Password validation when resetting password

Hello everyone. I have a couple of questions about auth and passwords.

1- Is there any way to use passwordValidation() on password reset to enforce some password validation rules when resetting a password?
It says the handler is called after the password is changed in the database : so it seems I can do client-side validation, then send the info to the server, but I can’t validate anything on the server before the password is saved in the database and then the handler is called?

Is that right? I’m basically looking for something like onSignUp.passwordValidation() to validate the password before saving it to the database, and sending back errors if some rules are not met.

  1. How would I go about doing something on login when an incorrect password (but a good email) is provided?
    I want to give 5 wrong attempts maximum to the user (good email with bad password) and after 5 attempts lock him out for 5 minutes.
    So when a user gives a good email but a wrong password, I would like to update a field in the database (numberOfFailedAttempts), and when the field gets to 5, update another field (lockedOutUntil) which is a Datetime.
    Then on login, I want to check that the user is not locked out, and if not locked out he can log in.

But it seems the handler() in loginOptions is called after finding the user (good email with good password). I guess I could use the user info in the handler to check if the user is locked out, but I would prefer checking on the server : first the email only, then checking the locking out, then if not locked out check the password (maybe it is not the best way?).
And there is a incorrectPassword error message, but how can I do something when this error is received? And even if I can send another mutation from the front-end, I would prefer to update the database on the server when the error is thrown (update database, then send incorrectPassword error with numberOfFailedAttempts info at the same time).

Is there any way to do this without needing to modify redwoodJs code?

For now the only thing I managed to do for all of this (both questions) is a client-side validation on password reset page

Thanks for your answers.