diff --git a/test/api/v3/integration/user/auth/POST-register_local.test.js b/test/api/v3/integration/user/auth/POST-register_local.test.js
index b511ad0950..6e548051cd 100644
--- a/test/api/v3/integration/user/auth/POST-register_local.test.js
+++ b/test/api/v3/integration/user/auth/POST-register_local.test.js
@@ -344,6 +344,24 @@ describe('POST /user/auth/local/register', () => {
 });
 });
 
+ it('enforces maximum length for the password', async () => {
+ const username = generateRandomUserName();
+ const email = `${username}@example.com`;
+ const password = '12345678910111213141516171819202122232425262728293031323334353637383940';
+ const confirmPassword = '12345678910111213141516171819202122232425262728293031323334353637383940';
+
+ await expect(api.post('/user/auth/local/register', {
+ username,
+ email,
+ password,
+ confirmPassword,
+ })).to.eventually.be.rejected.and.eql({
+ code: 400,
+ error: 'BadRequest',
+ message: t('invalidReqParams'),
+ });
+ });
+
 it('requires a username', async () => {
 const email = `${generateRandomUserName()}@example.com`;
 const password = 'password';
diff --git a/website/common/locales/en/settings.json b/website/common/locales/en/settings.json
index 8375373718..5c459545de 100644
--- a/website/common/locales/en/settings.json
+++ b/website/common/locales/en/settings.json
@@ -178,6 +178,7 @@
 "usernameIssueForbidden": "Usernames may not contain restricted words.",
 "usernameIssueLength": "Usernames must be between 1 and 20 characters.",
 "usernameIssueInvalidCharacters": "Usernames can only contain letters a to z, numbers 0 to 9, hyphens, or underscores.",
+ "passwordIssueLength": "Passwords must be between 8 and 64 characters.",
 "currentUsername": "Current username:",
 "displaynameIssueLength": "Display Names must be between 1 and 30 characters.",
 "bannedWordUsedInProfile": "Your Display Name or About text contained inappropriate language.",
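Review bot: The new test only asserts the generic `t('invalidReqParams')` body, so it would pass just as well if the 71-character password were rejected by any other validator on the request; it does not show that the new max-length rule is what fired. If the 400 response exposes the per-field validation errors, assert that they contain `t('passwordIssueLength')` so the test is tied to this rule. The password literal is also disconnected from the limit under test; building it as `const password = 'a'.repeat(MAXIMUM_PASSWORD_LENGTH + 1);` (with the constant imported from common) keeps the test in step with the constant, and a companion case registering successfully with exactly `MAXIMUM_PASSWORD_LENGTH` characters would pin the boundary. The enclosing `describe` block starts and ends outside this hunk.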
diff --git a/website/common/script/constants.js b/website/common/script/constants.js
index 4e34c0ab0f..b3510378e0 100644
--- a/website/common/script/constants.js
+++ b/website/common/script/constants.js
@@ -30,6 +30,7 @@ export const GUILDS_PER_PAGE = 30; // number of guilds to return per page when u
 export const PARTY_LIMIT_MEMBERS = 29;
 export const MINIMUM_PASSWORD_LENGTH = 8;
+export const MAXIMUM_PASSWORD_LENGTH = 64;
 export const TRANSFORMATION_DEBUFFS_LIST = {
 snowball: 'salt',
diff --git a/website/common/script/index.js b/website/common/script/index.js
index 040065d0f4..3045e012ee 100644
--- a/website/common/script/index.js
+++ b/website/common/script/index.js
@@ -17,6 +17,7 @@ import {
 MIN_SHORTNAME_SIZE_FOR_CHALLENGES,
 PARTY_LIMIT_MEMBERS,
 MINIMUM_PASSWORD_LENGTH,
+ MAXIMUM_PASSWORD_LENGTH,
 SUPPORTED_SOCIAL_NETWORKS,
 TAVERN_ID,
 MAX_MESSAGE_LENGTH,
@@ -119,6 +120,7 @@ api.constants = {
 CHAT_FLAG_FROM_MOD,
 CHAT_FLAG_FROM_SHADOW_MUTE,
 MINIMUM_PASSWORD_LENGTH,
+ MAXIMUM_PASSWORD_LENGTH,
 MAX_MESSAGE_LENGTH,
 MAX_GIFT_MESSAGE_LENGTH,
 MAX_LEVEL_HARD_CAP,
diff --git a/website/server/libs/auth/index.js b/website/server/libs/auth/index.js
index bd5248c3f7..d816d4bfa5 100644
--- a/website/server/libs/auth/index.js
+++ b/website/server/libs/auth/index.js
@@ -100,8 +100,11 @@ async function registerLocal (req, res, { isV3 = false }) {
 errorMessage: res.t('missingPassword'),
 equals: { options: [req.body.confirmPassword], errorMessage: res.t('passwordConfirmationMatch') },
 isLength: {
- options: { min: common.constants.MINIMUM_PASSWORD_LENGTH },
- errorMessage: res.t('minPasswordLength'),
+ options: {
+ min: common.constants.MINIMUM_PASSWORD_LENGTH,
+ max: common.constants.MAXIMUM_PASSWORD_LENGTH,
+ },
+ errorMessage: res.t('passwordIssueLength'),
 },
 },
 });
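Review bot: The new `passwordIssueLength` message hardcodes "8 and 64" while the `isLength` options directly above it read `MINIMUM_PASSWORD_LENGTH` and `MAXIMUM_PASSWORD_LENGTH`, so the text shown to the user and the bounds actually enforced will drift the next time either constant changes; if `res.t` supports interpolation, pass the bounds in, e.g. `errorMessage: res.t('passwordIssueLength', { min: common.constants.MINIMUM_PASSWORD_LENGTH, max: common.constants.MAXIMUM_PASSWORD_LENGTH })`, with matching placeholders in the locale string. The maximum is added only to `registerLocal`; if other handlers that accept a new password (password update or reset) run their own `isLength` check, they keep accepting arbitrarily long passwords and the cap is enforced inconsistently, so the same `max` should be applied there. The retired key `minPasswordLength` may still be referenced by those paths, so check before removing it from the locales. `registerLocal` begins and ends outside this hunk.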