auth: Implement Max Password Length Error Handling.

Previously, during registration and login, the system failed to check
if the entered password exceeded the maximum length. This led
to silent truncation of passwords longer than the limit, potentially
causing user confusion and security issues, as detailed in #15087.

In response, I've updated LoggingSetPasswordForm and RegistrationForm.
Now, entering a password beyond the maximum length triggers
a ValidationError. This uses PASSWORD_TOO_LONG_ERROR, alerting
users with "The password cannot exceed 100 characters in length."
This fix enhances user understanding and system security.

Fixes #27922.
kota-karthik 2023-12-21 14:00:35 +05:30
parent 377df9e4db
commit 5f758e6d0d
2 changed files with 22 additions and 0 deletions


@ -63,6 +63,7 @@ DEACTIVATED_ACCOUNT_ERROR = gettext_lazy(
" Please contact your organization administrator to reactivate it."
)
PASSWORD_TOO_WEAK_ERROR = gettext_lazy("The password is too weak.")
PASSWORD_TOO_LONG_ERROR = gettext_lazy("The password cannot exceed 100 characters in length.")
def email_is_not_mit_mailing_list(email: str) -> None:
@ -212,6 +213,8 @@ class RegistrationForm(RealmDetailsForm):
# The frontend code tries to stop the user from submitting the form with a weak password,
# but if the user bypasses that protection, this error code path will run.
raise ValidationError(str(PASSWORD_TOO_WEAK_ERROR))
if len(password) > RegistrationForm.MAX_PASSWORD_LENGTH:
raise ValidationError(str(PASSWORD_TOO_LONG_ERROR))
return password
@ -329,6 +332,8 @@ class LoggingSetPasswordForm(SetPasswordForm):
# The frontend code tries to stop the user from submitting the form with a weak password,
# but if the user bypasses that protection, this error code path will run.
raise ValidationError(str(PASSWORD_TOO_WEAK_ERROR))
if len(new_password) > RegistrationForm.MAX_PASSWORD_LENGTH:
raise ValidationError(str(PASSWORD_TOO_LONG_ERROR))
return new_password
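Review bot: The new length check in the RegistrationForm hunk runs only after the weak-password branch has already been evaluated, so an over-long password still goes through the password-strength estimation before being rejected; the LoggingSetPasswordForm hunk has the same ordering. Since the strength check is the expensive step and the length bound is the cheap one, the length guard should come first in both methods: move `if len(password) > RegistrationForm.MAX_PASSWORD_LENGTH:` / `raise ValidationError(str(PASSWORD_TOO_LONG_ERROR))` ahead of the strength check (and likewise for `new_password`). The message added in the first hunk also hardcodes "100 characters" while the comparison uses RegistrationForm.MAX_PASSWORD_LENGTH, so the two will drift if the constant changes; a placeholder such as `"The password cannot exceed {max_length} characters in length."` filled with `str(PASSWORD_TOO_LONG_ERROR).format(max_length=RegistrationForm.MAX_PASSWORD_LENGTH)` keeps them in sync. Both enclosing clean methods begin outside the hunks, so where the strength check itself sits is inferred from the preceding raise.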


@ -2523,6 +2523,23 @@ class UserSignUpTest(ZulipTestCase):
# Account wasn't created.
get_user(email, get_realm("zulip"))
def test_signup_with_too_long_password(self) -> None:
"""
Check if signing up with a password that exceeds the maximum length fails.
"""
email = "newguy@zulip.com"
too_long_password = "a" * 101
with self.settings(PASSWORD_MIN_GUESSES=1000):
result = self.verify_signup(email=email, password=too_long_password)
assert not isinstance(result, UserProfile)
self.assert_in_success_response(
["Ensure this value has at most 100 characters (it has 101)."], result
)
with self.assertRaises(UserProfile.DoesNotExist):
# Account wasn't created.
get_user(email, get_realm("zulip"))
def test_signup_with_default_stream_group(self) -> None:
# Check if user is subscribed to the streams of default
# stream group as well as default streams.