
fix(auth): restrict max password length to 72 bytes

Bcrypt allows a maximum of 72 bytes. This is part of the algorithm and not something we could change in Vikunja. The solution here was to restrict the password during registration to a max length of 72 bytes. In the future, this should be changed to hash passwords with sha512 or similar before hashing them with bcrypt. Because they would also need to be salted in that case, and because of the added complexity during the migration phase, this has not been implemented yet.
The change in this commit only improves the error handling to return an input error instead of a server error when the user enters a password > 72 bytes.

Resolves https://vikunja.sentry.io/share/issue/e8e0b64612d84504942feee002ac498a/

(cherry picked from commit 44a43b9f8616f11560c9e04f88f3000a6df5338d)
This commit is contained in:
kolaente
2024-09-10 18:23:06 +02:00
parent 10edeafa46
commit ac87035742
4 changed files with 17 additions and 7 deletions

@ -7,7 +7,7 @@ export function validatePassword(password: string, validateMinLength: boolean =
return 'user.auth.passwordNotMin'
}
if (validateMinLength && password.length > 250) {
if (validateMinLength && password.length > 72) {
return 'user.auth.passwordNotMax'
}
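Review bot: the new condition `password.length > 72` counts UTF-16 code units, not bytes, so the check does not enforce the 72-byte bcrypt limit the commit message describes; a password containing multibyte characters can pass this check with fewer than 72 characters and still exceed 72 bytes, reproducing the server-side error this change is meant to turn into an input error. Suggest measuring the encoded length instead, e.g. `if (validateMinLength && new TextEncoder().encode(password).length > 72) {`. Separately, the max-length check is still gated on `validateMinLength`, so callers that disable the minimum-length check also skip the maximum; consider a separate flag or an unconditional upper bound, since the limit applies regardless of which validation mode the caller asked for.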

@ -61,7 +61,7 @@
"usernameMustNotLookLikeUrl": "The username must not look like a URL.",
"passwordRequired": "Please provide a password.",
"passwordNotMin": "Password must have at least 8 characters.",
"passwordNotMax": "Password must have at most 250 characters.",
"passwordNotMax": "Password must have at most 72 characters.",
"showPassword": "Show the password",
"hidePassword": "Hide the password",
"noAccountYet": "Don't have an account yet?",
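Review bot: the updated `passwordNotMax` string says "at most 72 characters", but the limit being enforced is 72 bytes (per the commit message), and the two differ for non-ASCII passwords; a user with a 60-character password built from multibyte characters would be told it exceeds 72 characters, which is confusing. Suggest wording the message in terms of bytes, or keeping "characters" only if the validator is changed to count characters consistently with what bcrypt accepts.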