Lack of validation on name of the users #4894

New Issue

Closed

opened 2026-03-07 20:04:52 -06:00 by GiteaMirror · 4 comments

GiteaMirror commented 2026-03-07 20:04:52 -06:00

Owner

Copy Link

Originally created by @pavel1337 on GitHub (Apr 14, 2022).

Originally assigned to: @BlackDex on GitHub.

Subject of the issue

Lack of validation on name of the users

Deployment environment

• vaultwarden version: 1.24.0

• Install method: Docker (Base: Debian)

• Clients used: web client

• MySQL/MariaDB or PostgreSQL version: MySQL 8.0.23 RDS

• Other relevant details:

Steps to reproduce

1. Receieve an invite to vaultwarden
2. Create account with long name (eg. using this command pwgen 100000 1)

Expected behaviour

• validation error with something like "the name is too long"

Actual behaviour

• I was able to create a user and login, but I cannot send secrets. I guess because the bearer token is too big, because the username is too long.

Troubleshooting data

The command I used to create a long username: pwgen 100000 1

The screenshot of the users table; I guess it should be something like varchar(x)

The screenshot of the organization with me in it:

The screenshot of me trying create a send and developer tools

Originally created by @pavel1337 on GitHub (Apr 14, 2022). Originally assigned to: @BlackDex on GitHub. ### Subject of the issue Lack of validation on name of the users ### Deployment environment * vaultwarden version: 1.24.0 * Install method: Docker (Base: Debian) * Clients used: web client * MySQL/MariaDB or PostgreSQL version: MySQL 8.0.23 RDS * Other relevant details: ### Steps to reproduce 1. Receieve an invite to vaultwarden 2. Create account with long name (eg. using this command ```pwgen 100000 1```) ### Expected behaviour - validation error with something like "the name is too long" ### Actual behaviour - I was able to create a user and login, but I cannot send secrets. I guess because the bearer token is too big, because the username is too long. ### Troubleshooting data The command I used to create a long username: ```pwgen 100000 1``` The screenshot of the users table; I guess it should be something like ```varchar(x)```  The screenshot of the organization with me in it:  The screenshot of me trying create a send and developer tools 

GiteaMirror added the enhancementlow priority labels 2026-03-07 20:04:52 -06:00

GiteaMirror closed this issue 2026-03-07 20:04:53 -06:00

GiteaMirror commented 2026-03-07 20:04:53 -06:00

Author

Owner

Copy Link

@BlackDex commented on GitHub (Jun 4, 2022):

Looks like Bitwarden it self uses a max of 50 characters. It will be a bit difficult now to switch that for Vaultwarden to a lower size if people were already using a larger amount of characters for the names.
Though limiting it a specific amount is not a bad idea, i need to see what a good amount is.

@BlackDex commented on GitHub (Jun 4, 2022): Looks like Bitwarden it self uses a max of 50 characters. It will be a bit difficult now to switch that for Vaultwarden to a lower size if people were already using a larger amount of characters for the names. Though limiting it a specific amount is not a bad idea, i need to see what a good amount is.

GiteaMirror commented 2026-03-07 20:04:54 -06:00

Author

Owner

Copy Link

@dani-garcia commented on GitHub (Jun 4, 2022):

We could just limit it in the save function, if we don't want to create a new migration for this change

@dani-garcia commented on GitHub (Jun 4, 2022): We could just limit it in the save function, if we don't want to create a new migration for this change

GiteaMirror commented 2026-03-07 20:04:55 -06:00

Author

Owner

Copy Link

@BlackDex commented on GitHub (Jun 8, 2022):

I think it should be enough to have this only at the register function, what do you think @dani-garcia ?
That would at least prevent new users from using a large Name, but will not force current users to change it when they update there info.

btw: i have it working already locally.

@BlackDex commented on GitHub (Jun 8, 2022): I think it should be enough to have this only at the register function, what do you think @dani-garcia ? That would at least prevent new users from using a large Name, but will not force current users to change it when they update there info. btw: i have it working already locally.

GiteaMirror commented 2026-03-07 20:04:55 -06:00

Author

Owner

Copy Link

@dani-garcia commented on GitHub (Jun 8, 2022):

Right, but a user could also change their name from the web vault after the account was created, I know realistically no one is going to put a long enough name to break the web vault, but we should cover all bases if possible.

@dani-garcia commented on GitHub (Jun 8, 2022): Right, but a user could also change their name from the web vault after the account was created, I know realistically no one is going to put a long enough name to break the web vault, but we should cover all bases if possible.

GiteaMirror referenced this issue 2026-03-07 21:12:04 -06:00

[PR #4894] [CLOSED] Non-interactive Argon2id PHC hash generation #7163

GiteaMirror referenced this issue 2026-04-16 12:26:27 -05:00

[PR #4894] [CLOSED] Non-interactive Argon2id PHC hash generation #8463

GiteaMirror referenced this issue 2026-04-20 15:42:49 -05:00

[PR #4894] [CLOSED] Non-interactive Argon2id PHC hash generation #12389

GiteaMirror referenced this issue 2026-04-23 07:50:07 -05:00

[PR #4894] [CLOSED] Non-interactive Argon2id PHC hash generation #16369

GiteaMirror referenced this issue 2026-04-25 22:29:29 -05:00

[PR #4894] [CLOSED] Non-interactive Argon2id PHC hash generation #20356

GiteaMirror referenced this issue 2026-04-30 08:09:09 -05:00

[PR #4894] [CLOSED] Non-interactive Argon2id PHC hash generation #21723

GiteaMirror referenced this issue 2026-05-16 05:44:05 -05:00

[PR #4894] [CLOSED] Non-interactive Argon2id PHC hash generation #23051

GiteaMirror referenced this issue 2026-05-22 01:44:04 -05:00

[PR #4894] [CLOSED] Non-interactive Argon2id PHC hash generation #24392

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

revert-7033-patch-1

cached-config-operations

test_dylint

1.36.0

1.35.8

1.35.7

1.35.6

1.35.5

1.35.4

1.35.3

1.35.2

1.35.1

1.35.0

1.34.3

1.34.2

1.34.1

1.34.0

1.33.2

1.33.1

1.33.0

1.32.7

1.32.6

1.32.5

1.32.4

1.32.3

1.32.2

1.32.1

1.32.0

1.31.0

1.30.5

1.30.4

1.30.3

1.30.2

1.30.1

1.30.0

1.29.2

1.29.1

1.29.0

1.28.1

1.28.0

1.27.0

1.26.0

1.25.2

1.25.1

1.25.0

1.24.0

1.23.1

1.23.0

1.22.2

1.22.1

1.22.0

1.21.0

1.20.0

1.19.0

1.18.0

1.17.0

1.16.3

1.16.2

1.16.1

1.16.0

1.15.1

1.15.0

1.14.2

1.14.1

1.14

1.13.1

1.13.0

1.12.0

1.11.0

1.10.0

1.9.1

1.9.0

1.8.0

1.7.0

1.6.1

1.6.0

1.5.0

1.4.0

1.3.0

1.2.0

1.1.0

1.0.0

0.13.0

0.12.0

0.11.0

0.10.0

0.9.0

Labels

Clear labels

better for forum

bug

documentation

duplicate

enhancement

future Vault

good first issue

help wanted

low priority

notes

pull-request

Mirrored from GitHub Pull Request

question

SSO

Third party

troubleshooting

wontfix

No Label enhancement low priority

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/vaultwarden#4894