github-starred/vikunja
2
0
Fork 0
mirror of https://github.com/go-vikunja/vikunja.git synced 2026-04-30 08:25:58 -05:00
Code Issues 690 Packages Projects Releases 11 Wiki Activity

feat(api): enforce password validation on reset and update flows

Browse Source 
Add bcrypt_password validation to password reset and update endpoints:
- Add validation tag to PasswordReset.NewPassword struct field
- Add validation tag to UserPassword.NewPassword struct field
- Add c.Validate() calls in both handlers
- Fix off-by-one error in bcrypt_password validator (use <= 72 not < 72)

Password requirements: min 8 chars, max 72 bytes (bcrypt limit)
This commit is contained in:
kolaente
2026-02-25 13:34:55 +01:00
parent 39da47e435
commit 89c17d3b23
4 changed files with 13 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
pkg/routes/api/v1/user_password_reset.go
View File

@@ -44,6 +44,11 @@ func UserResetPassword(c *echo.Context) error {
return echo.NewHTTPError(http.StatusBadRequest, "No password provided.").Wrap(err) return echo.NewHTTPError(http.StatusBadRequest, "No password provided.").Wrap(err)
} }
// Validate the password
if err := c.Validate(pwReset); err != nil {
return err
}
s := db.NewSession() s := db.NewSession()
defer s.Close() defer s.Close()

7
pkg/routes/api/v1/user_update_password.go
View File

@@ -29,7 +29,7 @@ import (
// UserPassword holds a user password. Used to update it. // UserPassword holds a user password. Used to update it.
type UserPassword struct { type UserPassword struct {
OldPassword string `json:"old_password"` OldPassword string `json:"old_password"`
NewPassword string `json:"new_password"` NewPassword string `json:"new_password" valid:"bcrypt_password" minLength:"8" maxLength:"72"`
} }
// UserChangePassword is the handler to change a users password // UserChangePassword is the handler to change a users password
@@ -58,6 +58,11 @@ func UserChangePassword(c *echo.Context) error {
return echo.NewHTTPError(http.StatusBadRequest, "No password provided.").Wrap(err) return echo.NewHTTPError(http.StatusBadRequest, "No password provided.").Wrap(err)
} }
// Validate the new password
if err := c.Validate(newPW); err != nil {
return err
}
if newPW.OldPassword == "" { if newPW.OldPassword == "" {
return user.ErrEmptyOldPassword{} return user.ErrEmptyOldPassword{}
} }

2
pkg/user/user_password_reset.go
View File

@@ -27,7 +27,7 @@ type PasswordReset struct {
// The previously issued reset token. // The previously issued reset token.
Token string `json:"token"` Token string `json:"token"`
// The new password for this user. // The new password for this user.
NewPassword string `json:"new_password"` NewPassword string `json:"new_password" valid:"bcrypt_password" minLength:"8" maxLength:"72"`
} }
// ResetPassword resets a users password. It returns the ID of the user whose // ResetPassword resets a users password. It returns the ID of the user whose

2
pkg/user/validator.go
View File

@@ -54,7 +54,7 @@ func init() {
return false return false
} }
return len([]byte(str)) < 72 return len([]byte(str)) <= 72
} }
govalidator.TagMap["language"] = i18n.HasLanguage govalidator.TagMap["language"] = i18n.HasLanguage