As discussed in the Configure Shopper Settings chapter of Using Oracle Commerce Cloud, you can configure password policies through the Commerce Cloud administration interface. The purpose of these settings is to ensure that shoppers do not use passwords that are easy to guess.

The properties set through the administration interface can also be set using the savePolicies endpoint in the Admin API. In addition to these properties, this endpoint can set the blockCommonPasswords property, which has no equivalent setting in the administration interface. If blockCommonPasswords is set to true, Commerce Cloud rejects weak passwords, regardless of whether they meet the criteria specified in the other properties.

For example, the following call specifies values for password policy settings, including blockCommonPasswords, which it sets to true:

PUT /ccadmin/v1/merchant/profilePolicies  HTTP/1.1
Authorization: Bearer <access_token>

{
  "guestCheckoutEnabled": true,
  "numberOfPreviousPasswords": 3,
  "numberOfPreviousPasswordsMinVal": 1,
  "passwordExpirationEnabled": false,
  "passwordExpirationLengthMinVal": 1,
  "sessionTimeoutLength": 15,
  "cannotUsePreviousPasswords": false,
  "passwordExpirationLength": 90,
  "minPasswordLengthMinVal": 4,
  "sessionTimeoutEnabled": true,
  "minPasswordLengthMaxVal": 64,
  "useNumber": true,
  "cannotUseUsername": false,
  "useMinPasswordLength": true,
  "minPasswordLength": 8,
  "numberOfPreviousPasswordsMaxVal": 6,
  "useMixedCase": false,
  "sessionTimeoutLengthMinVal": 1,
  "sessionTimeoutLengthMaxVal": 120,
  "useSymbol": false,
  "blockCommonPasswords": true
}

If blockCommonPasswords is true, Commerce Cloud rejects any password that appears in its dictionary of weak passwords. When the shopper specifies a new password, it is compared against all of the entries in the dictionary, and if it matches one of those entries, it is rejected.
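The following Python model, added here as an illustration and not Oracle's own code, shows what each of the policy properties in the PUT body above means for a candidate password. The COMMON_PASSWORDS set is a constructed stand-in for the Commerce Cloud weak-password dictionary, whose contents are not published on this page, and the exact server-side matching rules (for instance whether cannotUseUsername is a substring or an exact comparison) are assumptions noted in the code.

```python
import re

# Policy values taken from the PUT /ccadmin/v1/merchant/profilePolicies body shown above.
POLICY = {
    "useMinPasswordLength": True,
    "minPasswordLength": 8,
    "useNumber": True,
    "useMixedCase": False,
    "useSymbol": False,
    "cannotUseUsername": False,
    "blockCommonPasswords": True,
}

# Constructed stand-in for the Commerce Cloud weak-password dictionary; the real
# dictionary is not published on this page and cannot be edited through the API.
COMMON_PASSWORDS = frozenset({"password", "12345678", "qwerty123", "letmein"})


def password_violations(password, username, policy, common_passwords=COMMON_PASSWORDS):
    """Return the list of policy rules a candidate password would trip.

    Each check follows the documented meaning of the property it is named
    after. How Commerce Cloud matches server-side is not stated on the page;
    the case-insensitive substring comparison used for cannotUseUsername is
    an assumption.
    """
    problems = []
    if policy.get("useMinPasswordLength") and len(password) < policy["minPasswordLength"]:
        problems.append("minPasswordLength: fewer than %d characters" % policy["minPasswordLength"])
    if policy.get("useNumber") and not re.search(r"\d", password):
        problems.append("useNumber: no digit")
    if policy.get("useMixedCase") and not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("useMixedCase: needs both upper- and lower-case letters")
    if policy.get("useSymbol") and not re.search(r"[^A-Za-z0-9]", password):
        problems.append("useSymbol: no non-alphanumeric character")
    if policy.get("cannotUseUsername") and username and username.lower() in password.lower():
        problems.append("cannotUseUsername: contains the username")
    # blockCommonPasswords applies regardless of whether the other criteria pass.
    if policy.get("blockCommonPasswords") and password in common_passwords:
        problems.append("blockCommonPasswords: matches the weak-password dictionary")
    return problems


def is_acceptable(password, username, policy, common_passwords=COMMON_PASSWORDS):
    """True when no rule in the policy rejects the password."""
    return not password_violations(password, username, policy, common_passwords)


if __name__ == "__main__":
    # "12345678" satisfies every length/character rule but is still rejected by
    # blockCommonPasswords, which is the point of that property.
    for candidate in ["12345678", "short", "Tr0ub4dor"]:
        print(candidate, password_violations(candidate, "alice", POLICY))
```

Running the model with the settings from the example shows why blockCommonPasswords matters: "12345678" passes the eight-character minimum and the digit requirement yet is still refused because it is in the dictionary.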

In addition to the passwords listed in the dictionary, you can specify your own list of passwords to block using the updateRestrictedWords endpoint. For example:

POST /ccadmin/v1/merchant/profilePolicies/updateRestrictedWords  HTTP/1.1
Authorization: Bearer <access_token>

{
  "add": ["frog", "cow", "pig"]
}

The response includes an items array that lists your blocked entries:

{
  "links": [
    {
      "rel": "self",
      "href": "http://myserver.example.com:7002/ccadmin/v1/merchant/profilePolicies/updateRestrictedWords"
    }
  ],
  "items": [
    "frog",
    "cow",
    "pig"
  ]
}

You can also display your current list using the getRestrictedWords endpoint (GET /ccadmin/v1/merchant/profilePolicies/restrictedWords).

Note that your list of blocked passwords is not site-specific. The entries you specify apply to all sites running on your Commerce Cloud instance.

The updateRestrictedWords endpoint can also take a delete array for specifying entries to remove from your list. For example:

POST /ccadmin/v1/merchant/profilePolicies/updateRestrictedWords  HTTP/1.1
Authorization: Bearer <access_token>

{
  "delete": ["frog", "cow"]
}

Deleting entries affects only your own list of blocked passwords. You cannot modify the dictionary that Commerce Cloud uses. For example, if you add an entry to your list that matches a value already in the dictionary, and subsequently delete that entry from your list, it does not affect the entry for that value in the dictionary.
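The following Python helpers, added here as an example and not part of Oracle's documentation or SDK, assemble the three Admin API calls described above (savePolicies, updateRestrictedWords with add and delete arrays, and getRestrictedWords) and model how the merchant list and the built-in dictionary combine. The base_url and access_token values are placeholders supplied by the caller, the requests are built with the standard library but not sent, and the dictionary contents in the model are constructed; that a password matching an entry in either list is rejected, and that deleting a merchant entry never touches the dictionary, is taken from the text above.

```python
import json
import urllib.request

ADMIN_API = "/ccadmin/v1"


def build_admin_request(base_url, access_token, method, path, body=None):
    """Assemble an Admin API request without sending it.

    base_url and access_token are placeholders supplied by the caller; the
    paths and the Bearer Authorization header are the ones shown on the page.
    Sending is left to the caller, e.g. urllib.request.urlopen(req).
    """
    data = None if body is None else json.dumps(body).encode("utf-8")
    headers = {"Authorization": "Bearer " + access_token}
    if data is not None:
        headers["Content-Type"] = "application/json"
    return urllib.request.Request(base_url.rstrip("/") + ADMIN_API + path,
                                  data=data, headers=headers, method=method)


def save_policies_request(base_url, access_token, policy):
    """PUT /ccadmin/v1/merchant/profilePolicies with the policy dictionary as the body."""
    return build_admin_request(base_url, access_token, "PUT", "/merchant/profilePolicies", policy)


def update_restricted_words_request(base_url, access_token, add=(), delete=()):
    """POST .../updateRestrictedWords with an add and/or delete array."""
    body = {}
    if add:
        body["add"] = list(add)
    if delete:
        body["delete"] = list(delete)
    if not body:
        raise ValueError("updateRestrictedWords needs an add or delete array")
    return build_admin_request(base_url, access_token, "POST",
                               "/merchant/profilePolicies/updateRestrictedWords", body)


def get_restricted_words_request(base_url, access_token):
    """GET /ccadmin/v1/merchant/profilePolicies/restrictedWords (the getRestrictedWords endpoint)."""
    return build_admin_request(base_url, access_token, "GET", "/merchant/profilePolicies/restrictedWords")


class BlockedPasswordModel:
    """Local model of the two lists consulted when blockCommonPasswords is true.

    `dictionary` stands in for the built-in weak-password dictionary, which the
    API cannot change; `merchant_words` is the list managed through
    updateRestrictedWords. The dictionary contents here are constructed.
    """

    def __init__(self, dictionary):
        self.dictionary = frozenset(dictionary)
        self.merchant_words = set()

    def apply_update(self, add=(), delete=()):
        """Apply an add/delete body and return the merchant list, sorted here for
        determinism (the ordering of the real items array is not documented)."""
        self.merchant_words.update(add)
        self.merchant_words.difference_update(delete)
        return sorted(self.merchant_words)

    def is_blocked(self, password):
        """A password is rejected if it matches an entry in either list."""
        return password in self.dictionary or password in self.merchant_words


if __name__ == "__main__":
    model = BlockedPasswordModel({"password"})
    print(model.apply_update(add=["frog", "cow", "pig", "password"]))
    print(model.apply_update(delete=["frog", "cow", "password"]))
    # "password" was removed from the merchant list but is still in the dictionary.
    print(model.is_blocked("password"), model.is_blocked("frog"))
```

The model makes the caveat in the preceding paragraph concrete: after adding "password" to the merchant list and deleting it again, is_blocked("password") is still true because the dictionary entry was never affected, whereas "frog" is unblocked once it leaves the merchant list.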

Note that changing settings in the password policy does not invalidate existing passwords. The policy change is applied only when a shopper attempts to set a new password.


Copyright © 1997, 2017 Oracle and/or its affiliates. All rights reserved.