From 9a84289acb04d9e615a171728f556fd6bf090314 Mon Sep 17 00:00:00 2001
From: ale
Date: Thu, 21 Jun 2018 09:26:31 +0100
Subject: [PATCH] Enforce max password length

---
 actions_test.go | 2 +-
 config.go | 3 +++
 validators.go | 6 ++++--
 3 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/actions_test.go b/actions_test.go
index 0a9f7cf..af34bfb 100644
--- a/actions_test.go
+++ b/actions_test.go
@@ -197,7 +197,7 @@ func TestService_ChangePassword(t *testing.T) {
 },
 CurPassword: "cur",
 },
- Password: "password",
+ Password: "a very good secret password",
 }
 err := svc.ChangeUserPassword(context.TODO(), tx, req)
 if err != nil {
diff --git a/config.go b/config.go
index 42d95f3..c2fa3db 100644
--- a/config.go
+++ b/config.go
@@ -30,6 +30,9 @@ func (c *Config) domainBackend() domainBackend {
 func (c *Config) validationConfig() *validationConfig {
 return &validationConfig{
 forbiddenUsernames: newStringSetFromList(c.ForbiddenUsernames),
+ forbiddenPasswords: newStringSetFromList([]string{"123456", "password", "password1"}),
+ minPasswordLength: 6,
+ maxPasswordLength: 128,
 }
 }
diff --git a/validators.go b/validators.go
index 43450ae..51272fd 100644
--- a/validators.go
+++ b/validators.go
@@ -22,6 +22,7 @@ type validationConfig struct {
 forbiddenUsernames stringSet
 forbiddenPasswords stringSet
 minPasswordLength int
+ maxPasswordLength int
 }
 // A stringSet is just a list of strings with a quick membership test.
@@ -263,7 +264,7 @@ func isAvailableEmailAddr(be domainBackend, cb Backend) ValidatorFunc {
 func validHostedEmail(config *validationConfig, be domainBackend, cb Backend) ValidatorFunc {
 return allOf(
 validateUsernameAndDomain(
- allOf(matchUsernameRx(), minLength(4), notInSet(config.forbiddenUsernames)),
+ allOf(matchUsernameRx(), minLength(4), maxLength(64), notInSet(config.forbiddenUsernames)),
 allOf(isAvailableEmailHostingDomain(be)),
 ),
 isAvailableEmailAddr(be, cb),
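Review bot: The password policy added to validationConfig() is hard-coded (minimum 6, maximum 128, a three-entry denylist) while forbiddenUsernames on the line above is read from c.ForbiddenUsernames, so an operator cannot tune the lengths or extend the denylist without a rebuild. Consider lifting these into Config fields (for example `MinPasswordLength`, `MaxPasswordLength`, `ForbiddenPasswords`) and keeping the current literals as the defaults applied when a field is zero or empty. A minimum of 6 is also below the 8 characters commonly recommended for user-chosen passwords; whether that is acceptable depends on what these accounts protect, which the hunk does not show.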
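Review bot: The username cap `maxLength(64)` is a bare literal in validHostedEmail here and is repeated verbatim in validHostedMailingList in the next hunk; a single named constant, e.g. `const maxUsernameLength = 64 // RFC 5321 local-part limit`, would tie the two together and record why 64 was chosen. It is not visible in this patch whether maxLength counts bytes or runes; if it counts runes, a 64-rune username can still exceed a 64-octet local-part, so the constant's comment should state the unit it is enforced in. validHostedEmail's body continues past the end of the hunk.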
@@ -273,7 +274,7 @@ func validHostedEmail(config *validationConfig, be domainBackend, cb Backend) Va
 func validHostedMailingList(config *validationConfig, be domainBackend, cb Backend) ValidatorFunc {
 return allOf(
 validateUsernameAndDomain(
- allOf(matchUsernameRx(), minLength(4), notInSet(config.forbiddenUsernames)),
+ allOf(matchUsernameRx(), minLength(4), maxLength(64), notInSet(config.forbiddenUsernames)),
 allOf(isAvailableMailingListDomain(be)),
 ),
 isAvailableEmailAddr(be, cb),
@@ -283,6 +284,7 @@ func validHostedMailingList(config *validationConfig, be domainBackend, cb Backe
 func validPassword(config *validationConfig) ValidatorFunc {
 return allOf(
 minLength(config.minPasswordLength),
+ maxLength(config.maxPasswordLength),
 notInSet(config.forbiddenPasswords),
 )
 }
-- 
GitLab
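Review bot: `maxLength(config.maxPasswordLength)` in validPassword makes the new field load-bearing: a validationConfig built anywhere without setting it (a struct literal elsewhere in the package, or in a test) carries the zero value, and if maxLength rejects inputs longer than its argument, as its name suggests, that configuration rejects every password. Either guard the validator, `if config.maxPasswordLength > 0 { ... }` before adding it to the allOf list, or document on the maxPasswordLength field that 0 is not a valid setting. It would also help to state, on the field or in validPassword, whether the limit is counted in bytes or runes, and that it is intended to sit at or below any truncation the password hasher applies — the hasher is not visible here, so this may already hold.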