.complexity.summary
 
@@ -66,6 +66,10 @@ version 51.0 of the Metadata API.
 - "features": ["EnableSetPasswordInApi"]
 - Then try creating the scratch org again.
 
+# defaultingToLength20Password
+
+Starting in Summer '26, this command will fail if you specify a password length below 20. For now, the command is generating a password of length 20 instead of the requested length.
+
 # scratchFeaturesUrl
 
 see https://developer.salesforce.com/docs/atlas.en-us.sfdx_dev.meta/sfdx_dev/sfdx_dev_scratch_orgs_def_file_config_values.htm

src/commands/force/user/password/generate.ts

@@ -43,7 +43,7 @@ export class ForceUserPasswordGenerateCommand extends UserPasswordGenerateBaseCo
       summary: messages.getMessage('flags.length.summary'),
       min: 8,
       max: 1000,
-      default: 13,
+      default: 20,
     }),
     // the higher the value, the stronger the password
     complexity: Flags.integer({

src/commands/org/generate/password.ts

@@ -50,7 +50,7 @@ export class GenerateUserPasswordCommand extends UserPasswordGenerateBaseCommand
       summary: messages.getMessage('flags.length.summary'),
       min: 8,
       max: 1000,
-      default: 13,
+      default: 20,
     }),
     // the higher the value, the stronger the password
     complexity: Flags.integer({
@@ -66,9 +66,14 @@ export class GenerateUserPasswordCommand extends UserPasswordGenerateBaseCommand
 
   public async run(): Promise<GenerateResult> {
     const { flags } = await this.parse(GenerateUserPasswordCommand);
+    let length: number = flags.length;
+    if (length < 20) {
+      this.warn(messages.getMessage('defaultingToLength20Password'));
+      length = 20;
+    }
     return this.generate({
       usernames: ensureArray(flags['on-behalf-of'] ?? flags['target-org'].getUsername()),
-      length: flags.length,
+      length,
       complexity: flags.complexity,
       conn: flags['target-org'].getConnection(flags['api-version']),
     });

test/allCommands.nut.ts

@@ -132,7 +132,7 @@ describe('verifies all commands run successfully ', () => {
       ensureExitCode: 0,
     }).jsonOutput?.result;
     // testing default length
-    expect(output?.password?.length).to.equal(13);
+    expect(output?.password?.length).to.equal(20);
     const complexity5Regex = new RegExp('^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])(?=.*[!@#$|%^&*()[\\]_-])');
     // testing default complexity
     expect(complexity5Regex.test(output?.password ?? '')).to.be.true;
@@ -142,7 +142,8 @@ describe('verifies all commands run successfully ', () => {
     const output = execCmd<{ username: string; password: string }>('org:generate:password --json -l 11 -c 3', {
       ensureExitCode: 0,
     }).jsonOutput?.result;
-    expect(output?.password.length).to.equal(11);
+    // Password length gets overridden to 20
+    expect(output?.password.length).to.equal(20);
     const complexity3Regex = new RegExp('^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])');
     expect(complexity3Regex.test(output?.password ?? ''));
   });
@@ -157,7 +158,8 @@ describe('verifies all commands run successfully ', () => {
       ensureExitCode: 0,
     }).jsonOutput?.result;
 
-    expect(output?.password.length).to.equal(12);
+    // Password length overridden to 20
+    expect(output?.password.length).to.equal(20);
     const complexity5Regex = new RegExp('^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])(?=.*[!@#$|%^&*()[\\]_-])');
     // testing the default complexity
     expect(complexity5Regex.test(output?.password ?? ''));
@@ -168,7 +170,7 @@ describe('verifies all commands run successfully ', () => {
       ensureExitCode: 0,
     }).jsonOutput?.result;
     // testing default length
-    expect(output?.password.length).to.equal(13);
+    expect(output?.password.length).to.equal(20);
     const complexity3Regex = new RegExp('^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])');
     expect(complexity3Regex.test(output?.password ?? ''));
   });

test/commands/password/generate.test.ts

@@ -16,6 +16,7 @@
 
 import { Connection, Messages, User } from '@salesforce/core';
 import { MockTestOrgData, TestContext } from '@salesforce/core/testSetup';
+import { stubSfCommandUx } from '@salesforce/sf-plugins-core';
 import { assert, expect } from 'chai';
 // dirty import to stub something we don't want to export from sfdx-core
 import { SecureBuffer } from '../../../node_modules/@salesforce/core/lib/crypto/secureBuffer.js';
@@ -83,16 +84,44 @@ describe('org:generate:password', () => {
     expect(result).to.deep.equal(expected);
     expect(queryStub.callCount).to.equal(1);
   });
-  it('should generate a new passsword of length 12', async () => {
-    await prepareStubs(false, false);
-    const result = (await GenerateUserPasswordCommand.run([
-      '--target-org',
-      testOrg.username,
-      '-l',
-      '12',
-      '--json',
-    ])) as PasswordData;
-    expect(result.password.length).to.equal(12);
+
+  describe('--length handling', () => {
+    it('when no length is specified, password should default to length 20', async () => {
+      await prepareStubs(false, false);
+      const result = (await GenerateUserPasswordCommand.run([
+        '--target-org',
+        testOrg.username,
+        '--json',
+      ])) as PasswordData;
+
+      expect(result.password.length).to.equal(20);
+    });
+
+    it('when length <20 is specified, logs info-level message and defaults to 20', async () => {
+      await prepareStubs(false, false);
+      const uxStubs = stubSfCommandUx($$.SANDBOX);
+      const result = (await GenerateUserPasswordCommand.run([
+        '--target-org',
+        testOrg.username,
+        '--length',
+        '12',
+        '--json',
+      ])) as PasswordData;
+      expect(result.password.length).to.equal(20);
+      expect(uxStubs.warn.args.flat()).to.include(messages.getMessage('defaultingToLength20Password'));
+    });
+
+    it('when length >20 is specified, length is used as-is', async () => {
+      await prepareStubs(false, false);
+      const result = (await GenerateUserPasswordCommand.run([
+        '--target-org',
+        testOrg.username,
+        '--length',
+        '50',
+        '--json',
+      ])) as PasswordData;
+      expect(result.password.length).to.equal(50);
+    });
   });
   it('should throw the correct error with warning message', async () => {
     await prepareStubs(true);

test/forceCommands.nut.ts

@@ -135,7 +135,7 @@ describe('verifies legacy force commands run successfully ', () => {
       ensureExitCode: 0,
     }).jsonOutput?.result;
     // testing default length
-    expect(output?.password?.length).to.equal(13);
+    expect(output?.password?.length).to.equal(20);
     const complexity5Regex = new RegExp('^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])(?=.*[!@#$|%^&*()[\\]_-])');
     // testing default complexity
     expect(complexity5Regex.test(output?.password ?? '')).to.be.true;
@@ -177,7 +177,7 @@ describe('verifies legacy force commands run successfully ', () => {
       }
     ).jsonOutput?.result;
     // testing default length
-    expect(output?.password.length).to.equal(13);
+    expect(output?.password.length).to.equal(20);
     const complexity3Regex = new RegExp('^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])');
     expect(complexity3Regex.test(output?.password ?? ''));
   });