From 0fa9b653c2a6915c0d9a948beabbad61ef22759f Mon Sep 17 00:00:00 2001
From: Lloyd Hilaiel <lloyd@hilaiel.com>
Date: Tue, 16 Aug 2011 14:13:13 +0300
Subject: [PATCH] add check in WSAPI that verifies passwords are between 8 and
 80 chars in length

---
 browserid/lib/wsapi.js | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/browserid/lib/wsapi.js b/browserid/lib/wsapi.js
index da4c3a2ce..9f69e0d2c 100644
--- a/browserid/lib/wsapi.js
+++ b/browserid/lib/wsapi.js
@@ -99,9 +99,16 @@ function setup(app) {
    * the staged user account transitions to a valid user account */
   app.post('/wsapi/stage_user', checkParams([ "email", "pass", "pubkey", "site" ]), function(req, resp) {
 
-    // bcrypt the password
     // we should be cloning this object here.
     var stageParams = req.body;
+
+    // issue #155, valid password length is between 8 and 80 chars.
+    if (stageParams.pass.length < 8 || stageParams.pass.length > 80) {
+      httputils.badRequest(resp, "valid passwords are between 8 and 80 chars");
+      return;
+    }
+
+    // bcrypt the password
     stageParams['hash'] = bcrypt.encrypt_sync(stageParams.pass, bcrypt.gen_salt_sync(10));
 
     try {
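Review bot: The new length check on `stageParams.pass` assumes `pass` is a string; if the request body decodes it as another type (an object, an array, a number), `.length` is `undefined` or not a character count, both `<`/`>` comparisons are false, and the value reaches `bcrypt.encrypt_sync` unchecked. Whether `checkParams` enforces a type is not visible here, so I would guard it at the check: `if (typeof stageParams.pass !== 'string' || stageParams.pass.length < 8 || stageParams.pass.length > 80) {`. Note also that `.length` counts UTF-16 code units, so "80 chars" is neither bytes nor code points; a comment such as `// length is in UTF-16 code units, not bytes` next to the limit would make that explicit. The enclosing handler continues past the end of the hunk.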
-- 
GitLab