fix: handle invalid passwords better (#23377)

* chore(login): show a message for response code 500 as well Signed-off-by: Akhil Narang <me@akhilnarang.dev> * refactor: reject passwords > 512 characters Signed-off-by: Akhil Narang <me@akhilnarang.dev> --------- Signed-off-by: Akhil Narang <me@akhilnarang.dev>
2023-11-23 15:35:37 +05:30 · 2023-11-23 15:35:37 +05:30 · f007f16ce9
commit f007f16ce9
parent a775d5adb0
3 changed files with 11 additions and 2 deletions
--- a/frappe/auth.py
+++ b/frappe/auth.py
@ -25,6 +25,7 @@ from frappe.website.utils import get_home_page

 SAFE_HTTP_METHODS = frozenset(("GET", "HEAD", "OPTIONS"))
 UNSAFE_HTTP_METHODS = frozenset(("POST", "PUT", "DELETE", "PATCH"))
+MAX_PASSWORD_SIZE = 512


 class HTTPRequest:
@ -235,6 +236,9 @@ class LoginManager:
 		if not (user and pwd):
 			self.fail(_("Incomplete login details"), user=user)

+		if len(pwd) > MAX_PASSWORD_SIZE:
+			self.fail(_("Password size exceeded the maximum allowed size"), user=user)
+
 		_raw_user_name = user
 		user = User.find_by_credentials(user, pwd)

--- a/frappe/core/doctype/user/user.py
+++ b/frappe/core/doctype/user/user.py
@ -9,6 +9,7 @@ import frappe.defaults
 import frappe.permissions
 import frappe.share
 from frappe import STANDARD_USERS, _, msgprint, throw
+from frappe.auth import MAX_PASSWORD_SIZE
 from frappe.core.doctype.user_type.user_type import user_linked_with_permission_on_doctype
 from frappe.desk.doctype.notification_settings.notification_settings import (
 	create_notification_settings,
@ -823,6 +824,9 @@ def update_password(
 	        old_password (str, optional): Old password. Defaults to None.
 	"""

+	if len(new_password) > MAX_PASSWORD_SIZE:
+		frappe.throw(_("Password size exceeded the maximum allowed size."))
+
 	result = test_password_strength(new_password)
 	feedback = result.get("feedback", None)

--- a/frappe/templates/includes/login/login.js
+++ b/frappe/templates/includes/login/login.js
@ -287,8 +287,9 @@ login.login_handlers = (function () {
 			}
 		},
 		401: get_error_handler('{{ _("Invalid Login. Try again.") }}'),
-		417: get_error_handler('{{ _("Oops! Something went wrong") }}'),
-		404: get_error_handler('{{ _("User does not exist.")}}')
+		417: get_error_handler('{{ _("Oops! Something went wrong.") }}'),
+		404: get_error_handler('{{ _("User does not exist.")}}'),
+		500: get_error_handler('{{ _("Something went wrong.") }}')
 	};

 	return login_handlers;