vikunja/pkg/user/validator.go
kolaente 44a43b9f86
Some checks failed
continuous-integration/drone/push Build is failing
fix(auth): restrict max password length to 72 bytes
Bcrypt allows a maximum of 72 bytes. This is part of the algorithm and not something we could change in Vikunja. The solution here was to restrict the password during registration to a max length of 72 bytes. In the future, this should be changed to hash passwords with sha512 or similar before hashing them with bcrypt. Because they should also be salted in that case, and because of the added complexity during the migration phase, this was not implemented yet.
The change in this commit only improves the error handling to return an input error instead of a server error when the user enters a password > 72 bytes.

Resolves https://vikunja.sentry.io/share/issue/e8e0b64612d84504942feee002ac498a/
2024-09-10 18:23:06 +02:00


// Vikunja is a to-do list application to facilitate your life.
// Copyright 2018-present Vikunja and contributors. All rights reserved.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <https://www.gnu.org/licenses/>.

package user

import (
	"github.com/asaskevich/govalidator"
)

func init() {
	govalidator.TagMap["username"] = func(i string) bool {
		// To avoid making this overly complicated, we only check two things:
		// 1. No spaces
		// 2. Should not look like a URL
		if govalidator.IsURL(i) {
			return false
		}
		if govalidator.HasWhitespace(i) {
			return false
		}
		return true
	}

	govalidator.TagMap["bcrypt_password"] = func(str string) bool {
		// len on a string counts bytes, which is the unit bcrypt's limit uses.
		if len(str) < 8 {
			return false
		}
		// bcrypt accepts at most 72 bytes of input.
		return len(str) <= 72
	}
}
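
The 72-byte limit and the pre-hashing idea from the commit message, as an added example that is not part of Vikunja's code. The function names, the HMAC key and the sample passwords are assumptions made for illustration; HMAC-SHA-512 stands in for the "sha512 or similar" step with salting that the message mentions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha512"
	"encoding/base64"
	"fmt"
	"strings"
	"unicode/utf8"
)

// bcryptMaxBytes is bcrypt's input limit as stated in the commit message.
const bcryptMaxBytes = 72

// fitsBcrypt reports whether password can go to bcrypt directly.
// len on a Go string counts bytes, so multi-byte characters use up the
// budget faster than the visible character count suggests.
func fitsBcrypt(password string) bool {
	return len(password) >= 8 && len(password) <= bcryptMaxBytes
}

// prehash maps a password of any length to a 64-byte HMAC-SHA-512 tag.
// key is an assumption of this example: a secret or salt kept by the server.
func prehash(password string, key []byte) []byte {
	mac := hmac.New(sha512.New, key)
	mac.Write([]byte(password))
	return mac.Sum(nil)
}

// encodedLen returns the size of the tag after base64 encoding, which
// matters when the bcrypt input has to be printable text.
func encodedLen(tag []byte) int {
	return base64.StdEncoding.EncodedLen(len(tag))
}

func main() {
	key := []byte("constructed-demo-key") // constructed sample value
	long := strings.Repeat("ä", 40)       // constructed: 40 characters, 80 bytes
	fmt.Println(utf8.RuneCountInString(long), len(long), fitsBcrypt(long))

	// Two constructed passwords that differ only after byte 72.
	a := prehash(strings.Repeat("a", 72)+"x", key)
	b := prehash(strings.Repeat("a", 72)+"y", key)
	fmt.Println(len(a), hmac.Equal(a, b)) // tag size, tags equal?

	// The raw tag fits the limit; its base64 form does not.
	fmt.Println(len(a) <= bcryptMaxBytes, encodedLen(a) <= bcryptMaxBytes)
}
```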