
System Allows Saving Passwords Exceeding Maximum Length of 128 Characters #259

Sunagatov opened this issue Apr 4, 2024 · 0 comments


Description: When attempting to update a password, if the new password exceeds the maximum length requirement of 128 characters as specified in Personal_Account_page+requirements (attachments: change_password_accept_len_130, change_password_accecpt_len_129), the system incorrectly allows the password to be saved. This behavior contradicts the documented password length constraint, which should restrict passwords to a maximum of 128 characters.

Preconditions:

User must be registered and authenticated.

Steps to Reproduce:

Execute any of the following curl commands to attempt updating the user password:

1.1 password with length = 129:

```bash
curl --location --request PATCH 'http://0.0.0.0:8083/api/v1/users' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJpY2VkbGF0ZS50ZXN0QGdtYWlsLmNvbSIsImlhdCI6MTcwOTgyNjk2NywiZXhwIjoxNzA5ODI3MjA3fQ.ebcUbpALQg7Imh207aznezB9AsJYxj0KmijMBEz_9W8' \
--data-raw '{
"newPassword": "@OUiDQK3BFZNSk3NLN4Sp%w@CNOa!7xP5B&cx7Gw9E6sXl@x4GwPRlyjErQEW8G9YbW@x5kUnS0sTeY0DwKTIFUZSxd$UETcblOxsDGaxHagIB7aWN0%G5o4CqQo*H%",
"oldPassword": "password12345"
}'
```

1.2 password with length = 130:

```bash
curl --location --request PATCH 'http://0.0.0.0:8083/api/v1/users' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJpY2VkbGF0ZS50ZXN0QGdtYWlsLmNvbSIsImlhdCI6MTcwOTgyNjk2NywiZXhwIjoxNzA5ODI3MjA3fQ.ebcUbpALQg7Imh207aznezB9AsJYxj0KmijMBEz_9W8' \
--data-raw '{
"newPassword": "@OUiDQK3BFZNSk3NLN4Sp %w@CNOa!7xP5B&cx7Gw9E6sXl@x4Gw_PRlyjErQEW8G9YbW@x5kUnS0sTeY0DwKTIFUZSxd$UETcblOxsDGaxHagIB7aWN0_%G5o4CqQo*H%9",
"oldPassword": "password12345"
}'
```

2. Observe the response.

Expected Result:

The system should reject the "newPassword" if its length exceeds 128 characters.

An HTTP status code of 400 (Bad Request) should be returned.

The error message should clearly state: { "message": "Password should have a length between 8 and 128 characters" }.

Actual Result:

Passwords with lengths of 129 and 130 characters are incorrectly saved.

An HTTP status code of 200 (OK) is returned, indicating a successful operation contrary to expectations.

@Sunagatov Sunagatov linked a pull request Jun 16, 2024 that will close this issue
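The check the "Expected Result" above asks for, written out as an added example that is not the project's own code: a handler for the PATCH request that validates `newPassword` length before anything is persisted and answers 400 with the documented message on a violation. The function names, the request shape (taken from the curl bodies above) and the handler's success response are assumptions; the 8..128 bounds and the error text come from the issue.

```python
"""Added example (not the project's code): length validation for the
password-change request, behaving as the issue's Expected Result describes."""
import json

MIN_LEN = 8
MAX_LEN = 128
# Error text exactly as the issue expects it in the 400 response.
ERROR_MESSAGE = f"Password should have a length between {MIN_LEN} and {MAX_LEN} characters"


def password_length_ok(password: str) -> bool:
    """True when the password length is within the documented bounds.

    len() counts Unicode code points, not UTF-8 bytes, so a 128-character
    password containing non-ASCII characters is still accepted even though
    its byte encoding is longer."""
    return MIN_LEN <= len(password) <= MAX_LEN


def handle_change_password(raw_body: str) -> tuple[int, dict]:
    """Return (HTTP status, JSON body) for a PATCH /api/v1/users request.

    Validation runs before the old-password check and before any write,
    so an over-long password can never reach storage (the bug reported
    above is that the service currently stores it and returns 200)."""
    try:
        body = json.loads(raw_body)
    except json.JSONDecodeError:
        return 400, {"message": "Malformed JSON body"}

    new_password = body.get("newPassword")
    if not isinstance(new_password, str) or not password_length_ok(new_password):
        return 400, {"message": ERROR_MESSAGE}

    # Hypothetical success path: verifying oldPassword and persisting the
    # new hash is out of scope for this example.
    return 200, {"message": "Password updated"}


def make_request(new_password: str) -> str:
    """Constructed request body in the same shape as the curl commands above."""
    return json.dumps({"newPassword": new_password, "oldPassword": "password12345"})


if __name__ == "__main__":
    # Constructed inputs mirroring the issue: 129 and 130 characters must be
    # rejected, 128 must still pass.
    for length in (7, 8, 128, 129, 130):
        status, payload = handle_change_password(make_request("A" * length))
        print(f"length={length:3d} -> {status} {payload}")
```

The same check should sit on the server regardless of what the client sends; the two curl commands in the report are simply a way to confirm that the 129- and 130-character bodies now get 400 instead of 200.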