The current code does not enforce any sort of sensible restrictions on username/password/email, etc, no does it provide hooks to allow you to. But it would be swell if it did!
That information would be passed in via the initPassword function:https://github.com/Happstack/happstack-authenticate/blob/master/Happstack/Authenticate/Password/Route.hs#L51
Right now there is a paramater, isAuthAdmin. I am thinking that would be replace with a record that includes isAuthAdmin, plus some functions that can place restrictions on the username and password?