api/sessions: document bcrypt implementation curiosity (#1408)

Closes #1409
getodk · Feb 19, 2025 · c56a5d7 · c56a5d7
1 parent e7ec970
commit c56a5d7
Showing 1 changed file with 20 additions and 0 deletions.
diff --git a/test/integration/api/sessions.js b/test/integration/api/sessions.js
@@ -14,6 +14,26 @@ describe('api: /sessions', () => {
           body.should.be.a.Session();
         })));
 
+    // These demonstrate a strange feature of bcrypt - a valid password can be
+    // repeated multiple times and still validate successfully.  An alternative
+    // to these tests would be to check for NUL characters in supplied passwords
+    // and reject them before passing the values to bcrypt.
+    describe('weird bcrypt implementation details', () => {
+      [
+        [ 'repeated once',             'chelsea\0chelsea' ],          // eslint-disable-line no-multi-spaces
+        [ 'repeated twice',            'chelsea\0chelsea\0chelsea' ], // eslint-disable-line no-multi-spaces
+        [ 'repeated until truncation', 'chelsea\0chelsea\0chelsea\0chelsea\0chelsea\0chelsea\0chelsea\0chelsea\0chelsea\0' ],
+      ].forEach(([ description, password ]) => {
+        it(`should treat a password ${description} as the singular version of the same`, testService((service) =>
+          service.post('/v1/sessions')
+            .send({ email: 'chelsea@getodk.org', password })
+            .expect(200)
+            .then(({ body }) => {
+              body.should.be.a.Session();
+            })));
+      });
+    });
+
     it('should treat email addresses case insensitively', testService((service) =>
       service.post('/v1/sessions')
         .send({ email: 'cHeLsEa@getodk.OrG', password: 'chelsea' })