Commit 9a84289a authored by ale's avatar ale

Enforce max password length

parent bdfa295b
...@@ -197,7 +197,7 @@ func TestService_ChangePassword(t *testing.T) { ...@@ -197,7 +197,7 @@ func TestService_ChangePassword(t *testing.T) {
}, },
CurPassword: "cur", CurPassword: "cur",
}, },
Password: "password", Password: "a very good secret password",
} }
err := svc.ChangeUserPassword(context.TODO(), tx, req) err := svc.ChangeUserPassword(context.TODO(), tx, req)
if err != nil { if err != nil {
......
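Review bot: Nothing in the visible diff exercises the new maximum-length check — the fixture change to "a very good secret password" only moves the test password out of the forbidden set and inside the 6–128 range. A second ChangeUserPassword case with a 129-character password (e.g. `strings.Repeat("a", 129)`) expecting an error, and a 128-character one expecting success, would pin both the limit and its boundary. TestService_ChangePassword starts and ends outside this hunk.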
...@@ -30,6 +30,9 @@ func (c *Config) domainBackend() domainBackend { ...@@ -30,6 +30,9 @@ func (c *Config) domainBackend() domainBackend {
func (c *Config) validationConfig() *validationConfig { func (c *Config) validationConfig() *validationConfig {
return &validationConfig{ return &validationConfig{
forbiddenUsernames: newStringSetFromList(c.ForbiddenUsernames), forbiddenUsernames: newStringSetFromList(c.ForbiddenUsernames),
forbiddenPasswords: newStringSetFromList([]string{"123456", "password", "password1"}),
minPasswordLength: 6,
maxPasswordLength: 128,
} }
} }
......
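Review bot: The bounds `minPasswordLength: 6` and `maxPasswordLength: 128` are literals in validationConfig() with nothing saying where 128 comes from, while forbiddenUsernames is taken from the Config struct. A short comment would help the next reader, e.g. `// maxPasswordLength bounds what is handed to the password hasher; keep it at or below the hasher's own input limit.` If the stored hash is bcrypt (the hashing code is not visible here), its input is capped at 72 bytes and longer input is silently ignored, so the effective limit may be lower than 128 — worth confirming against the hasher and documenting. Exposing both bounds on Config the way ForbiddenUsernames already is would avoid a code change when the policy moves.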
...@@ -22,6 +22,7 @@ type validationConfig struct { ...@@ -22,6 +22,7 @@ type validationConfig struct {
forbiddenUsernames stringSet forbiddenUsernames stringSet
forbiddenPasswords stringSet forbiddenPasswords stringSet
minPasswordLength int minPasswordLength int
maxPasswordLength int
} }
// A stringSet is just a list of strings with a quick membership test. // A stringSet is just a list of strings with a quick membership test.
...@@ -263,7 +264,7 @@ func isAvailableEmailAddr(be domainBackend, cb Backend) ValidatorFunc { ...@@ -263,7 +264,7 @@ func isAvailableEmailAddr(be domainBackend, cb Backend) ValidatorFunc {
func validHostedEmail(config *validationConfig, be domainBackend, cb Backend) ValidatorFunc { func validHostedEmail(config *validationConfig, be domainBackend, cb Backend) ValidatorFunc {
return allOf( return allOf(
validateUsernameAndDomain( validateUsernameAndDomain(
allOf(matchUsernameRx(), minLength(4), notInSet(config.forbiddenUsernames)), allOf(matchUsernameRx(), minLength(4), maxLength(64), notInSet(config.forbiddenUsernames)),
allOf(isAvailableEmailHostingDomain(be)), allOf(isAvailableEmailHostingDomain(be)),
), ),
isAvailableEmailAddr(be, cb), isAvailableEmailAddr(be, cb),
...@@ -273,7 +274,7 @@ func validHostedEmail(config *validationConfig, be domainBackend, cb Backend) Va ...@@ -273,7 +274,7 @@ func validHostedEmail(config *validationConfig, be domainBackend, cb Backend) Va
func validHostedMailingList(config *validationConfig, be domainBackend, cb Backend) ValidatorFunc { func validHostedMailingList(config *validationConfig, be domainBackend, cb Backend) ValidatorFunc {
return allOf( return allOf(
validateUsernameAndDomain( validateUsernameAndDomain(
allOf(matchUsernameRx(), minLength(4), notInSet(config.forbiddenUsernames)), allOf(matchUsernameRx(), minLength(4), maxLength(64), notInSet(config.forbiddenUsernames)),
allOf(isAvailableMailingListDomain(be)), allOf(isAvailableMailingListDomain(be)),
), ),
isAvailableEmailAddr(be, cb), isAvailableEmailAddr(be, cb),
...@@ -283,6 +284,7 @@ func validHostedMailingList(config *validationConfig, be domainBackend, cb Backe ...@@ -283,6 +284,7 @@ func validHostedMailingList(config *validationConfig, be domainBackend, cb Backe
func validPassword(config *validationConfig) ValidatorFunc { func validPassword(config *validationConfig) ValidatorFunc {
return allOf( return allOf(
minLength(config.minPasswordLength), minLength(config.minPasswordLength),
maxLength(config.maxPasswordLength),
notInSet(config.forbiddenPasswords), notInSet(config.forbiddenPasswords),
) )
} }
......
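Review bot: The username cap in validHostedEmail and validHostedMailingList is the literal `maxLength(64)`, while the password bounds now come from validationConfig, so the two limits live in different places; a `maxUsernameLength int` field beside `maxPasswordLength` and `maxLength(config.maxUsernameLength)` in both hunks would keep them together. The new `maxPasswordLength int` field in the struct hunk has no comment; suggest `// maxPasswordLength is the upper bound validPassword enforces on a new password.` It is not visible here whether minLength/maxLength count bytes or runes — if they use len(), the limit is in bytes, which matters for passwords and usernames containing multibyte characters; confirm and state it in the field comment. The bodies of validHostedEmail and validHostedMailingList continue outside their hunks.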