fix(auth): enforce max pass length at update

2025-12-16 22:27:26 +01:00 · 2022-12-05 16:36:42 -06:00
parent 4fe8b63748
commit df25e0574d
2 changed files with 19 additions and 2 deletions
--- a/test/api/v3/integration/user/auth/PUT-user_update_password.test.js
+++ b/test/api/v3/integration/user/auth/PUT-user_update_password.test.js
@@ -96,6 +96,20 @@ describe('PUT /user/auth/update-password', async () => {
    });
  });

+  it('returns an error when newPassword is too long', async () => {
+    const body = {
+      password,
+      newPassword: '12345678910111213141516171819202122232425262728293031323334353637383940',
+      confirmPassword: '12345678910111213141516171819202122232425262728293031323334353637383940',
+    };
+
+    await expect(user.put(ENDPOINT, body)).to.eventually.be.rejected.and.eql({
+      code: 400,
+      error: 'BadRequest',
+      message: t('invalidReqParams'),
+    });
+  });
+
  it('returns an error when confirmPassword is missing', async () => {
    const body = {
      password,
--- a/website/server/controllers/api-v3/auth.js
+++ b/website/server/controllers/api-v3/auth.js
@@ -289,8 +289,11 @@ api.updatePassword = {
      newPassword: {
        notEmpty: { errorMessage: res.t('missingNewPassword') },
        isLength: {
-          options: { min: common.constants.MINIMUM_PASSWORD_LENGTH },
-          errorMessage: res.t('minPasswordLength'),
+          options: {
+            min: common.constants.MINIMUM_PASSWORD_LENGTH,
+            max: common.constants.MAXIMUM_PASSWORD_LENGTH,
+          },
+          errorMessage: res.t('passwordIssueLength'),
        },
      },
      confirmPassword: {