The reasonable thing to do is to prehash the user password on the client with a Unicode normalization and a SHA-512 pass.
This way you can have strong input validation server side but also allow almost arbitrary inputs client side.
PS: you likely could also salt the client-side hashing and use bcrypt, but bcrypt has a quite short maximum length and I am not sure if it would provide significantly better security here.
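The scheme described above, sketched in JavaScript as an added example that is not part of the original post: the client normalizes and hashes the password, and the server accepts only the fixed-size digest. The NFKC form, the lowercase hex encoding, and the names `prehashPassword` and `isValidPrehash` are assumptions; the post names no normalization form or encoding.

```javascript
// Added example (not from the original post).
// Web Crypto is globalThis.crypto in browsers and recent Node;
// the require() fallback only runs on older Node versions.
const subtle = (globalThis.crypto ?? require("node:crypto").webcrypto).subtle;

// Client side: accept almost any input, emit a fixed-size value.
// Assumption: NFKC, so visually identical passwords typed on different
// platforms (composed vs. decomposed accents) hash to the same digest.
async function prehashPassword(password) {
  const normalized = password.normalize("NFKC");
  const bytes = new TextEncoder().encode(normalized); // UTF-8
  const digest = await subtle.digest("SHA-512", bytes);
  return Array.from(new Uint8Array(digest), (b) =>
    b.toString(16).padStart(2, "0")
  ).join("");
}

// Server side: strict validation. The only acceptable "password" field is
// exactly 128 lowercase hex characters (a 64-byte SHA-512 digest).
const PREHASH_RE = /^[0-9a-f]{128}$/;
function isValidPrehash(value) {
  return typeof value === "string" && PREHASH_RE.test(value);
}

// The digest is now the effective password: the server still stores it
// with its normal salted password-hashing function, never as-is.

// Constructed sample inputs: the same word in composed and decomposed form.
async function demo() {
  const composed = await prehashPassword("caf\u00e9");
  const decomposed = await prehashPassword("cafe\u0301");
  return {
    sameDigest: composed === decomposed,
    digestAccepted: isValidPrehash(composed),
    rawPasswordAccepted: isValidPrehash("caf\u00e9"),
  };
}

demo().then((result) => console.log(result));
```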