As discussed in the Configure Shopper Settings chapter of Using Oracle Commerce Cloud, you can configure password policies through the Commerce Cloud administration interface. The purpose of these settings is to ensure that shoppers do not use passwords that are easy to guess.
The properties set through the administration interface can also be set using the savePolicies endpoint in the Admin API. In addition to these properties, this endpoint can set the blockCommonPasswords property, which has no equivalent setting in the administration interface. If blockCommonPasswords is set to true, Commerce Cloud rejects weak passwords, regardless of whether they meet the criteria specified in the other properties.
For example, the following call specifies values for password policy settings, including blockCommonPasswords, which it sets to true:
PUT /ccadmin/v1/merchant/profilePolicies HTTP/1.1
Authorization: Bearer <access_token>
{
"guestCheckoutEnabled": true,
"numberOfPreviousPasswords": 3,
"numberOfPreviousPasswordsMinVal": 1,
"passwordExpirationEnabled": false,
"passwordExpirationLengthMinVal": 1,
"sessionTimeoutLength": 15,
"cannotUsePreviousPasswords": false,
"passwordExpirationLength": 90,
"minPasswordLengthMinVal": 4,
"sessionTimeoutEnabled": true,
"minPasswordLengthMaxVal": 64,
"useNumber": true,
"cannotUseUsername": false,
"useMinPasswordLength": true,
"minPasswordLength": 8,
"numberOfPreviousPasswordsMaxVal": 6,
"useMixedCase": false,
"sessionTimeoutLengthMinVal": 1,
"sessionTimeoutLengthMaxVal": 120,
"useSymbol": false,
"blockCommonPasswords": true
}
If blockCommonPasswords is true, Commerce Cloud rejects any password that appears in its dictionary of weak passwords. When the shopper specifies a new password, it is compared against all of the entries in the dictionary, and if it matches one of those entries, it is rejected.
In addition to the passwords listed in the dictionary, you can specify your own list of passwords to block using the updateRestrictedWords endpoint. For example:
POST /ccadmin/v1/merchant/profilePolicies/updateRestrictedWords HTTP/1.1
Authorization: Bearer <access_token>
{
"add": ["frog", "cow", "pig"]
}
The response includes an items array that lists your blocked entries:
{
"links": [
{
"rel": "self",
"href": "http://myserver.example.com:7002/ccadmin/v1/merchant/profilePolicies/updateRestrictedWords"
}
],
"items": ["frog", "cow", "pig"]
}
You can also display your current list using the getRestrictedWords endpoint (GET /ccadmin/v1/merchant/profilePolicies/restrictedWords).
Note that your list of blocked passwords is not site-specific. The entries you specify apply to all sites running on your Commerce Cloud instance.
The updateRestrictedWords endpoint can also take a delete array for specifying entries to remove from your list. For example:
POST /ccadmin/v1/merchant/profilePolicies/updateRestrictedWords HTTP/1.1
Authorization: Bearer <access_token>
{
"delete": ["frog", "cow"]
}
Deleting entries affects only your own list of blocked passwords. You cannot modify the dictionary that Commerce Cloud uses. For example, if you add an entry to your list that matches a value already in the dictionary, and subsequently delete that entry from your list, it does not affect the entry for that value in the dictionary.
Note that changing settings in the password policy does not invalidate existing passwords. The policy change is applied only when a shopper attempts to set a new password.
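The following is an added example, not Oracle's code: a local model of the password policy rules described on this page, which lets you check candidate passwords against a savePolicies payload and a restricted-words list before applying them. The built-in weak-password dictionary is not exposed by the API, so a small constructed stand-in is used; case-insensitive whole-string matching and enforcing the merchant list alongside the dictionary are assumptions.

```python
# Added example (not Oracle code): a local model of the shopper password
# policy described on this page. The real weak-password dictionary is not
# exposed and cannot be modified, so a constructed stand-in is used here;
# case-insensitive whole-string matching is an assumption.

# Subset of the PUT /ccadmin/v1/merchant/profilePolicies payload shown above
POLICY = {
    "useMinPasswordLength": True, "minPasswordLength": 8,
    "useNumber": True, "useMixedCase": False, "useSymbol": False,
    "cannotUseUsername": False, "blockCommonPasswords": True,
}

# Constructed stand-in for Commerce Cloud's weak-password dictionary
BUILTIN_DICTIONARY = frozenset({"password", "123456", "qwerty", "letmein"})


def update_restricted_words(current, add=(), delete=()):
    """Model an updateRestrictedWords request: 'add' and 'delete' only
    change the merchant's own list, never the built-in dictionary."""
    return (set(current) | set(add)) - set(delete)


def check_password(password, policy, restricted=frozenset(), username=None):
    """Return the reasons a new password is rejected ([] means accepted).
    Only new passwords are checked; existing ones are not invalidated."""
    lowered = password.lower()
    # Assumption: the merchant list is enforced alongside the dictionary.
    if policy.get("blockCommonPasswords") and (
        lowered in BUILTIN_DICTIONARY or lowered in {w.lower() for w in restricted}
    ):
        # Rejected regardless of whether the other criteria are satisfied
        return ["common or restricted password"]
    reasons = []
    if policy.get("useMinPasswordLength") and len(password) < policy["minPasswordLength"]:
        reasons.append("shorter than minPasswordLength")
    if policy.get("useNumber") and not any(c.isdigit() for c in password):
        reasons.append("no digit")
    if policy.get("useMixedCase") and not (
        any(c.islower() for c in password) and any(c.isupper() for c in password)
    ):
        reasons.append("not mixed case")
    if policy.get("useSymbol") and not any(not c.isalnum() for c in password):
        reasons.append("no symbol")
    if policy.get("cannotUseUsername") and username and username.lower() in lowered:
        reasons.append("contains username")
    return reasons
```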