Commit 9a84289a authored by ale's avatar ale

Enforce max password length

parent bdfa295b
......@@ -197,7 +197,7 @@ func TestService_ChangePassword(t *testing.T) {
},
CurPassword: "cur",
},
Password: "password",
Password: "a very good secret password",
}
err := svc.ChangeUserPassword(context.TODO(), tx, req)
if err != nil {
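Review bot: No case in this hunk exercises the new limit: it only swaps the fixture password on the success path, so a regression that drops the maximum-length check would go unnoticed. Add a request whose password exceeds the configured 128, for example `Password: strings.Repeat("a", 129),`, and assert that ChangeUserPassword returns an error. TestService_ChangePassword starts and ends outside this hunk, so such a case may already exist elsewhere in the file.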
......
......@@ -30,6 +30,9 @@ func (c *Config) domainBackend() domainBackend {
func (c *Config) validationConfig() *validationConfig {
return &validationConfig{
forbiddenUsernames: newStringSetFromList(c.ForbiddenUsernames),
forbiddenPasswords: newStringSetFromList([]string{"123456", "password", "password1"}),
minPasswordLength: 6,
maxPasswordLength: 128,
}
}
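Review bot: The limits in validationConfig() are bare literals with no comment explaining why 6 and 128 were chosen, and a minimum of 6 is below the 8 characters NIST SP 800-63B asks for user-chosen passwords. Consider `minPasswordLength: 8,` or, if 6 must stay for existing accounts, a comment saying so. A comment on the upper bound would also help, for example `// Upper bound on password input accepted for validation.`. The three-entry forbiddenPasswords list only blocks the most obvious values; whether a larger list is loaded elsewhere is not visible on this page.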
......
......@@ -22,6 +22,7 @@ type validationConfig struct {
forbiddenUsernames stringSet
forbiddenPasswords stringSet
minPasswordLength int
maxPasswordLength int
}
// A stringSet is just a list of strings with a quick membership test.
......@@ -263,7 +264,7 @@ func isAvailableEmailAddr(be domainBackend, cb Backend) ValidatorFunc {
func validHostedEmail(config *validationConfig, be domainBackend, cb Backend) ValidatorFunc {
return allOf(
validateUsernameAndDomain(
allOf(matchUsernameRx(), minLength(4), notInSet(config.forbiddenUsernames)),
allOf(matchUsernameRx(), minLength(4), maxLength(64), notInSet(config.forbiddenUsernames)),
allOf(isAvailableEmailHostingDomain(be)),
),
isAvailableEmailAddr(be, cb),
......@@ -273,7 +274,7 @@ func validHostedEmail(config *validationConfig, be domainBackend, cb Backend) Va
func validHostedMailingList(config *validationConfig, be domainBackend, cb Backend) ValidatorFunc {
return allOf(
validateUsernameAndDomain(
allOf(matchUsernameRx(), minLength(4), notInSet(config.forbiddenUsernames)),
allOf(matchUsernameRx(), minLength(4), maxLength(64), notInSet(config.forbiddenUsernames)),
allOf(isAvailableMailingListDomain(be)),
),
isAvailableEmailAddr(be, cb),
......@@ -283,6 +284,7 @@ func validHostedMailingList(config *validationConfig, be domainBackend, cb Backe
func validPassword(config *validationConfig) ValidatorFunc {
return allOf(
minLength(config.minPasswordLength),
maxLength(config.maxPasswordLength),
notInSet(config.forbiddenPasswords),
)
}
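Review bot: In validPassword, `maxLength(config.maxPasswordLength)` reads a field whose zero value is 0, so a validationConfig built without it (a test fixture or another constructor not shown here) would presumably reject every password. maxLength's body is not on this page, so confirm how it treats a limit of 0. A field comment should also say whether the limit counts bytes or characters, since the two differ for non-ASCII passwords, for example `// maxPasswordLength is the largest accepted password, in bytes; must be > 0.`. The `maxLength(64)` literal added to both validHostedEmail and validHostedMailingList would read better as one named constant with a note on where 64 comes from.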
......