From df25e0574d9f452a33e9ba9cdd1da17b33fe0ecc Mon Sep 17 00:00:00 2001
From: SabreCat
Date: Mon, 5 Dec 2022 16:36:42 -0600
Subject: [PATCH] fix(auth): enforce max pass length at update
---
 .../user/auth/PUT-user_update_password.test.js | 14 ++++++++++++++
 website/server/controllers/api-v3/auth.js | 7 +++++--
 2 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/test/api/v3/integration/user/auth/PUT-user_update_password.test.js b/test/api/v3/integration/user/auth/PUT-user_update_password.test.js
index 94fbd4f3e2..4ccfef0c5a 100644
--- a/test/api/v3/integration/user/auth/PUT-user_update_password.test.js
+++ b/test/api/v3/integration/user/auth/PUT-user_update_password.test.js
@@ -96,6 +96,20 @@ describe('PUT /user/auth/update-password', async () => {
 });
 });
+ it('returns an error when newPassword is too long', async () => {
+ const body = {
+ password,
+ newPassword: '12345678910111213141516171819202122232425262728293031323334353637383940',
+ confirmPassword: '12345678910111213141516171819202122232425262728293031323334353637383940',
+ };
+
+ await expect(user.put(ENDPOINT, body)).to.eventually.be.rejected.and.eql({
+ code: 400,
+ error: 'BadRequest',
+ message: t('invalidReqParams'),
+ });
+ });
+
 it('returns an error when confirmPassword is missing', async () => {
 const body = {
 password,
diff --git a/website/server/controllers/api-v3/auth.js b/website/server/controllers/api-v3/auth.js
index 7092066446..31cf12408e 100644
--- a/website/server/controllers/api-v3/auth.js
+++ b/website/server/controllers/api-v3/auth.js
@@ -289,8 +289,11 @@ api.updatePassword = {
 newPassword: {
 notEmpty: { errorMessage: res.t('missingNewPassword') },
 isLength: {
- options: { min: common.constants.MINIMUM_PASSWORD_LENGTH },
- errorMessage: res.t('minPasswordLength'),
+ options: {
+ min: common.constants.MINIMUM_PASSWORD_LENGTH,
+ max: common.constants.MAXIMUM_PASSWORD_LENGTH,
+ },
+ errorMessage: res.t('passwordIssueLength'),
 },
 },
 confirmPassword: {
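Review bot: The over-length fixture on the added `newPassword:` and `confirmPassword:` lines is a hard-coded 71-character literal, so the test silently stops exercising the boundary if `MAXIMUM_PASSWORD_LENGTH` is ever raised, and nothing in the test documents which limit it is probing. If the test module can reach the shared constants, deriving the value keeps it tied to the rule, e.g. `const tooLong = 'a'.repeat(common.constants.MAXIMUM_PASSWORD_LENGTH + 1);` used for both fields; a companion case at exactly the maximum that is accepted would pin the boundary from the other side. Whether `common` is imported in this test file is not visible in the hunk, and the enclosing `describe` block starts and ends outside it.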
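Review bot: The new `max:` entry in the `isLength` options is a character-count check, whereas any limit on the hashing side (if that is what the maximum is meant to protect) is measured in bytes, so a password built from multi-byte characters can pass this validator and still exceed the byte limit. If the constant exists to bound hash input, a follow-up should measure `Buffer.byteLength(newPassword, 'utf8')` instead, or a comment next to `MAXIMUM_PASSWORD_LENGTH` should state which unit it is expressed in. Switching the message key to `res.t('passwordIssueLength')` on the last `+` line is reasonable now that one message covers both bounds; confirm the new key is present in every locale bundle so the response does not fall back to a raw key. The enclosing `api.updatePassword` definition starts and ends outside the hunk.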