Enforce maximum password length (#14290)

* fix(auth): enforce maximum password length * fix(auth): line length and better error message * fix(auth): correctly import/export constant Co-authored-by: SabreCat <sabe@habitica.com>
2025-12-17 14:47:53 +01:00 · 2022-11-18 16:49:10 -06:00
parent 6b27e18699
commit 82c5e40b92
5 changed files with 27 additions and 2 deletions
--- a/test/api/v3/integration/user/auth/POST-register_local.test.js
+++ b/test/api/v3/integration/user/auth/POST-register_local.test.js
@@ -344,6 +344,24 @@ describe('POST /user/auth/local/register', () => {
      });
    });

+    it('enforces maximum length for the password', async () => {
+      const username = generateRandomUserName();
+      const email = `${username}@example.com`;
+      const password = '12345678910111213141516171819202122232425262728293031323334353637383940';
+      const confirmPassword = '12345678910111213141516171819202122232425262728293031323334353637383940';
+
+      await expect(api.post('/user/auth/local/register', {
+        username,
+        email,
+        password,
+        confirmPassword,
+      })).to.eventually.be.rejected.and.eql({
+        code: 400,
+        error: 'BadRequest',
+        message: t('invalidReqParams'),
+      });
+    });
+
    it('requires a username', async () => {
      const email = `${generateRandomUserName()}@example.com`;
      const password = 'password';
--- a/website/common/locales/en/settings.json
+++ b/website/common/locales/en/settings.json
@@ -178,6 +178,7 @@
    "usernameIssueForbidden": "Usernames may not contain restricted words.",
    "usernameIssueLength": "Usernames must be between 1 and 20 characters.",
    "usernameIssueInvalidCharacters": "Usernames can only contain letters a to z, numbers 0 to 9, hyphens, or underscores.",
+    "passwordIssueLength": "Passwords must be between 8 and 64 characters.",
    "currentUsername": "Current username:",
    "displaynameIssueLength": "Display Names must be between 1 and 30 characters.",
    "bannedWordUsedInProfile": "Your Display Name or About text contained inappropriate language.",
--- a/website/common/script/constants.js
+++ b/website/common/script/constants.js
@@ -30,6 +30,7 @@ export const GUILDS_PER_PAGE = 30; // number of guilds to return per page when u
 export const PARTY_LIMIT_MEMBERS = 29;

 export const MINIMUM_PASSWORD_LENGTH = 8;
+export const MAXIMUM_PASSWORD_LENGTH = 64;

 export const TRANSFORMATION_DEBUFFS_LIST = {
  snowball: 'salt',
--- a/website/common/script/index.js
+++ b/website/common/script/index.js
@@ -17,6 +17,7 @@ import {
  MIN_SHORTNAME_SIZE_FOR_CHALLENGES,
  PARTY_LIMIT_MEMBERS,
  MINIMUM_PASSWORD_LENGTH,
+  MAXIMUM_PASSWORD_LENGTH,
  SUPPORTED_SOCIAL_NETWORKS,
  TAVERN_ID,
  MAX_MESSAGE_LENGTH,
@@ -119,6 +120,7 @@ api.constants = {
  CHAT_FLAG_FROM_MOD,
  CHAT_FLAG_FROM_SHADOW_MUTE,
  MINIMUM_PASSWORD_LENGTH,
+  MAXIMUM_PASSWORD_LENGTH,
  MAX_MESSAGE_LENGTH,
  MAX_GIFT_MESSAGE_LENGTH,
  MAX_LEVEL_HARD_CAP,
--- a/website/server/libs/auth/index.js
+++ b/website/server/libs/auth/index.js
@@ -100,8 +100,11 @@ async function registerLocal (req, res, { isV3 = false }) {
      errorMessage: res.t('missingPassword'),
      equals: { options: [req.body.confirmPassword], errorMessage: res.t('passwordConfirmationMatch') },
      isLength: {
-        options: { min: common.constants.MINIMUM_PASSWORD_LENGTH },
-        errorMessage: res.t('minPasswordLength'),
+        options: {
+          min: common.constants.MINIMUM_PASSWORD_LENGTH,
+          max: common.constants.MAXIMUM_PASSWORD_LENGTH,
+        },
+        errorMessage: res.t('passwordIssueLength'),
      },
    },
  });