Enforce max password length

9a84289a · ale · bdfa295b · 9a84289a · 9a84289a · 9a84289a
Commit 9a84289a authored Jun 21, 2018 by ale
Hide whitespace changes
Inline Side-by-side

Showing with 8 additions and 3 deletions

actions_test.go actions_test.go +1 -1

config.go config.go +3 -0

validators.go validators.go +4 -2

No files found.
--- a/actions_test.go
+++ b/actions_test.go
@@ -197,7 +197,7 @@ func TestService_ChangePassword(t *testing.T) {
 			},
 			CurPassword: "cur",
 		},
-		Password: "password",
+		Password: "a very good secret password",
 	}
 	err := svc.ChangeUserPassword(context.TODO(), tx, req)
 	if err != nil {

--- a/config.go
+++ b/config.go
@@ -30,6 +30,9 @@ func (c *Config) domainBackend() domainBackend {
 func (c *Config) validationConfig() *validationConfig {
 	return &validationConfig{
 		forbiddenUsernames: newStringSetFromList(c.ForbiddenUsernames),
+		forbiddenPasswords: newStringSetFromList([]string{"123456", "password", "password1"}),
+		minPasswordLength:  6,
+		maxPasswordLength:  128,
 	}
 }

--- a/validators.go
+++ b/validators.go
@@ -22,6 +22,7 @@ type validationConfig struct {
 	forbiddenUsernames stringSet
 	forbiddenPasswords stringSet
 	minPasswordLength  int
+	maxPasswordLength  int
 }
 // A stringSet is just a list of strings with a quick membership test.
@@ -263,7 +264,7 @@ func isAvailableEmailAddr(be domainBackend, cb Backend) ValidatorFunc {
 func validHostedEmail(config *validationConfig, be domainBackend, cb Backend) ValidatorFunc {
 	return allOf(
 		validateUsernameAndDomain(
-			allOf(matchUsernameRx(), minLength(4), notInSet(config.forbiddenUsernames)),
+			allOf(matchUsernameRx(), minLength(4), maxLength(64), notInSet(config.forbiddenUsernames)),
 			allOf(isAvailableEmailHostingDomain(be)),
 		),
 		isAvailableEmailAddr(be, cb),
@@ -273,7 +274,7 @@ func validHostedEmail(config *validationConfig, be domainBackend, cb Backend) Va
 func validHostedMailingList(config *validationConfig, be domainBackend, cb Backend) ValidatorFunc {
 	return allOf(
 		validateUsernameAndDomain(
-			allOf(matchUsernameRx(), minLength(4), notInSet(config.forbiddenUsernames)),
+			allOf(matchUsernameRx(), minLength(4), maxLength(64), notInSet(config.forbiddenUsernames)),
 			allOf(isAvailableMailingListDomain(be)),
 		),
 		isAvailableEmailAddr(be, cb),
@@ -283,6 +284,7 @@ func validHostedMailingList(config *validationConfig, be domainBackend, cb Backe
 func validPassword(config *validationConfig) ValidatorFunc {
 	return allOf(
 		minLength(config.minPasswordLength),
+		maxLength(config.maxPasswordLength),
 		notInSet(config.forbiddenPasswords),
 	)
 }