From f007f16ce98a61beafc2507eba60065ed9484caa Mon Sep 17 00:00:00 2001
From: Akhil Narang
Date: Thu, 23 Nov 2023 15:35:37 +0530
Subject: [PATCH] fix: handle invalid passwords better (#23377)

* chore(login): show a message for response code 500 as well

Signed-off-by: Akhil Narang

* refactor: reject passwords > 512 characters

Signed-off-by: Akhil Narang

--------

Signed-off-by: Akhil Narang
---
 frappe/auth.py | 4 ++++
 frappe/core/doctype/user/user.py | 4 ++++
 frappe/templates/includes/login/login.js | 5 +++--
 3 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/frappe/auth.py b/frappe/auth.py
index 941edb9277..efd1428545 100644
--- a/frappe/auth.py
+++ b/frappe/auth.py
@@ -25,6 +25,7 @@ from frappe.website.utils import get_home_page
 SAFE_HTTP_METHODS = frozenset(("GET", "HEAD", "OPTIONS"))
 UNSAFE_HTTP_METHODS = frozenset(("POST", "PUT", "DELETE", "PATCH"))
+MAX_PASSWORD_SIZE = 512
 class HTTPRequest:
@@ -235,6 +236,9 @@ class LoginManager:
 if not (user and pwd):
 self.fail(_("Incomplete login details"), user=user)
+ if len(pwd) > MAX_PASSWORD_SIZE:
+ self.fail(_("Password size exceeded the maximum allowed size"), user=user)
+
 _raw_user_name = user
 user = User.find_by_credentials(user, pwd)
diff --git a/frappe/core/doctype/user/user.py b/frappe/core/doctype/user/user.py
index cdb3e394ee..711c07ed95 100644
--- a/frappe/core/doctype/user/user.py
+++ b/frappe/core/doctype/user/user.py
@@ -9,6 +9,7 @@ import frappe.defaults
 import frappe.permissions
 import frappe.share
 from frappe import STANDARD_USERS, _, msgprint, throw
+from frappe.auth import MAX_PASSWORD_SIZE
 from frappe.core.doctype.user_type.user_type import user_linked_with_permission_on_doctype
 from frappe.desk.doctype.notification_settings.notification_settings import (
 create_notification_settings,
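Review bot: `MAX_PASSWORD_SIZE = 512` is introduced without a comment saying what it bounds or why that value was chosen, and both call sites in this patch compare it against `len(...)`, i.e. a count of characters rather than bytes. A one-line comment above it would stop the two readings from drifting apart later, e.g. `# Upper bound on password length, in characters as measured by len(); enforced at login (LoginManager) and in update_password`. If the value is meant to track a limit of the password hashing backend, the comment should say so, since nothing in this file records that.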
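Review bot: The new guard in LoginManager measures `len(pwd)`, which counts Unicode code points, so a password that passes can still be up to 2048 bytes once UTF-8 encoded; if the limit exists to bound the work done in `User.find_by_credentials`, compare the encoded length instead, `if len(pwd.encode("utf-8")) > MAX_PASSWORD_SIZE:`. The same applies to the `update_password` check in frappe/core/doctype/user/user.py. The two messages also differ by a trailing period (`"...maximum allowed size"` here, `"...maximum allowed size."` in update_password), which yields two translation strings for one condition. The enclosing method starts before this hunk, so whether `self.fail` raises is not visible here; the preceding incomplete-login check relies on the same behaviour.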
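Review bot: `from frappe.auth import MAX_PASSWORD_SIZE` makes user.py depend on frappe.auth at module scope, while the LoginManager hunk in frappe/auth.py calls `User.find_by_credentials`; if auth.py imports `User` at module scope as well, the two modules now import each other and module loading is likely to fail with an ImportError in either load order, because the constant is defined after auth.py's import block. Confirm the import order, or place the constant in a module neither file depends on, or import it lazily inside `update_password`. The import block continues outside this hunk.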
@@ -823,6 +824,9 @@ def update_password(
 old_password (str, optional): Old password. Defaults to None.
 """
+ if len(new_password) > MAX_PASSWORD_SIZE:
+ frappe.throw(_("Password size exceeded the maximum allowed size."))
+
 result = test_password_strength(new_password)
 feedback = result.get("feedback", None)
diff --git a/frappe/templates/includes/login/login.js b/frappe/templates/includes/login/login.js
index 6e18421837..90e12cf3d0 100644
--- a/frappe/templates/includes/login/login.js
+++ b/frappe/templates/includes/login/login.js
@@ -287,8 +287,9 @@ login.login_handlers = (function () {
 }
 },
 401: get_error_handler('{{ _("Invalid Login. Try again.") }}'),
- 417: get_error_handler('{{ _("Oops! Something went wrong") }}'),
- 404: get_error_handler('{{ _("User does not exist.")}}')
+ 417: get_error_handler('{{ _("Oops! Something went wrong.") }}'),
+ 404: get_error_handler('{{ _("User does not exist.")}}'),
+ 500: get_error_handler('{{ _("Something went wrong.") }}')
 };
 return login_handlers;
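Review bot: The docstring of `update_password` closes immediately above the new check, yet it does not mention the length limit or that the function now raises before `test_password_strength` is ever called; add a line to it such as `Rejects new_password longer than MAX_PASSWORD_SIZE characters (via frappe.throw) before strength is evaluated.` so callers know the new failure mode. The function's signature and the rest of its body lie outside this hunk, so whether `new_password` can arrive as None (which would make `len()` raise TypeError) cannot be judged here and is worth confirming.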