Description: When attempting to update a password, if the new password exceeds the maximum length requirement of 128 characters as specified in Personal_Account_page+requirements, the system incorrectly allows the password to be saved. This behavior contradicts the documented password length constraint, which should restrict passwords to a maximum of 128 characters.
Preconditions:
User must be registered and authenticated.
Steps to Reproduce:
Execute any of the following CURL commands to attempt updating the user password:
1.1 password with length = 129:
```bash
# Authenticated PATCH that changes the user's password
curl --location --request PATCH 'http://0.0.0.0:8083/api/v1/users' \
  --header 'Content-Type: application/json' \
  --header 'Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJpY2VkbGF0ZS50ZXN0QGdtYWlsLmNvbSIsImlhdCI6MTcwOTgyNjk2NywiZXhwIjoxNzA5ODI3MjA3fQ.ebcUbpALQg7Imh207aznezB9AsJYxj0KmijMBEz_9W8' \
  --data-raw '{
"newPassword": "@OUiDQK3BFZNSk3NLN4Sp%w@CNOa!7xP5B&cx7Gw9E6sXl@x4GwPRlyjErQEW8G9YbW@x5kUnS0sTeY0DwKTIFUZSxd$UETcblOxsDGaxHagIB7aWN0%G5o4CqQo*H%",
"oldPassword": "password12345"
}'
```
1.2 password with length = 130:
```bash
# Authenticated PATCH that changes the user's password
curl --location --request PATCH 'http://0.0.0.0:8083/api/v1/users' \
  --header 'Content-Type: application/json' \
  --header 'Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJpY2VkbGF0ZS50ZXN0QGdtYWlsLmNvbSIsImlhdCI6MTcwOTgyNjk2NywiZXhwIjoxNzA5ODI3MjA3fQ.ebcUbpALQg7Imh207aznezB9AsJYxj0KmijMBEz_9W8' \
  --data-raw '{
"newPassword": "@OUiDQK3BFZNSk3NLN4Sp %w@CNOa!7xP5B&cx7Gw9E6sXl@x4Gw_PRlyjErQEW8G9YbW@x5kUnS0sTeY0DwKTIFUZSxd$UETcblOxsDGaxHagIB7aWN0_%G5o4CqQo*H%9",
"oldPassword": "password12345"
}'
```
Expected Result:
The system should reject the "newPassword" if its length exceeds 128 characters.
An HTTP status code of 400 (Bad Request) should be returned.
The error message should clearly state: { "message": "Password should have a length between 8 and 128 characters" }.
Actual Result:
Passwords with lengths of 129 and 130 characters are incorrectly saved.
An HTTP status code of 200 (OK) is returned, indicating a successful operation contrary to expectations.
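
A sketch of the server-side check that the expected result describes, added here as an example and not taken from the project's code. The function names and the malformed-JSON message are assumptions; the 8 and 128 bounds and the length error message come from the report above.

```python
import json

MIN_LEN, MAX_LEN = 8, 128  # bounds taken from the expected error message in the report
LENGTH_ERROR = {"message": "Password should have a length between 8 and 128 characters"}


def validate_password_update(raw_body: str):
    """Hypothetical handler core for PATCH /api/v1/users: returns (status, body).

    Meant to run before any hashing or persistence, so an over-long value is
    rejected instead of being saved.
    """
    try:
        payload = json.loads(raw_body)
    except json.JSONDecodeError:
        return 400, {"message": "Malformed JSON"}  # constructed message, not from the report
    new_password = payload.get("newPassword") if isinstance(payload, dict) else None
    if not isinstance(new_password, str):
        return 400, LENGTH_ERROR  # missing or non-string field cannot satisfy the rule
    # len() counts Unicode code points (characters, as the requirement is worded),
    # not UTF-8 bytes, so 128 accented characters are still accepted.
    if not MIN_LEN <= len(new_password) <= MAX_LEN:
        return 400, LENGTH_ERROR
    return 200, {}


def boundary_report():
    """Check lengths on both sides of each limit, including 129 and 130 from the report."""
    results = {}
    for n in (7, 8, 128, 129, 130):
        # Constructed sample passwords of exactly n characters.
        body = json.dumps({"newPassword": "a" * n, "oldPassword": "password12345"})
        results[n] = validate_password_update(body)[0]
    return results


if __name__ == "__main__":
    for length, status in boundary_report().items():
        print(f"len={length:3d} -> HTTP {status}")
```

The same five lengths make a compact regression test for the endpoint once the fix is in place.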