Password configuration doesnt match

[marcuscfarias]

Hey, I am creating this issue because I notice that the .Matches() extension doesnt work properly. You can notice that I have 3 configs in my password and the display only shows the first one and duplicated.

internal sealed class CreateUserRequestValidator : AbstractValidator<CreateUserRequest>
{
    public CreateUserRequestValidator()
    {
        RuleFor(x => x.Email)
            .NotEmpty()
            .EmailAddress()
            .MaximumLength(UserConsts.EmailMaxLength);

        RuleFor(x => x.Password)
            .NotEmpty()
            .MinimumLength(UserConsts.PasswordMinLength)
            .MaximumLength(UserConsts.PasswordHashMaxLength)
            .Matches("[a-z]").WithMessage("'Password' must contain at least one lowercase letter.")
            .Matches("[A-Z]").WithMessage("'Password' must contain at least one uppercase letter.")
            .Matches("[0-9]").WithMessage("'Password' must contain at least one digit.");

        RuleFor(x => x.FirstName)
            .NotEmpty()
            .MaximumLength(UserConsts.FirstNameMaxLength);

        RuleFor(x => x.LastName)
            .NotEmpty()
            .MaximumLength(UserConsts.LastNameMaxLength);
    }
}

[avgalex]

Hi @marcuscfarias — thanks for the detailed report with a clear repro. This is a real bug, and it's now fixed.

Root cause

OpenAPI / JSON Schema allows only one pattern keyword per schema. When a property has several .Matches() rules, the library used to put each pattern into its own allOf subschema:

"password": {
  "type": "string",
  "minLength": 8,
  "maxLength": 256,
  "allOf": [
    { "pattern": "[a-z]" },
    { "pattern": "[A-Z]" },
    { "pattern": "[0-9]" }
  ]
}

This is technically valid JSON Schema, but renderers (Swagger UI, Redoc, Scalar) merge allOf into the parent property — and two pattern keywords can't be merged, so only the first one ([a-z]) survives and the property gets rendered twice. That's exactly what your screenshot shows.

Fix

Multiple .Matches() rules are now combined into a single valid pattern using lookahead assertions:

(?=[\s\S]*(?:[a-z]))(?=[\s\S]*(?:[A-Z]))(?=[\s\S]*(?:[0-9]))

This preserves FluentValidation's .Matches() semantics (Regex.IsMatch — "contains a match"), validates correctly with any JSON Schema validator, and renders correctly in all tools.

Try it

Available now in 7.1.5-beta.2 — it would be great if you could try it on your CreateUserRequestValidator and confirm.

Note — behavior change

The SchemaGenerationOptions.UseAllOfForMultipleRules option default changed true → false. Set it back to true if you specifically want the legacy allOf representation (semantically valid, but not displayed by renderers).

Details in #205.