Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

bcrypt: reject passwords > 72 bytes #1389

Merged
merged 3 commits into from
Feb 12, 2025
Merged

bcrypt: reject passwords > 72 bytes #1389

merged 3 commits into from
Feb 12, 2025

Conversation

alxndrsn
Copy link
Contributor

@alxndrsn alxndrsn commented Feb 7, 2025
edited
Loading

What has been done to verify that this works as intended?

Manual testing - there are no existing tests for short passwords.

Why is this the best possible solution? Were any other approaches considered?

I think a better approach would be to move max-length validation into lib/util/crypto.js.

How does this change affect users? Describe intentional changes to behavior and behavior that could have accidentally been affected by code changes. In other words, what are the regression risks?

Should not affect existing users with very long passwords, but will prevent new passwords being saved with >72 bytes.

Does this change require updates to the API documentation? If so, please update docs/api.yaml as part of this PR.

No - the docs do not currently mention any restrictions on password length.

Before submitting this PR, please make sure you have:

  • run make test and confirmed all checks still pass OR confirm CircleCI build passes
  • verified that any code from external sources are properly credited in comments or that everything is internally sourced

@alxndrsn alxndrsn requested a review from lognaturel February 7, 2025 07:04
lognaturel
lognaturel reviewed Feb 10, 2025
View reviewed changes
lib/util/problem.js
@@ -140,6 +140,8 @@ const problems = {

encodingNotSupported: problem(400.37, () => 'Encoding not supported.'),

passwordTooLong: problem(400.38, () => 'The password or passphrase provided exceeds the maximum length.'),
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are you thinking this is likely rare enough that we just leave a raw backend message (vs. introducing localizable frontend error messages)?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What's the distinction? Should there be an accompanying PR for odk-central-frontend?

lognaturel
lognaturel approved these changes Feb 10, 2025
View reviewed changes
Copy link
Member

@lognaturel lognaturel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think a better approach would be to move max-length validation into lib/util/crypto.js.

But you're keeping it there for now because the short length validation is already there, right?

This looks good to me provided there are no surprises in the answers to the clarifying questions I've asked.

@ktuite @sadiqkhoja FYI in case you want to take another quick look.

@sadiqkhoja
Copy link
Contributor

What prompts this change? The datatype of password column is varchar(64), isn't that sufficient?

@alxndrsn
Copy link
Contributor Author

The datatype of password column is varchar(64), isn't that sufficient?

We're not storing passwords in plaintext 😁

Also is there a reason for that column to be VARCHAR when bcrypt hashes have a fixed length of 60 characters?

@alxndrsn
Copy link
Contributor Author

But you're keeping it there for now because the short length validation is already there, right?

Yes. Maybe they should both be moved into the hashPassword() function? "Password too long" seems a more fundamental failure than "too short" though.

sadiqkhoja
sadiqkhoja approved these changes Feb 11, 2025
View reviewed changes
Copy link
Contributor

@sadiqkhoja sadiqkhoja left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Only thing I would like to add is the reason i.e. "bcrypt truncates input to 72 bytes before hashing" in the PR description or commit message for future reference.

@alxndrsn alxndrsn merged commit ad40043 into getodk:master Feb 12, 2025
6 checks passed
@alxndrsn alxndrsn deleted the password-max-length branch February 12, 2025 06:16
@sentry-io Sentry.io
Copy link

sentry-io bot commented Feb 15, 2025
edited
Loading

Suspect Issues

This pull request was deployed and Sentry observed the following issues:

  • ‼️ Error: data must be a string or Buffer and salt must either be a salt string or a number of rounds POST /users View Issue

Did you find this useful? React with a 👍 or 👎

@alxndrsn alxndrsn mentioned this pull request Feb 17, 2025
Open
@alxndrsn
Copy link
Contributor Author

This pull request was deployed and Sentry observed the following issues:

This issue seems unrelated, but has been filed at #1407

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sadiqkhoja sadiqkhoja sadiqkhoja approved these changes

@lognaturel lognaturel lognaturel approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@alxndrsn @sadiqkhoja @lognaturel