fix: add check for max password length (supabase#1368)

nndi-oss · Dec 29, 2023 · 41aac69 · 41aac69
1 parent 4280288
commit 41aac69
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 0 deletions.
diff --git a/internal/crypto/password.go b/internal/crypto/password.go
@@ -3,6 +3,7 @@ package crypto
 import (
 	"context"
 	"errors"
+	"fmt"
 
 	"github.com/supabase/auth/internal/observability"
 	"go.opentelemetry.io/otel/attribute"
@@ -21,6 +22,9 @@ const (
 	// hashing cost for any hashing algorithm,
 	// useful for tests only.
 	QuickHashCost HashCost = iota
+
+	// BCrypt hashed passwords have a 72 character limit
+	MaxPasswordLength = 72
 )
 
 // PasswordHashCost is the current pasword hashing cost
@@ -73,6 +77,10 @@ func CompareHashAndPassword(ctx context.Context, hash, password string) error {
 func GenerateFromPassword(ctx context.Context, password string) (string, error) {
 	var hashCost int
 
+	if len(password) > MaxPasswordLength {
+		return "", fmt.Errorf("password cannot be longer than %d characters", MaxPasswordLength)
+	}
+
 	switch PasswordHashCost {
 	case QuickHashCost:
 		hashCost = bcrypt.MinCost

diff --git a/internal/models/user_test.go b/internal/models/user_test.go
@@ -1,6 +1,7 @@
 package models
 
 import (
+	"strings"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
@@ -366,3 +367,15 @@ func (ts *UserTestSuite) TestUpdateUserEmailFailure() {
 	require.ErrorIs(ts.T(), userA.UpdateUserEmail(ts.db), UserEmailUniqueConflictError{})
 	require.Equal(ts.T(), primaryIdentity.GetEmail(), userA.GetEmail())
 }
+
+func (ts *UserTestSuite) TestSetPasswordTooLong() {
+	user, err := NewUser("", "", strings.Repeat("a", crypto.MaxPasswordLength), "", nil)
+	require.NoError(ts.T(), err)
+	require.NoError(ts.T(), ts.db.Create(user))
+
+	err = user.SetPassword(ts.db.Context(), strings.Repeat("a", crypto.MaxPasswordLength+1))
+	require.Error(ts.T(), err)
+
+	err = user.SetPassword(ts.db.Context(), strings.Repeat("a", crypto.MaxPasswordLength))
+	require.NoError(ts.T(), err)
+}