@1password/password-rules-parser

Password Rules Parser

Context Free Grammar and PEGs

A context-free grammar (CFG) is a set of "production rules" that describe all the possible strings that can be formed in a given formal language. Production rules are simple replacements, and they can produce more than one result.

A Parsing Expression Grammar (PEG) is a CFG that will choose the first match and therefore is not ambiguous. The nitty-gritty about PEGs can be read in this paper.

Note that a PEG is not a parser, but it can be converted into one.

How to get a parser from a PEG

The grammar itself is the set of substitution rules. Depending on the target language for the parser, it is possible to add functions in that language to clean up and improve the output. These functions should not alter what the grammar produces (don't add if statements!) just the way it presents the answer.

PEG.js is the best and most user friendly option. It outputs a JavaScript parser. To obtain a JavaScript parser, install and configure PEG.js in your computer, or generate it with the online tool by pasting the code here. The online tool makes it easy to test different inputs, but these inputs are not part of the generated or downloaded parser.

If you need a parser in Go instead of JS, the answer is Pigeon. There's no online version so it needs to be configured in your computer.

Apple's Password Rule Validation Tool

Apple has implemented a standard syntax for addressing password rules.

The grammar ParserNoCharacterClass defines a subset of the above specs, in PEG.js. It does not allow custom character classes (for now). It allows 0 or more spaces between the different parts of the rule so, minlength: 15;required: upper, lower; will output the same content result as minlength:15;required:upper, lower;. It does not allow line breaks.

And the custom character classes?

A grammar that parses the full specs will be added soon. Later on, a Go version for it.